-
Notifications
You must be signed in to change notification settings - Fork 5k
[release/3.1] Client certificate authentication on HTTP/2 in WinHttpHandler #42888
[release/3.1] Client certificate authentication on HTTP/2 in WinHttpHandler #42888
Conversation
@danmosemsft |
If this only affects .NET Framework, is there a way to have zero code churn for .NET Core? |
It affects .Net Core as well because WinHttpHandler implementation is the same for both of the platforms. That also means it will work the same way on .Net Core. |
Yes, I'm comfortable with LOW risk assessment.
Yes, 2 large customers need .NET Framework HTTP/2 support with TLS client certificates as their endpoints (third-party servers) are removing HTTP/1.1 support and forcing HTTP/2 with TLS client certs for authentication. |
Sounds good. I"ll take it to tactics. thanks |
@alnikola could you share why you didn't port the tests from master? (missing dependencies in our test infrastructure?). normally shipping a fix in servicing that we can only test manually is not as ideal as having a test. when you say tested manually, do you mean you wrote code to use it, or walked through in the debugger, or found some way to run the unit tests locally? there is particular interest in reducing churn in this branch going forward - so if there's any reasonable step we can take to increase confidence even further that this doesn't break anything, it would be worth taking. if you've already done all the reasonable things, then we're good. |
setting no-merge for a few days while we complete the validation discussion.. |
@danmosemsft I didn't port tests from master to 3.1 because our Common test infastructure changed significantly since 3.1 release and now I cannot easily port any changes I made to WinHttpHandler tests including new tests for this feature (client cert authentication on HTTP/2). To do it would require a huge extra effort. Manual testing consists of 2 steps:
|
@alnikola ping on this one, anything from customer? |
@danmosemsft we are pinging them, but no response / ETA yet :( |
OK. If we don't get an ack in a few days, you/we will have to make a call on whether to slip this one to the next month. |
Yep, I view it that the end-to-end validation is blocking this servicing request. So, we will keep slipping, until we have it. |
We just got confirmation from the partner team -- they validated the end-to-end scenario works on their side with our private build. |
As far as I know it's open -- @Anipik ? |
I am affected by this issue. Understand that this will ship with .NET Core 3.1.5? |
This is fix in WinHttpHandler package, shipped with .NET Core 3.1.5 update - that translates to version 4.7.2 of this package I believe. It contains also .NET Framework targeting bits, so you should be covered. |
Thanks @karelz if you can find out the version it would be very interesting to know so I can investigate when it may be released. |
[UPDATED to avoid confusion -- thanks @alnikola for correcting me!] Here's the OS version: Version 2004, build 19573+ |
To clarify this feature is supported Windows 10 Version 2004 build 19573 or newer. |
What about server OS versions? Are they affected too, or is it only Windows 10? And if they are affected, what versions are affected? |
@rjalbert Windows Server 2016 and 2019 share the versions and the update schedule with the desktop Windows 10. All you need is to make sure that |
Any chance this functionality will be available on Windows Server 2012 R2? |
@GordonEilen you will need to talk to OS servicing directly (I assume via your MS support contract). |
@karelz Thanks! |
This is port of dotnet/runtime#33158.
Description
Pre-release WinHTTP's version supports client certificate-based authentication over HTTP/2, but the feature must be explicitly opted-in. PR sets WINHTTP_OPTION_ENABLE_HTTP2_PLUS_CLIENT_CERT to TRUE before invoking WinHttpConnect if the request's protocol is HTTP/2 and scheme is HTTPS.
Customer impact
Without this change, it's not possible to use client certificate-based authentication on HTTP/2 in .Net Framework 4.7.2 and 4.8.
Regression?
No
Packaging review
Change affects System.Net.Http.WinHttpHandler.dll which is distributed in System.Net.Http.WinHttpHandler package.
Risk
Low, covered by functional tests in master branch, but only manually tested for 3.1