[release/8.0] Avoid rooting X509Certificate2 in SslSessionCache #101144
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
…treamPal.Windows.cs Co-authored-by: campersau <[email protected]>
|
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones |
rzikm
changed the title
karelz
approved these changes
Apr 17, 2024
wfurt
approved these changes
Apr 17, 2024
|
Approved via email |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #101120 to release/8.0-staging
Fixes #101090
/cc @rzikm
Customer Impact
X509Certificates imported from PFX may be temporarily stored on disk. We extended their lifetime in .NET 8.0 (see details below) and they might not be deleted by the process. For short-lived processes, it may lead to disk space exhaustion.
Reported by a large service -- operating in environment with limited disk space and short-lived processes.
Technical details
PR #79898 fixed
SslStream.IsMutuallyAuthenticatedproperty for scenarios with TLS resumed sessions -- we found out that in some older windows versions we cannot reliably query whether the resumed session used a client certificate (important information for the property to be accurate). As a workaround, we added a reference to the X509Certificate instance on the record in the internal TLS session cache, which prolongs the lifetime of the X509Certificate.X509Certificates constructed by importing PFX certificate have their keys stored in a key file on disk.
Dispose()of the certificate is implemented such that the key file is cleaned up. Keeping a reference to the certificate from TLS session cache prevents this cleanup to happen (regardless whether user properly disposed of the certificate). The key file will then outlive the process it was created in. In scenarios with many short-lived processes which do mutually-authenticated HTTPS requests with such certificates will lead to accumulation of those files, potentially exhausting disk space.Since we don't use the value of the certificate in any part of the code, only the knowledge whether one was used or not, we can replace the cert reference by a simple
boolflag which does not extend the lifetime of the certificate.Regression
Yes, introduced in .NET 8 in PR #79898.
Testing
Verified on the provided isolated repro from the original issue #101090.
E2E verification done by reporting customer via provided private bits.
Risk
Low, the issue is well understood and the fix is small and contained to affected code path (using client certificates on Windows).