[release/5.0] rebuild certificate context if we use client cert from credential cache #48042
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #47580
Customer Impact
Heavily upvoted customer report of regression in 5.0.
TLS handshake can sometimes fail when client certificates are used for authentication.
This depends on server configuration as well on internal SslStream caching.
In general, this is difficult to predict and diagnose in the field.
Cause: in 5.0 we added options to provide full certificate chain to avoid work on every connection. That also removed certificate chain building from PAL and moved it up so it is done only when needed. That logic missed one place when the chain is not rebuilt when credential cache is used for client certificate. In such case we fail to include intermediate certificates in TLS handshake and that can lead to handshake failure. It works on first attempt (covered by tests) but it may fail on subsequent attempts when cache is used. (missed by current tests)
Regression?
yes. same scenarios work with 3.1 and got broken in 5.0.
Risk
very low. This is minimal change to get on par with 3.1
Testing
We did not have any tests to cover cases when credential cache is used. This changes adds basic to cover the scenario e.g. try client auth few times while creating conditions for cache lookup.