Skip to content

fix assert in ssl options clone #72326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 17, 2022
Merged

fix assert in ssl options clone #72326

merged 3 commits into from
Jul 17, 2022

Conversation

wfurt
Copy link
Member

@wfurt wfurt commented Jul 17, 2022

fixes #71233

The assert we are hitting was added to detect cases when we add new property but we fail to update the clone method.
(it failed that purpose and I added the new missing CertificateChainPolicy as well)
However, in this case it fails because the given SslClientAuthenticationOptions is being modified while cloned.
While the underlying issue existed for a while I think the recent failures are triggered by #70716.
Registered LocalCertificateSelectionCallback will access Handler's ClientCertificates and that will trigger

return _underlyingHandler.SslOptions.ClientCertificates ??
                (_underlyingHandler.SslOptions.ClientCertificates = new X509CertificateCollection());

The tests (like SendMoreThanStreamLimitRequestsConcurrently_LastWaits) triggering the assert use Parallel.For to blast bunch of requests, each racing the initialization in chain setup and modifying ClientCertificates from null to empty collection.

This fix is to use underlying object without attempt to initialize it and guarding against null in GetEligibleClientCertificate.

@wfurt wfurt added this to the 7.0.0 milestone Jul 17, 2022
@wfurt wfurt requested a review from a team July 17, 2022 01:32
@wfurt wfurt self-assigned this Jul 17, 2022
@ghost
Copy link

ghost commented Jul 17, 2022

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

fixes #71233

The assert we are hitting was added to detect cases when we add new property but we fail to update the clone method.
(it failed that purpose and I added the new missing CertificateChainPolicy as well)
However, in this case it fails because the given SslClientAuthenticationOptions is being modified while cloned.
While the underlying issue existed for a while I think the recent failures are triggered by #70716.
Registered LocalCertificateSelectionCallback will access Handler's ClientCertificates and that will trigger

return _underlyingHandler.SslOptions.ClientCertificates ??
                (_underlyingHandler.SslOptions.ClientCertificates = new X509CertificateCollection());

The tests (like SendMoreThanStreamLimitRequestsConcurrently_LastWaits) triggering the assert use Parallel.For to blast bunch of requests, each racing the initialization in chain setup and modifying ClientCertificates from null to empty collection.

This fix is to use underlying object without attempt to initialize it and guarding against null in GetEligibleClientCertificate.

Author: wfurt
Assignees: wfurt
Labels:

area-System.Net.Http
Milestone: 7.0.0

stephentoub
stephentoub reviewed Jul 17, 2022
View reviewed changes
src/libraries/Common/src/System/Net/Security/SslClientAuthenticationOptionsExtensions.cs
@@ -19,6 +19,7 @@ public static SslClientAuthenticationOptions ShallowClone(this SslClientAuthenti
AllowRenegotiation = options.AllowRenegotiation,
ApplicationProtocols = options.ApplicationProtocols != null ? new List<SslApplicationProtocol>(options.ApplicationProtocols) : null,
CertificateRevocationCheckMode = options.CertificateRevocationCheckMode,
CertificateChainPolicy = options.CertificateChainPolicy,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we missing a test that should have failed without this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, we should add test to HTTP once QUIC supports CertificateChainPolicy.

@wfurt wfurt merged commit f275edb into dotnet:main Jul 17, 2022
@wfurt wfurt mentioned this pull request Jul 26, 2022
Closed
@wfurt wfurt mentioned this pull request Aug 11, 2022
Merged
@ghost ghost locked as resolved and limited conversation to collaborators Aug 16, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@stephentoub stephentoub stephentoub approved these changes

Assignees

@wfurt wfurt

Labels
area-System.Net.Http
Projects
None yet
Milestone
7.0.0
Development

Successfully merging this pull request may close these issues.

Test failure: System.Net.Http.Functional.Tests - Assertion failed: ClientCertificates. Expected enumerable cloned value.
2 participants
@wfurt @stephentoub