improve cert validation diagnostic on OSX #1513

Merged
wfurt merged 5 commits into dotnet:master from wfurt:osx_ssl_diag
Jan 14, 2020

@wfurt wfurt commented Jan 9, 2020

Right now, when the OS does not like the remote certificate, it is quite difficult to figure out why (like #666).
This change will try to extract the reason code from the OS and it will emit a tracing entry so it is possible to get to it easily.

COMPlus_EnableEventPipe=1
COMPlus_EventPipeConfig=Microsoft-System-Net-Security:0xFFFFFFFFFFFFFFFF:3

will produce something like

<Event MSec="747.1234" PID="66553" PName="Process(66553)" TID="12435200" EventName="ErrorMessage" ProviderName="Microsoft-System-Net-Security" thisOrContextObject="SafeDeleteSslContext#3129430" memberName="VerifyCertificateProperties" message="Cert name validation for 'github.com' failed -2147408889"/>

In this case that can be mapped to CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE for the case described in #666 or to CSSMERR_APPLETP_CA_PIN_MISMATCH in #805.

related to #666
related to #805
contributes to https://github.com/dotnet/corefx/issues/34905
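
Added example, not code from this pull request: a triage script that pulls the OSStatus out of an ErrorMessage event like the one above and renders it in the unsigned hex form used by Apple's CSSM headers, so the symbolic name can be looked up. The function names, the result fields and the second trace line are hypothetical; the AppleTP base value and range are assumptions taken from Apple's cssmapple.h.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the event from the description plus an unrelated, made-up event.
SAMPLE_TRACE = '''
<Event MSec="747.1234" PID="66553" PName="Process(66553)" TID="12435200" EventName="ErrorMessage" ProviderName="Microsoft-System-Net-Security" thisOrContextObject="SafeDeleteSslContext#3129430" memberName="VerifyCertificateProperties" message="Cert name validation for 'github.com' failed -2147408889"/>
<Event MSec="748.0001" PID="66553" EventName="Info" ProviderName="Microsoft-System-Net-Security" message="constructed unrelated event"/>
'''

# Assumption: AppleTP private errors start at 0x80012400 and span 0x400 codes,
# as laid out in Apple's cssmapple.h. Extend NAMES from that header as needed.
TP_PRIVATE_BASE = 0x80012400
TP_PRIVATE_SPAN = 0x400
NAMES = {
    0x80012400: "CSSMERR_APPLETP_HOSTNAME_MISMATCH",
    0x80012407: "CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE",  # code shown above
}
MESSAGE_RE = re.compile(r"Cert name validation for '([^']*)' failed (-?\d+)")


def decode_status(status):
    """Turn a signed 32-bit OSStatus into (hex string, AppleTP offset, name)."""
    code = status & 0xFFFFFFFF  # two's-complement view, as written in the headers
    in_tp = TP_PRIVATE_BASE <= code < TP_PRIVATE_BASE + TP_PRIVATE_SPAN
    offset = code - TP_PRIVATE_BASE if in_tp else None
    return f"0x{code:08X}", offset, NAMES.get(code)


def find_cert_failures(trace):
    """Return one dict per certificate-validation ErrorMessage event in the trace."""
    failures = []
    for line in trace.splitlines():
        if not line.lstrip().startswith("<Event"):
            continue
        try:
            attrs = ET.fromstring(line.strip()).attrib
        except ET.ParseError:
            continue  # truncated or non-XML line
        if attrs.get("ProviderName") != "Microsoft-System-Net-Security":
            continue
        match = MESSAGE_RE.search(attrs.get("message", ""))
        if match:
            hex_code, offset, name = decode_status(int(match.group(2)))
            failures.append({"host": match.group(1), "status": int(match.group(2)),
                             "hex": hex_code, "tp_offset": offset, "name": name})
    return failures


if __name__ == "__main__":
    for failure in find_cert_failures(SAMPLE_TRACE):
        print(failure)
```

A code that is inside the AppleTP range but missing from `NAMES` comes back with a `tp_offset` and a `name` of `None`, which is the cue to look the offset up in the header.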

@wfurt wfurt requested review from a team and bartonjs January 9, 2020 01:29
@wfurt wfurt self-assigned this Jan 9, 2020
Comment thread src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.c Outdated
Comment thread src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs Outdated
@wfurt wfurt merged commit 8cdefc1 into dotnet:master Jan 14, 2020
@wfurt wfurt deleted the osx_ssl_diag branch January 14, 2020 20:05
@karelz karelz added this to the 5.0.0 milestone Aug 18, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 11, 2020