Server side ALPN support for SslStream on Mac #27727
Comments
|
Thanks @wfurt. Did you get chance to contact Apple and make them aware of this gap? Is there a link to the case? |
|
@wfurt ping |
|
It’s possible this is resolved in other networking APIs? https://forums.developer.apple.com/thread/116193 |
|
I could not find any reasonable documentation. From the post, I'm not sure how the negotiation would work. |
|
Did you try the C nwcat sample referenced at the bottom of that thread? You can download the sample at https://developer.apple.com/documentation/network/implementing_netcat_with_network_framework and tweak it following that post’s instructions? It’s sparsely documented, but there are C language symbols and searching for these online should reveal other samples on Github, etc. https://developer.apple.com/documentation/network/c-language_symbols To clarify, given deprecation of other networking stacks it’s extremely unlikely Apple will do anything more than bug fixes to the existing APIs other than Network.framework. I’d suggest a third-party SSL library if you can’t get Network.framework going. :) There’s a video describing the framework here: https://developer.apple.com/videos/play/wwdc2018/715/ There should also be documented C headers floating around in SDKs or you can find them copied online in places. |
|
There is new API on Mac Catalina that we should explore if it helps. |
fails on Catalina, final release 10.15 (19A583) |
|
I believe that is an explicit error designed to provide feedback about the problem. TLS + HTTP/2 + macOS = error. TLS is not being attempted. To properly test you would need to disable the check. |
|
Failure is expected at the moment, SslStream as not been updated yet to call the new macOS API. |
|
At this point it is not even clear if use of new API would be feasible. as @Tratcher mentioned, there is no change until SslStream (and this issues) is fixed. |
|
Would it be possible to use OpenSSL on MacOS instead of Network.framework? OpenSSL is already used for Linux so the implementation could be reused. Maybe offer an alternative build. |
|
We used to do that. But that brings another set of issues - like lack of OS integration for certificate management. That seems more important than server ALPN. If this is critical for somebody you can always run it in Linux container with openssl. |
|
I also ran into this issue. This means that the gRPC template/sample does not work out of the box on Mac? |
Correct, you'll get a specific exception to that effect. |
|
Are there any progress on this? |
|
not at the moment. This may get to 6.0 but it requires to re-write PAL to use new API so it is significant chunk of work. |
|
Are there are plans to investigate this in .NET 6? No TLS on macOS is a point of friction, particularly for gRPC apps. |
|
It is low on team priority @JamesNK so I would not put much hope in 6.0. The effort is significant and resources sparse. If you think this is important convince stakeholders. |
|
I did some investigation into this when doing the iOS TLS bring-up work. The current TLS implementation uses Security.framework which is deprecated. Underneath the Security.framework with public API there's a coreTLS library with private API. Both of them are open source and the Security APIs are deprecated. In theory there's some ALPN support in there, even for the server side, but in practice it's broken on the coreTLS layer. The code parsing Client Hello messages is missing ALPN code path which in turns prevents getting the peer's ALPN data. Thanks to @wfurt's earlier efforts .NET has managed TLS frame parser that could be used to retrieve the ALPN data and then select the correct protocols to send back in the Server Hello. I successfully got that part running locally. Unfortunately coreTLS is unable to send the ALPN data back either. When coreTLS encodes the Server Hello packet it checks the The newer Network.framework APIs are considerably more high level. One basically tells the framework how to stack the protocols and then make the connection. It is thus impossible to use TLS without a transport protocol such as TCP, UDP or domain sockets. There are some APIs to set the transport protocol but I was unable to make it work with any custom protocol. In fact, there's no way to create a custom protocol except for a "framer" one which is designed to frame application-level protocols and not transport level ones. Other frameworks (Python, Ruby, QT) which implement similar abstraction as It's possible to use the "framer" custom protocol to high jack the TLS traffic before it reaches the transport protocol. Thus, in theory it's possible to create a dummy transport (eg. local domain socket) and get the Network framework to do TLS handshake on top of it and intercept all the traffic. Trivial example is here. This is reasonably doable for the client-side flows. I was not able to achieve the same thing for the server-side handshake. Funnily enough, Apple are competing with themselves by maintaining the SwiftNIO framework that has its own TLS stack based on BoringSSL. 🤦🏻♂️ UPD: For completeness, Network framework also uses BoringSSL to implement the TLS layer. |
|
thanks for digging and good summary @filipnavara. The findings on Security.framework match my with my memory. |
|
Any progress on this? This issue makes development of GRPC on Mac where you need GRPC web pretty much unusable. As I've discovered in other threads, that's because browsers do not implement h2c. |
|
Not really. It is on 7.x list but as @filipnavara and other look into the integration will be probably difficult (or impossible) because of structural differences. |
|
H/3 isn’t an option for me right now. I’ll experiment with the VS code remote container stuff and see if that will suffice for now. |
|
Yeah, it looks like the dev container capabilities of VS Code will work well and do what I need for local development. Seems to work pretty well. |
|
Is there any roadmap update to when this might happen? Local dev of gRPC and MacOS is pretty sub-par with the only workaround currently to manually disable security features and to toggle this code snippet with directives. Would love to see 1st class support for this experience while programming on Mac OS |
|
Agree, we need to revisit the plan here, even if it's just for development purposes. cc @JamesNK |
|
The consensus so far is that it is not possible with available macOS API. That leaves IMHO alternative with OpenSSL backend or HTTP/3. (that gives gRPC without dependency on SslStream) |
|
Are there any disadvantages to advising macOS users to use NGINX to handle SSL and |
|
I have no idea what the workload would be like, but would this be something worth making a Microsoft specific fork of OpenSSL for so support could be added? Google forked OpenSSL for Chrome to make the kinds of changes they needed so this kind of thing would not be unique. |
HTTP/2 not HTTP/3. I'm thinking OpenSSL on MacOS supported for development scenarios only for gRPC as a way to scope the work/support. |
|
do we have any updates here? .net 7 is right around the corner and as a Mac user, I would surely love to remove the |
|
.NET 7 has changed nothing, we're making plans for .NET 8 to solve this. |
|
triage: we should investigate for 8.0 |
ghost
added
the
in-pr
ghost
removed
the
in-pr
|
I've filed dotnet/aspnetcore#45569 to track this on our side. |
|
Very cool @wfurt ! |
This is follow-up on #26534
SSL API on OSX/MacOS does not provide sufficient functionality to implement server side ALPN.
That is primarily missing code to parse client hello in SSLProcessClientHelloExtensions() and callback (or some other mechanism) for server to choose from provided list.
The text was updated successfully, but these errors were encountered: