Skip to content

Tls resume PoC (server stateless) #57079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wfurt merged 15 commits into from
Sep 3, 2021
Merged

Tls resume PoC (server stateless) #57079

Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
5b5dc35
tls resume
wfurt Aug 9, 2021
6bf265c
fix alpn
wfurt Aug 9, 2021
b6b40d7
fix build with old openssl
wfurt Aug 9, 2021
9c99a25
remove handling of empty ALPN
wfurt Aug 10, 2021
30e8271
more OpenSSL1.0 fixes
wfurt Aug 10, 2021
8cb81fb
fix android
wfurt Aug 10, 2021
e6460bb
Merge branch 'main' of https://github.com/dotnet/runtime into tlsResu…
wfurt Aug 16, 2021
179edc8
feedback from review
wfurt Aug 16, 2021
55a1770
dispose innerContext if we don't cache
wfurt Aug 16, 2021
9aed0c8
disable TLS resume with CipherSuitePolicy
wfurt Aug 16, 2021
06dc955
partial feedback from review
wfurt Aug 26, 2021
fc5031e
Merge branch 'main' of https://github.com/dotnet/runtime into tlsResu…
wfurt Aug 26, 2021
3b21da7
fix build
wfurt Aug 26, 2021
df51d00
feedback from review
wfurt Aug 26, 2021
47f3742
refactor protocol selection to helper function
wfurt Aug 26, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
dispose innerContext if we don't cache
  • Loading branch information
@wfurt
wfurt committed Aug 16, 2021
commit 55a17700b24bbf492d7331eb02672717d9e35283
6 changes: 3 additions & 3 deletions src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -306,10 +306,10 @@ internal static SafeSslHandle AllocateSslHandle(SafeFreeSslCredentials credentia
}
finally
{
if (innerContext != null && cacheSslContext)
if (innerContext != null)
{
// We allocated new context
if (sslAuthenticationOptions.CertificateContext?.SslContexts == null ||
// We allocated new context and we want to cache
if (!cacheSslContext || sslAuthenticationOptions.CertificateContext?.SslContexts == null ||
!sslAuthenticationOptions.CertificateContext.SslContexts.TryAdd(sslAuthenticationOptions.EnabledSslProtocols, innerContext))
{
innerContext.Dispose();
Copy link
Member

@bartonjs bartonjs Aug 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the event that we're not caching, what happens here? Seems like we'll have created an SSL_CTX, from that we created an SSL, then without doing anything yet we call dispose on the SSL_CTX handle, which might call SSL_shutdown.

I feel like I must be missing something.

Copy link
Member Author

@wfurt wfurt Aug 26, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think disposing the context would call SSL_shutdown. It does not have data to do so and it would only call Interop.Ssl.SslCtxDestroy().

We already do that 100% in existing code:

runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs

Lines 48 to 55 in 16de9a2

internal static SafeSslHandle AllocateSslContext(SslProtocols protocols, SafeX509Handle? certHandle, SafeEvpPKeyHandle? certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions)
{
SafeSslHandle? context = null;
// Always use SSLv23_method, regardless of protocols. It supports negotiating to the highest
// mutually supported version and can thus handle any of the set protocols, and we then use
// SetProtocolOptions to ensure we only allow the ones requested.
using (SafeSslContextHandle innerContext = Ssl.SslCtxCreate(Ssl.SslMethods.SSLv23_method))

This logic is there to skip it if we put the context to cache.

Expand Down