@bartonjs
Member

When reading the root store directory for the first time, if
the read produced no data and the SSL_CERT_DIR environment
variable wasn't set, see if /etc/ssl/certs gives a different answer.

This change also changes the LastWriteTime model for caching
to not pin the symlink target on the first read, and support the
bundle file being a symlink (and the target being updated to
trigger refresh).

Fixes #38730.
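
The two behaviours in the description above, sketched as an added C# example for Linux; it is not the code merged in this pull request or any other dotnet/runtime code. It assumes .NET 6 or later (`ResolveLinkTarget`, `CreateSymbolicLink`); `RootStoreProbe`, `PickDirectory`, `Stamp`, the `defaultDir` parameter and the file names are hypothetical, `SSL_CERT_DIR` is treated as a single path, and "produced no data" is approximated as "contains no files".

```csharp
using System;
using System.IO;
using System.Linq;

// Constructed demo: the bundle path is a symlink that gets re-pointed at another file.
string dir = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), Path.GetRandomFileName())).FullName;
string a = Path.Combine(dir, "bundle-a.pem"), b = Path.Combine(dir, "bundle-b.pem");
string link = Path.Combine(dir, "ca-bundle.crt");
File.WriteAllText(a, "constructed A");
File.WriteAllText(b, "constructed B");
File.SetLastWriteTimeUtc(b, DateTime.UtcNow.AddMinutes(-5)); // new target is older than the old one
File.CreateSymbolicLink(link, a);
var cached = RootStoreProbe.Stamp(link);                      // what a cache would remember
File.Delete(link);
File.CreateSymbolicLink(link, b);                             // re-point the link
Console.WriteLine($"reload needed: {RootStoreProbe.Stamp(link) != cached}");
Console.WriteLine($"directory: {RootStoreProbe.PickDirectory(dir)}");
Directory.Delete(dir, recursive: true);

static class RootStoreProbe // hypothetical helper
{
    const string FallbackDir = "/etc/ssl/certs"; // fallback path named in the PR description

    // defaultDir is the caller's normal root directory (an assumption; the PR text
    // does not name it). An explicit SSL_CERT_DIR is never second-guessed.
    public static string PickDirectory(string defaultDir)
    {
        string? fromEnv = Environment.GetEnvironmentVariable("SSL_CERT_DIR");
        if (!string.IsNullOrEmpty(fromEnv)) return fromEnv;
        bool empty = !Directory.Exists(defaultDir) || !Directory.EnumerateFiles(defaultDir).Any();
        return empty && Directory.Exists(FallbackDir) ? FallbackDir : defaultDir;
    }

    // Write times of the path itself and of its final link target. Comparing the pair
    // for equality catches both a re-pointed link and a rewritten target.
    public static (DateTime Link, DateTime Target) Stamp(string path)
    {
        FileSystemInfo info = Directory.Exists(path) ? new DirectoryInfo(path) : new FileInfo(path);
        if (!info.Exists) return (DateTime.MinValue, DateTime.MinValue);
        DateTime own = info.LastWriteTimeUtc;
        try
        {
            FileSystemInfo? target = info.ResolveLinkTarget(returnFinalTarget: true);
            if (target is null) return (own, own); // not a symlink
            return (own, target.Exists ? target.LastWriteTimeUtc : DateTime.MinValue);
        }
        catch (IOException) { return (own, DateTime.MinValue); } // unresolvable link chain
    }
}
```

Comparing the pair rather than taking the newest of the two times matters when the link is switched to a target with an older timestamp, as in the constructed demo.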

@ghost ghost added the area-System.Security label May 18, 2021
@ghost

ghost commented May 18, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.


@GrabYourPitchforks
Member

Nit: Consider adding a comment to line 91 along the lines of "This is an unsynchronized access to the Elapsed property, which means we could observe a torn write. But the worst case is that there's a brief window where we miss the expiration notification. This is an acceptable risk."

@bartonjs bartonjs merged commit 28d3f31 into dotnet:main May 27, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Jun 26, 2021
Development

Successfully merging this pull request may close these issues.

AuthenticationException on some Linux distros and root cert setups starting 3.0

2 participants