Skip to content

Add support for processing Unified TLS frames #69848

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wfurt merged 2 commits into from
Jun 8, 2022
Merged

Add support for processing Unified TLS frames #69848

wfurt merged 2 commits into from
Jun 8, 2022

Conversation

@wfurt
Copy link
Member

@wfurt wfurt commented May 26, 2022

This is mix of #68425, dotnet/yarp#1656 and reaction to #64322.

Unified parsing works only on Windows as legacy and allows (old) clients to send TLS frame encoded in Ssl2 format.
All we really need is to process first frame. Server should respond back with "normal" TLS e.g. all the framing and processing removed in #64322 is really not needed.

Since the header size is now variable, I changed TlsFrameHelper to return length of the TLS frame instead of just length of the inner payload.

Since we don't have good way how to generate real traffic, I added test that injects legacy ClientHello and verifies that we get back ServerHello instead of failure.

fixes #68310

@wfurt wfurt requested a review from a team May 26, 2022 09:58
@wfurt wfurt self-assigned this May 26, 2022
@ghost
Copy link

ghost commented May 26, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

This is mix of #68425, dotnet/yarp#1656 and reaction to #64322.

Unified parsing works only on Windows as legacy and allows (old) clients to send TLS frame encoded in Ssl2 format.
All we really need is to process first frame. Server should respond back with "normal" TLS e.g. all the framing and processing removed in #64322 is really not needed.

Since the header size is now variable, I changed TlsFrameHelper to return length of the TLS frame instead of just length of the inner payload.

Since we don't have good way how to generate real traffic, I added test that injects legacy ClientHello and verifies that we get back ServerHello instead of failure.

fixes #68310

Author: wfurt
Assignees: wfurt
Labels:

area-System.Net.Security
Milestone: -

@karelz karelz requested a review from rzikm June 7, 2022 16:18
@rzikm
Copy link
Member

rzikm commented Jun 8, 2022

/azp run runtime

@rzikm
Copy link
Member

rzikm commented Jun 8, 2022

/azp run runtime-libraries-coreclr outerloop

@azure-pipelines
Copy link

azure-pipelines bot commented Jun 8, 2022

Azure Pipelines successfully started running 1 pipeline(s).

1 similar comment
@azure-pipelines
Copy link

azure-pipelines bot commented Jun 8, 2022

Azure Pipelines successfully started running 1 pipeline(s).

rzikm
rzikm approved these changes Jun 8, 2022
View reviewed changes
Copy link
Member

@rzikm rzikm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@wfurt
Copy link
Member Author

wfurt commented Jun 8, 2022

test failures are unrelated to SslStream.

@wfurt wfurt merged commit eea8673 into dotnet:main Jun 8, 2022
@wfurt wfurt deleted the unified branch June 8, 2022 11:39
@ghost ghost locked as resolved and limited conversation to collaborators Jul 8, 2022
@karelz karelz added this to the 7.0.0 milestone Jul 19, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@rzikm rzikm rzikm approved these changes

Assignees

@wfurt wfurt

Labels

area-System.Net.Security

Projects

None yet

Milestone

7.0.0

Development

Successfully merging this pull request may close these issues.

CertificateSelection callback is not called when client use Unified framing

3 participants

@wfurt @rzikm @karelz