[release/8.0] Support specifying multiple directories through SSL_CERT_DIR. #93749
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Co-authored-by: Jeremy Barton <[email protected]> Co-authored-by: Kevin Jones <[email protected]>
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones Issue DetailsBackport of #92920 to release/8.0 /cc @jeffhandley @tmds Customer ImpactTestingRiskIMPORTANT: If this backport is for a servicing release, please verify that:
|
|
When ready, please send an email to Tactics requesting approval. Friendly reminder that we need this merged before 4pm tomorrow Friday 20th to ensure it goes into GA. |
jeffhandley
added
Servicing-approved
ghost
locked as resolved and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #92920 to release/8.0
Customer Impact
Customers running applications in Kubernetes on Linux can experience HTTPS certificate trust failures.
OpenSSL provides an SSL_CERT_DIR value which contains a delimiter-separated list of paths to directories containing trusted CA certificates. That value is being interpreted as a single path instead of a list of paths, which prevents certificates in those directories from being respected.
This was reported, fixed, and tested by @tmds. Support for this type of environment is being backported to RHEL .NET 8 distros that derive from CentOS Stream. Backporting this fix to .NET 8 ensures we have consistent behavior between RHEL .NET 8 and other distributions of .NET 8.
Testing
A new Linux-specific unit test was added for verifying the behavior. Manual testing verified the issue is fixed in the RHEL Kubernetes environments. Manual testing also covered NFS and SMB mount scenarios.
This same issue was encountered in Go, with a similar fix made in February 2020.
Risk
Medium, but confidence is high. Changes to these scenarios would have high impact if there is a regression, but adequate reviews and testing have been done to give us confidence in this fix.