Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ask SChannel for stapled OCSP when the client will do revocation #71570

Merged
merged 2 commits into from
Jul 12, 2022
Merged

Ask SChannel for stapled OCSP when the client will do revocation #71570

merged 2 commits into from
Jul 12, 2022

Conversation

bartonjs
Copy link
Member

@bartonjs bartonjs commented Jul 2, 2022
edited
Loading

I haven't been able to diagnose why Windows in the Server role doesn't seem to want to participate in OCSP Stapling (at least during tests), but with this change the clients will get the benefits of stapled OCSP when the server participates.

The change essentially boils down to:

  • Set SCH_CRED_REVOCATION_CHECK_END_CERT if we're going to ask for revocation (so SChannel sends the status_request:OCSP extension in the handshake)
  • Test that we see certificate property 70 on Windows when we expect to.

Everything else is plumbing to make that happen.

Contributes to #33377.

@ghost ghost assigned bartonjs Jul 2, 2022
@ghost
Copy link

ghost commented Jul 2, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

I haven't been able to diagnose why Windows in the Server role doesn't seem to want to participate in OCSP Stapling (at least during tests), but with this change the clients will get the benefits of stapled OCSP when the server participates.

The change essentially boils down to:

  • Set SCH_CRED_REVOCATION_CHECK_END_CERT if we're going to ask for revocation (so SChannel sends the status_request:OCSP extension in the handshake)
  • Test that we see certificate property 70 on Windows when we expect to.

Everything else is plumbing to make that happen.

Author: bartonjs
Assignees: bartonjs
Labels:

area-System.Net.Security
Milestone: -

@bartonjs
Copy link
Member Author

bartonjs commented Jul 4, 2022

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@bartonjs bartonjs requested a review from wfurt July 6, 2022 22:00
@wfurt
Copy link
Member

wfurt commented Jul 7, 2022

I'm OOF @bartonjs. I should be able to look at it early next week.

wfurt
wfurt reviewed Jul 11, 2022
View reviewed changes
src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
flags |=
Interop.SspiCli.SCHANNEL_CRED.Flags.SCH_CRED_REVOCATION_CHECK_END_CERT |
Interop.SspiCli.SCHANNEL_CRED.Flags.SCH_CRED_IGNORE_NO_REVOCATION_CHECK |
Interop.SspiCli.SCHANNEL_CRED.Flags.SCH_CRED_IGNORE_REVOCATION_OFFLINE;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the mode is X509RevocationMode.Online should we ignore failures? While that may be convenient I'm wondering if that meets security expectations.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're ignoring any failures out of SChannel anyways, and we rebuild the chain using the data they provide us.

wfurt
wfurt approved these changes Jul 12, 2022
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bartonjs bartonjs merged commit f0845bd into dotnet:main Jul 12, 2022
@bartonjs bartonjs deleted the sslstream_staple_windows_client branch July 12, 2022 16:51
@karelz karelz added this to the 7.0.0 milestone Jul 19, 2022
@bartonjs bartonjs mentioned this pull request Jul 29, 2022
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Aug 18, 2022
@bartonjs bartonjs added the needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration label Aug 26, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wfurt wfurt wfurt approved these changes

@stephentoub stephentoub stephentoub approved these changes

Assignees

@bartonjs bartonjs

Labels
area-System.Net.Security needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration os-windows
Projects
None yet
Milestone
7.0.0
Development

Successfully merging this pull request may close these issues.
4 participants
@bartonjs @wfurt @stephentoub @karelz