Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

disable sending NT Authority in TLS handshake if specific trust was specified #60988

Merged
merged 5 commits into from
Nov 2, 2021
Merged

disable sending NT Authority in TLS handshake if specific trust was specified #60988

merged 5 commits into from
Nov 2, 2021

Conversation

wfurt
Copy link
Member

@wfurt wfurt commented Oct 28, 2021

When Windows sends trusted CA list in handshake it by default includes NT Authority as special case.
I'm not sure if anybody depends on it but it seems to break some use cases with new API from #45456.
Particularly attempt to send empty trust list seems to break .NET clients when only NT Authority is present.
That may be issue with the client selection but we don't have control over all of them.

To deal with it, I added explicit SCH_CRED_NO_SYSTEM_MAPPER flag to suppress that channel behavior when SslCertificateTrust is provided and sendTrustInHandshake is set to true. (SslStreamPal.Windows.cs)
Alternatively, we could set it always but I'm concern about backward compatibility. (SslCertificateTrust was introduced in 6.0 so changing it there should be ok)

Since this is done on credential handle, we need to also update the caching logic to not mingle that case with others.

We don't have any automated tests since this still depends on Windows registry setting. I did manual tests and verified that the NT Authority is not in the CA list as well as pointing to empty certificate store sends empty list.

fixes #60949

@wfurt wfurt requested a review from a team October 28, 2021 21:07
@wfurt wfurt self-assigned this Oct 28, 2021
@ghost
Copy link

ghost commented Oct 28, 2021

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

When Windows sends trusted CA list in handshake it by default includes NT Authority as special case.
I'm not sure if anybody depends on it but it seems to break some use cases with new API from #45456.
Particularly attempt to send empty trust list seems to break .NET clients when only NT Authority is present.
That may be issue with the client selection but we don't have control over all of them.

To deal with it, I added explicit SCH_CRED_NO_SYSTEM_MAPPER flag to suppress that channel behavior when SslCertificateTrust is provided and sendTrustInHandshake is set to true. (SslStreamPal.Windows.cs)
Alternatively, we could set it always but I'm concern about backward compatibility. (SslCertificateTrust was introduced in 6.0 so changing it there should be ok)

Since this is done on credential handle, we need to also update the caching logic to not mingle that case with others.

We don't have any automated tests since this still depends on Windows registry setting. I did manual tests and verified that the NT Authority is not in the CA list as well as pointing to empty certificate store sends empty list.

fixes #60949

Author: wfurt
Assignees: wfurt
Labels:

area-System.Net.Security
Milestone: -

scalablecory
scalablecory approved these changes Oct 29, 2021
View reviewed changes
Copy link
Contributor

@scalablecory scalablecory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Give in to the null conditional operator, @wfurt! :)

LGTM either way.

src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs Outdated Show resolved Hide resolved
src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs Outdated Show resolved Hide resolved
src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs Outdated Show resolved Hide resolved
src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs Outdated Show resolved Hide resolved
@Wraith2
Copy link
Contributor

Wraith2 commented Oct 29, 2021

Give in to the null conditional operator, @wfurt! :)

The problem with the null conditional operator is that pesky literal `== true' at the end to force the type to bool. The brevity is better but the clarity is poor imo.

@runfoapp runfoapp bot mentioned this pull request Oct 29, 2021
Closed
@wfurt
Copy link
Member Author

wfurt commented Oct 29, 2021

Give in to the null conditional operator, @wfurt! :)

The problem with the null conditional operator is that pesky literal `== true' at the end to force the type to bool. The brevity is better but the clarity is poor imo.

I don't really care one way or other. Perhaps @stephentoub or @geoffkizer can chime in with preference.

@stephentoub
Copy link
Member

Small preference for the null conditional, but either way is ok.

@wfurt @scalablecory
Apply suggestions from code review
4199607 
Co-authored-by: Cory Nelson <phrosty@gmail.com>
@geoffkizer
Copy link
Contributor

The problem with the null conditional operator is that pesky literal `== true' at the end to force the type to bool. The brevity is better but the clarity is poor imo.

I agree with this. I always find it weird to see "== true" because normally it's unnecessary. It makes me have to stop and think about what's going on.

An alternative that still uses the null conditional operator, but doesn't use "== true", is:

    bool sendTrustedList = _sslAuthenticationOptions.CertificateContext!.Trust?._sendTrustInHandshake ?? false;

I prefer this slightly, since the use of "?? false" instead of "== true" makes it obvious that you're handling the null case.

Also, for the reverse case where you want to treat null as true, "?? true" seems much clearer to me than "!= false", which makes my head hurt even more than "== true". That doesn't apply here though.

@wfurt
Copy link
Member Author

wfurt commented Nov 1, 2021

An alternative that still uses the null conditional operator, but doesn't use "== true", is:

I was thinking about it more and I like this best @geoffkizer. It is basically use "this" or "default".

@wfurt wfurt merged commit 7160079 into dotnet:main Nov 2, 2021
@wfurt wfurt deleted the trust_60949 branch November 2, 2021 05:20
@karelz karelz added this to the 7.0.0 milestone Nov 4, 2021
@wfurt
Copy link
Member Author

wfurt commented Nov 17, 2021

/backport to release/6.0

@github-actions
Copy link
Contributor

Started backporting to release/6.0: https://github.com/dotnet/runtime/actions/runs/1469614283

@github-actions github-actions bot mentioned this pull request Nov 17, 2021
Merged
@karelz karelz mentioned this pull request Dec 16, 2021
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Dec 17, 2021
@bartonjs bartonjs added cryptographic-docs-impact needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration labels Aug 26, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Wraith2 Wraith2 Wraith2 left review comments

@scalablecory scalablecory scalablecory approved these changes

Assignees

@wfurt wfurt

Labels
area-System.Net.Security needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration
Projects
None yet
Milestone
7.0.0
Development

Successfully merging this pull request may close these issues.

SslStream: Don't include "NT AUTHORITY" in Distinguished Names list of CertificateRequest.
7 participants
@wfurt @Wraith2 @stephentoub @geoffkizer @scalablecory @karelz @bartonjs