Description
From #94080 (comment)
[...] mTLS is one of the most common mechanisms for S2S (service to service) calls. In AAD alone, there are >300 billion mTLS calls every day. (and this is just internal traffic). Our public facing flows also have significant mTLS: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication. Perf improvements in mTLS code paths can save millions of dollars in TLS costs.
Mutual authentication should already be fully supported on Windows, but we currently don't support it on Linux (and not at all on macOS).
runtime/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
Lines 305 to 319 in 58e0349

```csharp
if (sslAuthenticationOptions.IsClient)
{
    // We don't support client resume on old OpenSSL versions.
    // We don't want to try on empty TargetName since that is our key.
    // And we don't want to mess up with client authentication. It may be possible
    // but it seems safe to get full new session.
    if (!Interop.Ssl.Capabilities.Tls13Supported ||
        string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) ||
        sslAuthenticationOptions.CertificateContext != null ||
        sslAuthenticationOptions.ClientCertificates?.Count > 0 ||
        sslAuthenticationOptions.CertSelectionDelegate != null)
    {
        cacheSslContext = false;
    }
}
```
This will need some more thinking and testing, specifically against cases where we unintentionally restore a session with the wrong certificate. When we only have one identity for any given server it is pretty simple. But if we have multiple services running on different ports (SslStream does not have access to the EndPoint), or if we want to maintain multiple identities to the same service, things do get more tricky.
However, cases where only one client certificate is provided (whether via the ClientCertificates collection, or CertificateContext, or perhaps even the certificate selection callback) may be simple and safe to implement.
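To make the wrong-certificate concern above concrete, here is an added, self-contained model of a client session cache (illustration only, not dotnet/runtime code). A string stands in for the OpenSSL session handle, the host name and the two client identities are constructed, and the cache keying shown is a hypothetical design, not the one SslStream uses:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical model of a client-side TLS session cache (not dotnet/runtime code).
static class ClientSessionCacheDemo
{
    // Key used when no client certificate is involved: TargetHost alone. SslStream
    // never sees the EndPoint, so two services on different ports of one host collide too.
    static string HostOnlyKey(string targetHost) => targetHost;

    // Identity-aware key: binds the cached session to the client certificate that
    // established it, so a second identity to the same host can never resume it.
    static string IdentityKey(string targetHost, X509Certificate2? clientCert) =>
        clientCert is null
            ? targetHost
            : $"{targetHost}|{clientCert.GetCertHashString(HashAlgorithmName.SHA256)}";

    static X509Certificate2 MakeTestCert(string cn)
    {
        // Constructed throw-away identity; only its certificate hash matters here.
        RSA key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
    }

    static void Main()
    {
        const string host = "auth.contoso.example"; // constructed target host
        using X509Certificate2 identityA = MakeTestCert("service-a");
        using X509Certificate2 identityB = MakeTestCert("service-b");

        var hostOnly = new Dictionary<string, string>();
        var identityAware = new Dictionary<string, string>();

        // Identity A completes a full handshake and its session is cached under both schemes.
        string sessionA = "session-established-with-" + identityA.GetCertHashString(HashAlgorithmName.SHA256);
        hostOnly[HostOnlyKey(host)] = sessionA;
        identityAware[IdentityKey(host, identityA)] = sessionA;

        // Identity B now connects to the same host. With a host-only key it would resume
        // A's session and be seen by the server as A: the wrong-certificate case.
        bool wrongResume = hostOnly.TryGetValue(HostOnlyKey(host), out string? resumed);
        Console.WriteLine($"host-only key: B resumes A's session = {wrongResume} ({resumed})");

        // With the identity in the key there is a cache miss, so B does a full handshake.
        bool safeMiss = !identityAware.ContainsKey(IdentityKey(host, identityB));
        Console.WriteLine($"identity-aware key: B falls back to a full handshake = {safeMiss}");
    }
}
```

The second scheme only covers the multiple-identities case; the different-ports case still needs something beyond TargetHost in the key, which SslStream does not currently have.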