SslStream AuthenticateAsClient method is not sending SNI information to the server on OS X

[rstam]

When using AuthenticateAsClient to connect to a server, SslStream does not appear to be sending the SNI information to the server.

We have observed this issue on OS X. When running on Windows the SNI information does appear to be sent. It is unknown to us whether the SNI information is sent when running on Linux.

[davidsh]

Not sure if this is related to #17677. SslStream has limited supported for SNI in general and does not support SNI on the server-side (AuthenticateAsServer).

[mongostephen]

Just a note, on Windows, SslStream appears to pass on SNI.

[Priya91]

The client Sslstream on Linux also sends sni headers.

[karelz]

Seems to have impact on MongoDB client driver, moving to 2.1

[Priya91]

I wrote a small app on MacOS and hit a websocket server using ManagedClientWebSocket and an https server using ManagedHttpClientHandler, both of these types uses SslStream in their implementation. I verified the ssl handshake data sent over the wire using wireshark, and verified that it in fact sends the server_name TLS extension in the ClientHello. Can you provide a small repro app for this bug, along with the ssl handshake header information?

[karelz]

Closing, feel free to reopen when there is a repro we can look at.

[ar7z1]

@karelz @Priya91 I've faced the same problem on my linux box. I use dotnet-runtime-2.0.5.

A small program to reproduce the issue:

using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

namespace TestSNI
{
    class Program
    {
        static void Main(string[] args)
        {
            var host = "cluster0-shard-00-00-fvaks.mongodb.net";
            using (var client = new TcpClient(host, 27017))
            {
                using (var sslStream = new SslStream(client.GetStream(), false))
                {
                    sslStream.AuthenticateAsClient(host);
                }
            }
        }
    }
}

On Windows this code sends SNI extension:

But on Linux (I've tested on Ubuntu 14.04 and Ubuntu 16.04) it doesn't:

Pcaps for Windows, Ubuntu 14.04 and Ubuntu 16.04: SNI.zip.

I think that the problem is because awesome fix from @Priya91 (#25118) doesn't exist in v2.0.5: https://github.com/dotnet/corefx/blob/v2.0.5/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs#L108

[karelz]

Yes, client-side SNI was added into 2.1. Did you try to run it on 2.1? (see dogfooding)

[ar7z1]

@karelz I've checked the master nightly build, everything is perfectly working!
Is there any chance to release this feature before 2.1? Then many people will be able to use MongoDB with ssl on Linux. :-)

[karelz]

If there is strong demand to have it in 2.0.x (i.e. it is adoption blocker for a few customers), we could consider it. So far I have seen moderate demand (5-ish people asking about it / reporting it - and only this one asking for servicing fix).
Also, the 2.0 servicing fix might be available quite close to 2.1 availability, so the value of porting goes down. If it is blocking you badly, did you consider porting the fix into 2.0.x branch and creating custom build with local fix?

[ar7z1]

the 2.0 servicing fix might be available quite close to 2.1 availability

@karelz Then I'll wait till 2.1. :-)

Thank you again for awesome work!

[paulcsiki]

I'd also like a port to 2.0 as our company's policy is to wait a couple of months before adopting a new framework version into a production service. This is a showstopper for us too.