-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Controlling TRUSTED_ISSUERS in SslStream (platform differences between Unix & Windows) #23514
Comments
The above issue is a redesign of the SSLStream api to allow for easy edition of such knobs and levers. In light of that (and if it goes through which I believe it should) how would you like the config point to look? It might also be important with SNI to be able to provide a map of host -> calist as different hostnames might want different certs. |
It would be easiest if we could just get an extension point, similar to the current ones with |
The issue is around if you want to have a different list per SNI host. OpenSSL will let you have a callback but as far as I can tell (and those at MS have yet go say otherwise) you need an upfront list for SChannel. Eitherway I agree some way of configuring it is required as Http/2 disallows renegotiation so you need the correct client cert in the initial handshake or client certs will be completely useless. |
The current problem doesn't relate to SNI or renegotiation or OpenSSL. It is the framework making all of these decisions, the problem is that there is no way to get there. |
I get that :) My point was merely we need to put in context of SNI and consider that as part of the design. |
Also if you slot this in tmwith the SNI change which needs an API review as well you might get it quicker. As both need an API review ;) |
Another thing to add here. When testing, we noticed that we had 21KB of data in the SSL handshake just to send the TRUSTED_ISSUERS, I don't think that this is expected. |
No considering the trusted CA extension is a list of either names (x509 names) or cert hashes (fingerprints) even with the small encryption and header overhead you would be looking at 48 ca' s minimum. |
I'm running the same command on the same server in both Linux and Windows:
In Windows, I get: So that is roughly one packet to read the information. In Linux, I get:
I attached the raw output of the command to this message. Note that the Linux machine is a plain Ubuntu machine without any special configuration |
Would is be possible to add a flag to disable this behavior? |
Is there any progress here? The |
Hi, any response on this? |
@ayende When the Linux version was written it was matching behavior with Windows. If Windows has since changed behaviors (which may have "already happened" but in a newer OS than was being baselined) then we may want to change the Linux behavior, but the reason that we did it was for consistency. |
As far as I can see, (tested on Win 10 & Win 2016), this is the default Windows behavior. |
@Priya91 thinks this is in crypto APIs, not in SslStream. |
https://github.com/dotnet/corefx/blob/a77d5aae4790689b86a9910ca981825b72daa9a8/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs#L99 (AllocateSslContext). It's definitely SslStream-specific code. It was written to match SslStream from Windows Server 2012 R2 (IIRC), and Windows 10 seems to have changed the default behavior within SChannel, which results in changing how SslStream works here on Windows. If Networking/SslStream wants to match Windows 10 (after confirming with security feature processes that the change is the correct one to make) just delete the method call, and the method (and any otherwise abandoned methods). (Or leave things as is, make it an API option, force Windows 10 to behave like prior OSes, et cetera) |
@ayende Do you know what scenarios will be broken if this change is made? Matching windows 10 behavior seems reasonable, given that this was added to maintain consistency with windows in the first place. Would you like to submit a PR to remove this? |
We should very careful before changing this. The default behavior in SCHANNEL for Windows Server 2012 and later was changed to not send TRUSTED_ISSUERS lists by default. This was done because frequently such lists are huge and they overflow the packet size limitations of TLS. See: |
That shouldn't break TLS and if it does something is wrong with the implementation. There are "max fragment sizes" but a message (eg handshake message) should be able to be broken into any number of these
But actually reading your link... windows seems to have a bad implementation..... that's a pain... pity there is no managed implementation and you are limited by SChannel. |
@karelz I can send the PR, yes, will be here soon |
This can be closed now that PR dotnet/corefx#25642 has been merged |
This is related to https://github.com/dotnet/corefx/issues/17226 and aspnet/KestrelHttpServer#1802
On Windows, when using
SslStream
and requiring client certificates usingAuthenticateAsServer
an empty list of trusted issuers will be sent. This can be seen when running:penssl s_client -connect 192.168.1.11:8080
The results on Windows include
On Linux, however, the server will send a list of all the trusted issuers on the system. This is actually handled by CoreFX directly, in this method:
https://github.com/dotnet/corefx/blob/0fd3d2c5bcb1a83e7ebd8025e4810e11e231ce03/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs#L323
The code there is explicitly adding the registered certificates. On some machines, this can be a VERY big list. However, the calling code has no control over that and has to accept the machine state.
This is problematic, and a solution that will allow us to control what are the trusted issuers would be much better for us.
The underlying reason is that currently a user may specify a certificate, but get an error that no such certificate was used, which is really confusing and require to dig into which is the trusted issuer, what is going on and a lot of other annoyances.
There is also now way for us to inject any behavior into the system to control it.
Another overload on
SslStream
that would allow configuring the ssl context directly before use would be much better, but anything that would allow us to avoid sending the full issuers list all the time would be sufficent.This seems to impact quite a few people and it is the cause of very hard to diagnose issues.
The text was updated successfully, but these errors were encountered: