Support TLS Resume with client certificates on Linux#102656


Conversation

@rzikm (Member) commented May 24, 2024, edited

Closes #94561.

This PR enables TLS resume on Linux if a client certificate is provided. The feature is triggered if the local certificate selection routine manages to select a certificate, i.e. in any of these situations:

  • ClientCertificateContext
  • LocalCertificateSelectionCallback returns a non-null certificate on the first call (otherwise selection based on server cert/acceptable issuers is assumed and a fresh SSL_CTX is always used)
  • ClientCertificates collection has at least one certificate (and the first one with a private key is used)

The feature is enabled by caching SSL_CTX as before; the certificate thumbprint has been added to the cache key to mirror what we do on Windows. The caching code has been reused from the MsQuicConfiguration cache (and in a further PR can be unified with the caching code we have for SslStream credentials on Windows).

I stressed the caching code with a dedicated program; there does not seem to be any leakage.

@rzikm (Member, Author) commented May 24, 2024, edited

Looks like TLS 1.3 works as well. (Windows server, Linux client, client cert required)

[image]

MaxXor reacted with thumbs up emoji

rzikm requested a review from wfurt May 24, 2024 13:14

@wfurt (Member)

I need to do a bit more testing (can't test TLS 1.3 resumption against .NET Linux server yet, as we support only stateful resumption yet).

I don't quite understand the comment. I thought we only support stateless, e.g. tickets, to avoid a large server cache. But I would also think that it does not matter, e.g. the resumption is possible either way.

@rzikm (Member, Author) commented May 30, 2024, edited

I need to do a bit more testing (can't test TLS 1.3 resumption against .NET Linux server yet, as we support only stateful resumption yet).

I don't quite understand the comment. I thought we only support stateless, e.g. tickets, to avoid a large server cache. But I would also think that it does not matter, e.g. the resumption is possible either way.

I meant that the Linux .NET server does not issue resumption tokens in TLS 1.3, so I had to test against a different server (Windows in this case).

Edit: my bad, it turns out that the resumption ticket was not transmitted because we close the connection without actually transmitting any user data; adding a ping-pong to the tests fixed the problem.

wfurt reacted with thumbs up emoji
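An added probe, not code from this PR or from dotnet/runtime, that builds the three resumable client configurations listed in the PR description (plus the callback shape that is not resumable) and times repeated handshakes, doing the ping-pong round trip the comment above found necessary for the session ticket to be delivered. The host, port, PFX path, password and mode numbering are assumptions; the server is assumed to require a client certificate.

```csharp
using System;
using System.Diagnostics;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Placeholder lab endpoint that requires a client certificate, and a placeholder client PFX.
const string Host = "tls-lab.example.test";
const int Port = 8443;
int mode = args.Length > 0 ? int.Parse(args[0]) : 0;
using var cert = new X509Certificate2("client.pfx", "placeholder-password");
var options = Options(cert, mode);
// With resumption, handshakes after the first should be markedly faster (compare the Context benchmarks).
for (int i = 0; i < 5; i++)
    Console.WriteLine($"mode {mode} handshake #{i}: {await ConnectOnceAsync(options):F2} ms");

// Modes 0-2 are the three resumable shapes from the PR description. Mode 3 is the non-resumable
// shape: the callback returns null on the first (pre-ServerHello) call, so the certificate is chosen
// later from the server's acceptable issuers and a fresh SSL_CTX is used for every connection.
SslClientAuthenticationOptions Options(X509Certificate2 cert, int mode)
{
    var o = new SslClientAuthenticationOptions { TargetHost = Host };
    switch (mode)
    {
        case 0: o.ClientCertificateContext = SslStreamCertificateContext.Create(cert, null); break;
        case 1: o.LocalCertificateSelectionCallback = (_, _, _, _, _) => cert; break;
        case 2: o.ClientCertificates = new X509CertificateCollection { cert }; break;
        default: o.LocalCertificateSelectionCallback = (_, _, _, remote, _) => remote is null ? null : cert; break;
    }
    return o;
}

// One connection: time the handshake, then exchange a ping/pong so the server's session ticket is
// actually delivered before we close (closing right after the handshake loses it, as noted above).
async Task<double> ConnectOnceAsync(SslClientAuthenticationOptions options)
{
    using var tcp = new TcpClient();
    await tcp.ConnectAsync(Host, Port);
    // Lab only: trust the lab server's self-signed certificate unconditionally.
    using var ssl = new SslStream(tcp.GetStream(), false, (_, _, _, _) => true);
    var sw = Stopwatch.StartNew();
    await ssl.AuthenticateAsClientAsync(options);
    double handshakeMs = sw.Elapsed.TotalMilliseconds;
    await ssl.WriteAsync(new byte[] { 1, 2, 3, 4 });
    var pong = new byte[4];
    for (int n = 0; n < pong.Length;) n += await ssl.ReadAsync(pong.AsMemory(n));
    return handshakeMs;
}
```

Run it as `dotnet run -- 3` to see the non-resumable callback shape stay at full-handshake cost while modes 0 to 2 drop after the first connection.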

@rzikm (Member, Author)

/azp run runtime-extra-platforms

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rzikm (Member, Author)

/azp run runtime-libraries coreclr-outerloop

@azure-pipelines

No pipelines are associated with this pull request.

@rzikm (Member, Author)

/azp list

@azure-pipelines

CI/CD Pipelines for this repository:

@rzikm (Member, Author)

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rzikm (Member, Author)

/azp run runtime-extra-platforms

@rzikm (Member, Author)

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rzikm (Member, Author)

/ba-g Test failures are all unrelated, relevant stages (System.Net.Security.Tests) all pass

@LoopedBard3 (Member) commented Jun 18, 2024, edited

Related regression: dotnet/perf-autofiling-issues#36400 (Only the SSLStreamTests)

Linux Arm64: dotnet/perf-autofiling-issues#36652

rzikm reacted with eyes emoji

@rzikm (Member, Author) commented Jun 19, 2024, edited

I realize I did not post any measurements here, so here we are:

// * Summary *

BenchmarkDotNet v0.13.13-nightly.20240311.145, Ubuntu 22.04.4 LTS (Jammy Jellyfish)
Intel Core i9-10900K CPU 3.70GHz, 1 CPU, 20 logical and 10 physical cores
.NET SDK 9.0.100-preview.5.24307.3
  [Host]     : .NET 9.0.0 (9.0.24.30607), X64 RyuJIT AVX2
  Job-DZDDGH : .NET 9.0.0 (42.42.42.42424), X64 RyuJIT AVX2
  Job-HPXMZE : .NET 9.0.0 (42.42.42.42424), X64 RyuJIT AVX2

PowerPlanMode=00000000-0000-0000-0000-000000000000  IterationTime=250ms  MaxIterationCount=20
MinIterationCount=15  WarmupCount=1

| Method                                 | Job        | Toolchain      | Mean      | Error     | StdDev    | Median    | Min        | Max       | Ratio | RatioSD | Allocated | Alloc Ratio |
|--------------------------------------- |----------- |--------------- |----------:|----------:|----------:|----------:|-----------:|----------:|------:|--------:|----------:|------------:|
| DefaultHandshakeContextIPv4Async       | Job-DZDDGH | /9.0.0/corerun |  1.017 ms | 0.0275 ms | 0.0294 ms |  1.008 ms |  0.9759 ms |  1.082 ms |  1.00 |    0.04 |   5.96 KB |        1.00 |
| DefaultHandshakeContextIPv4Async       | Job-HPXMZE | /main/corerun  |  1.054 ms | 0.0207 ms | 0.0213 ms |  1.053 ms |  1.0240 ms |  1.109 ms |  1.04 |    0.03 |   5.96 KB |        1.00 |
| DefaultHandshakeContextIPv6Async       | Job-DZDDGH | /9.0.0/corerun |  1.046 ms | 0.0328 ms | 0.0350 ms |  1.039 ms |  0.9988 ms |  1.130 ms |  1.00 |    0.05 |   5.96 KB |        1.00 |
| DefaultHandshakeContextIPv6Async       | Job-HPXMZE | /main/corerun  |  1.045 ms | 0.0202 ms | 0.0168 ms |  1.050 ms |  1.0154 ms |  1.074 ms |  1.00 |    0.04 |   5.96 KB |        1.00 |
| DefaultMutualHandshakeContextIPv4Async | Job-DZDDGH | /9.0.0/corerun |  1.394 ms | 0.0269 ms | 0.0225 ms |  1.395 ms |  1.3559 ms |  1.441 ms |  1.00 |    0.02 |  10.73 KB |        1.00 |
| DefaultMutualHandshakeContextIPv4Async | Job-HPXMZE | /main/corerun  |  4.792 ms | 0.2019 ms | 0.2244 ms |  4.754 ms |  4.4838 ms |  5.289 ms |  3.44 |    0.17 |   6.27 KB |        0.58 |
| DefaultMutualHandshakeContextIPv6Async | Job-DZDDGH | /9.0.0/corerun |  1.398 ms | 0.0273 ms | 0.0256 ms |  1.394 ms |  1.3611 ms |  1.445 ms |  1.00 |    0.02 |  10.73 KB |        1.00 |
| DefaultMutualHandshakeContextIPv6Async | Job-HPXMZE | /main/corerun  |  4.716 ms | 0.0982 ms | 0.1091 ms |  4.686 ms |  4.5305 ms |  4.914 ms |  3.37 |    0.10 |   6.26 KB |        0.58 |
| DefaultHandshakeIPv4Async              | Job-DZDDGH | /9.0.0/corerun |  5.715 ms | 0.0660 ms | 0.0551 ms |  5.705 ms |  5.6337 ms |  5.832 ms |  1.00 |    0.01 |   9.66 KB |        1.00 |
| DefaultHandshakeIPv4Async              | Job-HPXMZE | /main/corerun  |  5.949 ms | 0.1222 ms | 0.1358 ms |  5.960 ms |  5.7571 ms |  6.177 ms |  1.04 |    0.03 |   9.67 KB |        1.00 |
| DefaultHandshakeIPv6Async              | Job-DZDDGH | /9.0.0/corerun |  5.904 ms | 0.1713 ms | 0.1904 ms |  5.835 ms |  5.6978 ms |  6.335 ms |  1.00 |    0.04 |   9.68 KB |        1.00 |
| DefaultHandshakeIPv6Async              | Job-HPXMZE | /main/corerun  |  5.862 ms | 0.1116 ms | 0.0932 ms |  5.828 ms |  5.7339 ms |  6.003 ms |  0.99 |    0.03 |   9.66 KB |        1.00 |
| DefaultMutualHandshakeIPv4Async        | Job-DZDDGH | /9.0.0/corerun | 10.854 ms | 0.2105 ms | 0.1969 ms | 10.804 ms | 10.5719 ms | 11.251 ms |  1.00 |    0.02 |  17.34 KB |        1.00 |
| DefaultMutualHandshakeIPv4Async        | Job-HPXMZE | /main/corerun  | 11.575 ms | 0.2257 ms | 0.2001 ms | 11.556 ms | 11.2971 ms | 11.996 ms |  1.07 |    0.03 |  17.18 KB |        0.99 |
| DefaultMutualHandshakeIPv6Async        | Job-DZDDGH | /9.0.0/corerun | 10.850 ms | 0.2151 ms | 0.2012 ms | 10.801 ms | 10.5470 ms | 11.177 ms |  1.00 |    0.03 |  17.36 KB |        1.00 |
| DefaultMutualHandshakeIPv6Async        | Job-HPXMZE | /main/corerun  | 11.306 ms | 0.2226 ms | 0.2475 ms | 11.337 ms | 10.8917 ms | 11.872 ms |  1.04 |    0.03 |  15.91 KB |        0.92 |
| DefaultHandshakePipeAsync              | Job-DZDDGH | /9.0.0/corerun |  5.901 ms | 0.1145 ms | 0.1125 ms |  5.894 ms |  5.7267 ms |  6.163 ms |  1.00 |    0.03 |   9.96 KB |        1.00 |
| DefaultHandshakePipeAsync              | Job-HPXMZE | /main/corerun  |  6.032 ms | 0.1747 ms | 0.2012 ms |  6.001 ms |  5.7647 ms |  6.430 ms |  1.02 |    0.04 |   9.98 KB |        1.00 |

The main branch is main excluding this change; 9.0.0 includes this PR and #103720. Notice mainly the Context benchmarks, and the (new, PR to be raised soon) DefaultMutualHandshakeContext* benchmarks, where the new TLS resume shines. The amount of allocations is a bit weird, I might look into these later when I have time.

@rzikm (Member, Author)

cc @stephentoub, @ManickaP, since this might look well in your future blog posts

@stephentoub (Member)

already on my list :)

rzikm reacted with heart emoji

karelz added this to the 9.0.0 milestone Jun 24, 2024
github-actions bot locked and limited conversation to collaborators Jul 25, 2024
bartonjs added the cryptographic-docs-impact label (Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release.) Aug 15, 2024
bartonjs added the tracking label (This issue is tracking the completion of other related issues.) Sep 10, 2024

Reviewers: vcsjones (left review comments), bartonjs (left review comments), wfurt (approved these changes)

Assignees: rzikm

Labels: area-System.Net.Security; cryptographic-docs-impact (Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release.); tracking (This issue is tracking the completion of other related issues.)

Projects: None yet

Milestone: 9.0.0

Development: Successfully merging this pull request may close these issues: Support TLS Resume with client certificates on Linux

7 participants: rzikm, wfurt, LoopedBard3, stephentoub, vcsjones, bartonjs, karelz
