Enable server-side OCSP stapling on Linux

[bartonjs]

A few code reorganization notes:

• The certificate asset download code from System.Security.Cryptography has been moved to a partial class in src/libraries/Common/src/System/Net/Http/X509ResourceClient.cs to be shared with System.Net.Security
  • It's partial so that CertificateAssetDownloader's tracing can be plugged in via partial methods.
• OpenSSL Interop.OCSP.cs got split into Interop.OCSP.cs (only using SafeOcspResponseHandle) and Interop.OCSP.Chain.cs (also using SafeX509StoreCtxHandle)

With this change, SslStreamCertificateContext.Create on Linux will do a background
fetch of an OCSP response to staple to the Server Certificate in the Server Hello
portion of the handshake. This fetch is skipped if the context is built with offline:true.

Contexts that live for a long time and see regular activity should always have a response
ready to deliver to clients that ask for one. Particularly idle contexts that are retrieving
OCSP responses that have particularly short lifetimes may stop stapling because they may end up
not getting the activity they need to initiate a new request before the current response expires.

Contributes to #33377.

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

A few code reorganization notes:

• The certificate asset download code from System.Security.Cryptography has been moved to a partial class in src/libraries/Common/src/System/Net/Http/X509ResourceClient.cs to be shared with System.Net.Security
  • It's partial so that CertificateAssetDownloader's tracing can be plugged in via partial methods.
• OpenSSL Interop.OCSP.cs got split into Interop.OCSP.cs (only using SafeOcspResponseHandle) and Interop.OCSP.Chain.cs (also using SafeX509StoreCtxHandle)

With this change, SslStreamCertificateContext.Create on Linux will do a background
fetch of an OCSP response to staple to the Server Certificate in the Server Hello
portion of the handshake. This fetch is skipped if the context is built with offline:true.

Contexts that live for a long time and see regular activity should always have a response
ready to deliver to clients that ask for one. Particularly idle contexts that are retrieving
OCSP responses that have particularly short lifetimes may stop stapling because they may end up
not getting the activity they need to initiate a new request before the current response expires.

Author:	bartonjs
Assignees:	-
Labels:	area-System.Net.Security, os-linux
Milestone:	7.0.0

[wfurt]

generally looks good to me.
We seems to fail the build on some configurations.
Quic failures are known and unrelated.

[wfurt]

LGTM

[bartonjs]

Looks like there's some build configuration where time_t is long instead of long long, and that's messing with the export as int64_t. Looking into it.

[stephentoub]

I don't remember why we do all this custom redirect handling rather than using the built-in support. Do you?

[vcsjones]

Because we cannot permit HTTP -> HTTPS redirects. The scheme has to remain HTTP. #45010 has more background, and #48221 has the first fix for it.

[stephentoub]

We should really consider adding #45364, @karelz. This is an awful lot of custom logic required.

[karelz]

@stephentoub are you suggesting in .NET 7.0?
I think we might be able to make it happen. Let's bring it up in next meeting.

[stephentoub]

are you suggesting in .NET 7.0?

If we have time.

[stephentoub]

We've had multiple requests for this functionality, e.g. #1658. How close is this to what's needed for that? I'm wondering if we should use this as an opportunity to get it into the right shape and move that issue to api-ready-for-review so we can get it out in 7.

[stephentoub]

Can you elaborate on why it's ok for this to be fire-and-forget?

[bartonjs]

Consistent with other platforms, the server side of OCSP stapling is bestish effortish. On Windows they equivalently fire off an async download, and whenever there's a new session and the download has completed they attach it... if it didn't complete (or it failed), then it isn't.

[stephentoub]

Same here... why is it ok that this is fire-and-forget?

[stephentoub]

This never needs to transition from non-null back to null?

[bartonjs]

_pendingDownload goes back to null if it completes successfully. On... line.... that got deleted.

[stephentoub]

If it's faulted, will someone somewhere have accessed its Exception or otherwise observed what the error was?

[bartonjs]

Nope. If it faulted (most likely due to a timeout or network error) we'll just let another one spin up.