Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release/7.0] fix TLS resume with client certificates on Linux #81795

Merged
merged 1 commit into from
Feb 8, 2023
Merged

[release/7.0] fix TLS resume with client certificates on Linux #81795

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -306,7 +306,8 @@ internal static SafeSslHandle AllocateSslHandle(SslAuthenticationOptions sslAuth
if (!Interop.Ssl.Capabilities.Tls13Supported ||
string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) ||
sslAuthenticationOptions.CertificateContext != null ||
sslAuthenticationOptions.CertSelectionDelegate != null)
sslAuthenticationOptions.ClientCertificates?.Count > 0 ||
sslAuthenticationOptions.CertSelectionDelegate != null)
{
cacheSslContext = false;
}
Expand Down
168 changes: 168 additions & 0 deletions src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
using System.IO;
using System.Threading.Tasks;
using System.Net.Test.Common;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

using Xunit;
Expand All @@ -16,11 +17,13 @@ public class SslStreamMutualAuthenticationTest : IDisposable
{
private readonly X509Certificate2 _clientCertificate;
private readonly X509Certificate2 _serverCertificate;
private readonly X509Certificate2 _selfSignedCertificate;

public SslStreamMutualAuthenticationTest()
{
_serverCertificate = Configuration.Certificates.GetServerCertificate();
_clientCertificate = Configuration.Certificates.GetClientCertificate();
_selfSignedCertificate = Configuration.Certificates.GetSelfSignedServerCertificate();
}

public void Dispose()
Expand Down Expand Up @@ -80,6 +83,171 @@ public async Task SslStream_RequireClientCert_IsMutuallyAuthenticated_ReturnsTru
}
}

[ClassData(typeof(SslProtocolSupport.SupportedSslProtocolsTestData))]
[PlatformSpecific(TestPlatforms.Linux)] // https://github.com/dotnet/runtime/issues/65563
[Theory]
public async Task SslStream_ResumedSessionsClientCollection_IsMutuallyAuthenticatedCorrect(
SslProtocols protocol)
{
var clientOptions = new SslClientAuthenticationOptions
{
EnabledSslProtocols = protocol,
RemoteCertificateValidationCallback = delegate { return true; },
TargetHost = Guid.NewGuid().ToString("N")
};

// Create options with certificate context so TLS resume is possible on Linux
var serverOptions = new SslServerAuthenticationOptions
{
ClientCertificateRequired = true,
ServerCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, null),
RemoteCertificateValidationCallback = delegate { return true; },
EnabledSslProtocols = protocol
};

for (int i = 0; i < 5; i++)
{
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
bool expectMutualAuthentication = (i % 2) == 0;

clientOptions.ClientCertificates = expectMutualAuthentication ? new X509CertificateCollection() { _clientCertificate } : null;
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(clientOptions),
server.AuthenticateAsServerAsync(serverOptions));

// mutual authentication should only be set if client set certificate
Assert.Equal(expectMutualAuthentication, server.IsMutuallyAuthenticated);
Assert.Equal(expectMutualAuthentication, client.IsMutuallyAuthenticated);

if (expectMutualAuthentication)
{
Assert.NotNull(server.RemoteCertificate);
}
else
{
Assert.Null(server.RemoteCertificate);
}
};
}
}

[ClassData(typeof(SslProtocolSupport.SupportedSslProtocolsTestData))]
[PlatformSpecific(TestPlatforms.Linux)] // https://github.com/dotnet/runtime/issues/65563
[Theory]
public async Task SslStream_ResumedSessionsCallbackSet_IsMutuallyAuthenticatedCorrect(
SslProtocols protocol)
{
var clientOptions = new SslClientAuthenticationOptions
{
EnabledSslProtocols = protocol,
RemoteCertificateValidationCallback = delegate { return true; },
TargetHost = Guid.NewGuid().ToString("N")
};

// Create options with certificate context so TLS resume is possible on Linux
var serverOptions = new SslServerAuthenticationOptions
{
ClientCertificateRequired = true,
ServerCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, null),
RemoteCertificateValidationCallback = delegate { return true; },
EnabledSslProtocols = protocol
};

for (int i = 0; i < 5; i++)
{
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
bool expectMutualAuthentication = (i % 2) == 0;

clientOptions.LocalCertificateSelectionCallback = (s, t, l, r, a) =>
{
return expectMutualAuthentication ? _clientCertificate : null;
};

await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(clientOptions),
server.AuthenticateAsServerAsync(serverOptions));

// mutual authentication should only be set if client set certificate
Assert.Equal(expectMutualAuthentication, server.IsMutuallyAuthenticated);
Assert.Equal(expectMutualAuthentication, client.IsMutuallyAuthenticated);

if (expectMutualAuthentication)
{
Assert.NotNull(server.RemoteCertificate);
}
else
{
Assert.Null(server.RemoteCertificate);
}
};
}
}

[ClassData(typeof(SslProtocolSupport.SupportedSslProtocolsTestData))]
[PlatformSpecific(TestPlatforms.Linux)] // https://github.com/dotnet/runtime/issues/65563
[Theory]
public async Task SslStream_ResumedSessionsCallbackMaybeSet_IsMutuallyAuthenticatedCorrect(
SslProtocols protocol)
{
var clientOptions = new SslClientAuthenticationOptions
{
EnabledSslProtocols = protocol,
RemoteCertificateValidationCallback = delegate { return true; },
TargetHost = Guid.NewGuid().ToString("N")
};

// Create options with certificate context so TLS resume is possible on Linux
var serverOptions = new SslServerAuthenticationOptions
{
ClientCertificateRequired = true,
ServerCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, null),
RemoteCertificateValidationCallback = delegate { return true; },
EnabledSslProtocols = protocol
};

for (int i = 0; i < 5; i++)
{
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
bool expectMutualAuthentication = (i % 2) == 0;

if (expectMutualAuthentication)
{
clientOptions.LocalCertificateSelectionCallback = (s, t, l, r, a) => _clientCertificate;
}
else
{
clientOptions.LocalCertificateSelectionCallback = null;
}

await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(clientOptions),
server.AuthenticateAsServerAsync(serverOptions));

// mutual authentication should only be set if client set certificate
Assert.Equal(expectMutualAuthentication, server.IsMutuallyAuthenticated);
Assert.Equal(expectMutualAuthentication, client.IsMutuallyAuthenticated);

if (expectMutualAuthentication)
{
Assert.NotNull(server.RemoteCertificate);
}
else
{
Assert.Null(server.RemoteCertificate);
}
};
}
}

private static bool AllowAnyCertificate(
object sender,
X509Certificate certificate,
Expand Down