
Support TLS Resume with client certificates on Linux #94561

Closed
rzikm opened this issue Nov 9, 2023 · 2 comments · Fixed by #102656
Assignees
Labels
area-System.Net.Security in-pr There is an active PR which will close this issue when it is merged tenet-performance Performance related issue
Milestone

Comments

rzikm (Member) commented Nov 9, 2023

From #94080 (comment)

[...] mTLS is one of the most common mechanisms for S2S (service to service) calls. In AAD alone, there are >300 billion mTLS calls every day (and this is just internal traffic). Our public facing flows also have significant mTLS: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication. Perf improvements in mTLS code paths can save millions of dollars in TLS costs.

Mutual authentication should already be fully supported on Windows, but we currently don't support it on Linux (and not at all on macOS).

    if (sslAuthenticationOptions.IsClient)
    {
        // We don't support client resume on old OpenSSL versions.
        // We don't want to try on empty TargetName since that is our key.
        // And we don't want to mess up with client authentication. It may be possible
        // but it seems safe to get full new session.
        if (!Interop.Ssl.Capabilities.Tls13Supported ||
            string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) ||
            sslAuthenticationOptions.CertificateContext != null ||
            sslAuthenticationOptions.ClientCertificates?.Count > 0 ||
            sslAuthenticationOptions.CertSelectionDelegate != null)
        {
            cacheSslContext = false;
        }
    }

This will need some more thinking and testing, specifically against cases where we unintentionally restore a session with the wrong certificate. When we only have one identity for any given server it is pretty simple. But if we have multiple services running on different ports (SslStream does not have access to EndPoint) or if we want to maintain multiple identities to the same service, things do get more tricky.

However, cases where only 1 client certificate is provided (whether via the ClientCertificates collection, or CertificateContext, or perhaps even the certificate selection callback) may be simple and safe to implement.
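One way to avoid the "wrong certificate" resumption the comment above warns about is to make the client identity part of the cache key, not just TargetHost. The following is an added illustration and not dotnet/runtime code; ClientSessionCache, the ticket strings and the self-signed certificates are all constructed for the demo. It does not address the different-ports case, since the page notes SslStream has no access to the EndPoint.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical client-side session cache: the key is (TargetHost, SHA-256 thumbprint
// of the client certificate), so a session established under one identity is never
// offered for resumption under another, and anonymous sessions stay separate.
sealed class ClientSessionCache
{
    private readonly Dictionary<(string Host, string? ClientId), string> _sessions = new();

    // Null thumbprint represents a session negotiated without a client certificate.
    private static string? IdentityOf(X509Certificate2? clientCert) =>
        clientCert?.GetCertHashString(HashAlgorithmName.SHA256);

    public bool TryGet(string targetHost, X509Certificate2? clientCert, out string? ticket)
    {
        ticket = null;
        // Empty TargetHost gives no usable key: fall back to a full handshake.
        if (string.IsNullOrEmpty(targetHost)) return false;
        return _sessions.TryGetValue((targetHost, IdentityOf(clientCert)), out ticket);
    }

    public void Store(string targetHost, X509Certificate2? clientCert, string ticket)
    {
        if (string.IsNullOrEmpty(targetHost)) return;
        _sessions[(targetHost, IdentityOf(clientCert))] = ticket;
    }
}

static class Demo
{
    // Self-signed certificate standing in for one client identity (constructed, demo only).
    static X509Certificate2 MakeClientCert(string cn)
    {
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
    }

    static void Main()
    {
        var cache = new ClientSessionCache();
        using X509Certificate2 identityA = MakeClientCert("service-a"), identityB = MakeClientCert("service-b");
        cache.Store("backend.example", identityA, "ticket-negotiated-as-service-a");

        // Same host, different (or no) client identity: lookup misses, forcing a fresh handshake.
        Console.WriteLine($"B resumes A's session: {cache.TryGet("backend.example", identityB, out _)}");
        Console.WriteLine($"anonymous resumes A's session: {cache.TryGet("backend.example", null, out _)}");
        Console.WriteLine($"A resumes own session: {cache.TryGet("backend.example", identityA, out var t)} ({t})");
    }
}
```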

ghost commented Nov 9, 2023

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@ghost ghost added the untriaged New issue has not been triaged by the area owner label Nov 9, 2023
rzikm (Member, Author) commented Nov 29, 2023

Triage: not critical for 9.0, putting into Future for now.

@rzikm rzikm removed the untriaged New issue has not been triaged by the area owner label Nov 29, 2023
@rzikm rzikm added this to the Future milestone Nov 29, 2023
@rzikm rzikm self-assigned this May 23, 2024
@dotnet-policy-service dotnet-policy-service bot added the in-pr There is an active PR which will close this issue when it is merged label May 24, 2024
@karelz karelz modified the milestones: Future, 9.0.0 Jun 24, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Jul 25, 2024