-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSLStream should support cancelling certificate chain building with cancellation token #35839
Comments
It's certainly not cancellable on macOS, since neither SecTrustEvaluate or SecTrustEvaluateWithError are capable of being cancelled. |
Well, SslStream could build the chain via Task.Run, I suppose. |
Tagging subscribers to this area: @dotnet/ncl |
That would effectively cancel the wait but not the actual operation. When the caller gets back control after the resulting OperationCanceledException, what happens if they then dispose stuff that's being used? Does anything break, or is everything properly protected by SafeHandles? Or what happens if they retry the operation while the previous operation is still in flight? Also, how long do these operations typically take, and are they parallelizable? If you are considering using async-over-sync, I'm wondering if it makes sense to use one or more dedicated threads rather than using the thread pool. |
Any certificates used as input should be being used as SafeHandles inside the execution already to prevent system corruption from a parallel/external dispose. Disposing the chain object will do nothing if it hasn't yet completed.
If it's on the same X509Chain instance, both operations will then assign the ChainElements, ChainStatus, and SafeHandle properties. So the same object should not be reused (aka it's definitely not thread safe).
Sub-hundred milliseconds. Except when they need the network. Then sub-hundred-milliseconds + network time (where E(x) is low, but Theta(x) is chainPolicy.UrlRetrievalTimeout (default: effectively infinite) ... except UrlRetrievalTimeout isn't respected on macOS).
Yep |
The manual fetches (on OSX and Linux) could also be fully asynchronous in the SSL Stream case but I didn't want to pollute this issue with that 😄 |
There aren't manual fetches on macOS. Only Linux. |
should we close this in favor of #35844? If we have options to pass complete chain to SslStream this should not be big issue, right? |
We can avoid making the call completely right? We can also set a timeout if we choose to resolve ourselves yes? |
yes, I think so, at least for cases in our control. X509ChainPolicy.UrlRetrievalTimeout is what you can use to control timeout if you choose X509Chain to build/fetch it for you. I did quick search through runtime repo and I did not see test verifying the expiration. |
I don't know if this is still correct but I was under the impression that
|
may not be "in our control". That still may not matter if full chain is provided. |
Triage: Verify it works correctly, then close. |
I was planning to close this with #35844 "pre-validated immutable full certificate chain" and add test to verify that once certificate context was built. (Both calls to BuildNewChain @davidfowl mentioned are gone) That proved to be challenging as even if the server does not do I/O, client will and there is no good way how to separate client and server with current test infrastructure. I think this should be revisited beyond just the cancelation. I think we should find a better way how to expose verification options. Perhaps adding option to just give certificate to callback or exposing |
Client and server now have option to pass in |
Certificate chain building and verification should be cancellable AuthenticateAs* on OSX and Linux:
runtime/src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs
Line 325 in b44492d
runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
Line 213 in 4bdf468
The text was updated successfully, but these errors were encountered: