Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release/7.0] Fix SslStream.IsMutuallyAuthenticated #95733

Merged
merged 5 commits into from
Jan 10, 2024
Merged

[release/7.0] Fix SslStream.IsMutuallyAuthenticated #95733

merged 5 commits into from
Jan 10, 2024

Conversation

rzikm
Copy link
Member

@rzikm rzikm commented Dec 7, 2023
edited by karelz
Loading

This is essentially the same as 6.0 PR #92684, but for 7.0.

This is backport of PR #88488 and PR #79128 and parts of PR #63945.
It also brings spirit of test-only PR #68009 to get test coverage for TLS 1.3.

This only covers Windows to minimize the code delta i.e. it does not bring all the changes from PR #63945 to cover Linux & macOS.

Customer Impact

The property IsMutuallyAuthenticated on SslStream indicates if mutual TLS authentication is performed with client certificate. Current 6.0 implementation can get confused in several cases, so the value is unreliable for security audits.

Testing

This brings all the current tests from 8.0 branch.
Customer validated on private bits in production - neither functional, nor perf regression.

Risk

Medium.
While the change is quite large, it should be specific just to that property i.e. it should not impact TLS handshake or any other I/O on SslStream. Since the IsMutuallyAuthenticated is already unreliable this should bring it up to 8.0 code base to fix all known cases when it is incorrect. To reduce complexity, this fixes only Windows as macOS & Linux changes from PR #68009 had more significant impact on functionality and flow.

wfurt and others added 3 commits December 7, 2023 13:11
@wfurt @rzikm @simonrozsival
fix SslStream.IsMutuallyAuthenticated with cached credentials (dotnet…
a6b3a86 
…#79128)

* fix SslStream.IsMutuallyAuthenticated with cached credentials

* nano

* protocol

* fix test

* Apply suggestions from code review

Co-authored-by: Radek Zikmund <32671551+rzikm@users.noreply.github.com>
Co-authored-by: Simon Rozsival <simon@rozsival.com>

* fix CertificateValidationClientServer_EndToEnd_Ok test

Co-authored-by: Radek Zikmund <32671551+rzikm@users.noreply.github.com>
Co-authored-by: Simon Rozsival <simon@rozsival.com>
@wfurt @rzikm
fix IsMutuallyAuthenticated with NegotiateClientCertificateAsync (dot…
453a97a 
…net#88488)
@rzikm
Port rest of the changes from dotnet#79898
8db62ef
@ghost ghost assigned rzikm Dec 7, 2023
@ghost
Copy link

ghost commented Dec 7, 2023

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

null

Author: rzikm
Assignees: rzikm
Labels:

area-System.Net.Security
Milestone: -

@rzikm rzikm changed the title IsMutualAuthFix-release7.0 [release/7.0] Fix SslStream.IsMutuallyAuthenticated Dec 7, 2023
@rzikm rzikm requested a review from wfurt December 7, 2023 12:53
@rzikm
Copy link
Member Author

rzikm commented Dec 7, 2023

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@rzikm
Copy link
Member Author

rzikm commented Dec 7, 2023

/azp run runtime-extra-platforms

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@build-analysis build-analysis bot mentioned this pull request Dec 7, 2023
Closed
@runfoapp runfoapp bot mentioned this pull request Dec 7, 2023
Closed
This was referenced Dec 7, 2023
Closed
Open
Closed
Closed
Closed
Closed
Open
Open
Closed
Closed
Closed
@rzikm @stephentoub
Update src/libraries/System.Net.Security/src/System/Net/CertificateVa…
6f9b430 
…lidationPal.Windows.cs

Co-authored-by: Stephen Toub <stoub@microsoft.com>
@karelz karelz added this to the 7.0.x milestone Jan 9, 2024
@karelz karelz added the Servicing-consider Issue for next servicing release review label Jan 9, 2024
@karelz
Copy link
Member

karelz commented Jan 10, 2024

Approved by Tactics (@SteveMCarroll) on 1/9 via email. Adding Servicing-approved label accordingly.

@karelz karelz added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Jan 10, 2024
@rzikm
Copy link
Member Author

rzikm commented Jan 10, 2024

Build failures are either known or unrelated.

@rzikm rzikm merged commit b7b55af into dotnet:release/7.0-staging Jan 10, 2024
98 of 114 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Feb 10, 2024
@karelz karelz modified the milestones: 7.0.x, 7.0.16 Jun 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wfurt wfurt wfurt approved these changes

@stephentoub stephentoub stephentoub approved these changes

Assignees

@rzikm rzikm

Labels
area-System.Net.Security Servicing-approved Approved for servicing release
Projects
None yet
Milestone
7.0.16
Development

Successfully merging this pull request may close these issues.
4 participants
@rzikm @karelz @stephentoub @wfurt