Use certificate thumbprints from entire chain in SSL_CTX cache #112858
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/azp run runtime-libraries-coreclr outerloop |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| @@ -36,33 +36,62 @@ private sealed class SafeSslContextCache : SafeHandleCache<SslContextCacheKey, S | |||
| internal readonly struct SslContextCacheKey : IEquatable<SslContextCacheKey> | |||
| { | |||
| public readonly bool IsClient; | |||
| public readonly byte[]? CertificateThumbprint; | |||
| public readonly List<byte[]> CertificateThumbprints; | |||
There was a problem hiding this comment.
The CertificateThumbprints field is declared as a public readonly List, but the list itself remains mutable. This can lead to unexpected behavior when this key is used in caching or dictionary operations, so consider exposing an immutable collection or making a defensive copy in the constructor.
Suggested change
| public readonly List<byte[]> CertificateThumbprints; | |
| public readonly ReadOnlyCollection<byte[]> CertificateThumbprints; |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
it seems like simple array would be sufficient as we know the count upfront...
|
/azp run runtime-libraries-coreclr outerloop |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
Nice branch name 😅😅 |
This was referenced Feb 24, 2025
|
/ba-g No failures in System.Net.* namespace, rest of the failures should be unrelated |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #112856.
Update the SSL context cache to utilize certificate thumbprints from the entire certificate chain. This mimics what we do for MsQuic
runtime/src/libraries/System.Net.Quic/src/System/Net/Quic/Internal/MsQuicConfiguration.Cache.cs
Line 47 in aeda1de