CipherSuitePolicy implementation#36775
Conversation
8370757 to
60e1235
Compare
|
Azure Pipelines successfully started running 3 pipeline(s), but failed to run 1 pipeline(s). |
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s), but failed to run 1 pipeline(s). |
src/System.Net.Security/src/System/Net/Security/CipherSuitesPolicy.Linux.cs
Outdated
Show resolved
Hide resolved
src/System.Net.Security/src/System/Net/Security/CipherSuitesPolicyPal.Linux.cs
Outdated
Show resolved
Hide resolved
| ret &= SSL_CTX_set_ciphersuites(ctx, cipherSuites); | ||
| } | ||
| #else | ||
| (void)cipherSuites; |
There was a problem hiding this comment.
Should this be ret &= (cipherSuites == NULL);? (aka fail if cipherSuites made it this far?)
There was a problem hiding this comment.
the code was initially written with working on lower than 1.1.1 in mind (the only issue with that is we would have to have IANA -> OpenSSL string mapping somewhere since SSL_CIPHER_find is not available), assuming we got here and TLS 1.3 is not supported then setting 1.3 cipher suites will have no effect anyway since we already would have failed when setting < 1.3 cipher suites.
| Ssl.SslCtxSetQuietShutdown(innerContext); | ||
|
|
||
| if (!Ssl.SetEncryptionPolicy(innerContext, policy)) | ||
| byte[] cipherList = |
There was a problem hiding this comment.
Should Debug.Assert that these are null terminated.
There was a problem hiding this comment.
I already do the checks inside ShouldOptOutOfTls13 and ShouldOptOutOfLowerThanTls13 but can add another one
| else | ||
| { | ||
| // iOS, tvOS, watchOS | ||
| SSLCipherSuite* cipherSuites16 = (SSLCipherSuite*)malloc(sizeof(SSLCipherSuite) * (size_t)numCipherSuites); |
There was a problem hiding this comment.
Return value of malloc should be checked against nullptr for OOM conditions. (And honestly it's best practice to use calloc instead of malloc.)
There was a problem hiding this comment.
agree on OOM, for calloc comment: we fill it out anyway instruction later so not sure why use calloc - we will double initialize
There was a problem hiding this comment.
This isn't a hot code path, so not concerned about double-initialization. In general the primary benefit of calloc is that you avoid possible integer overflow when computing the total required byte size. I can't imagine this particular call would overflow, but it's a good habit to get in to.
|
Do we need to react to this change in Kestrel? |
|
Yes, exposing this API: https://github.com/dotnet/corefx/pull/36775/files#diff-bd768ea3857573965e853e2ce2563434R134 HTTP/2 is supposed to restrict ciphers. I'll file it. dotnet/aspnetcore#9349 |
|
Was there any discussion for implementing a deny list as well? That's what HTTP/2 calls for. |
Tons of discussions with the Windows team. We spent a long time discussing this API and what is best for all the platforms (Windows, Linux, etc.). This API and PR is the result of that long effort. Feel free to watch the API review on YouTube. :) |
|
@Tratcher it would be good if we could expose this entire type (if it makes sense) so we could avoid the property by property copy when new features are added. |
|
@Tratcher for blocking "bad" cipher suites you can simply only allow TLS 1.3 which only allows 5 "safe" cipher suites or specify a list explicitly. Current implementation is ready for adding more advanced filtering in the future: https://github.com/dotnet/corefx/blob/master/src/System.Net.Security/src/System/Net/Security/TlsCipherSuiteData.Lookup.tt - technically it should be possible to expose this as an external tool which generates CipherSuitesPolicy. |
|
This broke the official build: https://dev.azure.com/dnceng/internal/_build/results?buildId=154142 cc @safern |
|
If we're blocking official builds, we should back out the change ASAP. |
|
@karelz I'll try to address this right now since we don't have good CI coverage for this case |
|
@Tratcher check out api-approved date: 4/2: https://github.com/dotnet/corefx/issues/33809#event-2247491106 ... that's the one you're looking for ;) |
* CipherSuitePolicy implementation (Linux) * SSL_CIPHER_find * do not call TLS1.3 APIs on platforms which don't support it * Non-TLS1.3 specific tests are skipped when not enough cipher suites is enabled * clean ups * attempt to fix OSX * another attempt to fix OSX * missing define * address some feedback, try to fix test failures * portable build fix * do not call old set ciphers API when only TLS 1.3 is requested * apply feedback * add OSX implementation * fixes to OSX * explicit convert * use explicit SSLCipherSuite instead of uint16_t * random change to trigger CI * s/unsafe/fixed * fixes * random change to trigger CI * client ordering does not have to win * tests: AllowedCipherSuites, new CipherSuitesPolicy(null) * run AllowedCipherSuites tests only when CSP is supported * add summary on CipherSuitesPolicy * address feedback * move OS specific files to CipherSuitesPolicyPal * FALLBACK->LIGHTUP and remove local_ * do not call 1.1.1 function on non-portable build when lower openssl version is installed * get rid of warning that arg is unused * make CipherSuitesPolicyPal public members internal Commit migrated from dotnet/corefx@07f443b
Fixes: https://github.com/dotnet/corefx/issues/24588
Fixes: https://github.com/dotnet/corefx/issues/33809
Replacing: #36648 because CI doesn't work correctly with draft PRs
cc: @karelz @joshfree