improve handling of handshake failure

src/libraries/System.Net.Security/src/Resources/Strings.resx

@@ -212,6 +212,9 @@
   <data name="net_auth_eof" xml:space="preserve">
     <value>Authentication failed because the remote party has closed the transport stream.</value>
   </data>
+  <data name="net_auth_tls_alert" xml:space="preserve">
+    <value>Authentication failed because the remote party has sent TLS alert {0}.</value>
+  </data>
   <data name="net_auth_alert" xml:space="preserve">
     <value>Authentication failed on the remote side (the stream might still be available for additional authentication attempts).</value>
   </data>

src/libraries/System.Net.Security/src/System.Net.Security.csproj

@@ -34,6 +34,7 @@
     <Compile Include="System\Net\Security\StreamSizes.cs" />
     <Compile Include="System\Net\Security\TlsAlertType.cs" />
     <Compile Include="System\Net\Security\TlsAlertMessage.cs" />
+    <Compile Include="System\Net\Security\TlsFrameHelper.cs" />
     <Compile Include="System\Security\Authentication\AuthenticationException.cs" />
     <!-- NegotiateStream -->
     <Compile Include="System\Net\BufferAsyncResult.cs" />

src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs

@@ -625,7 +625,7 @@ private bool AcquireClientCredentials(ref byte[]? thumbPrint)
         //
         // Acquire Server Side Certificate information and set it on the class.
         //
-        private bool AcquireServerCredentials(ref byte[]? thumbPrint, ReadOnlySpan<byte> clientHello)
+        private bool AcquireServerCredentials(ref byte[]? thumbPrint)
         {
             if (NetEventSource.IsEnabled)
                 NetEventSource.Enter(this);
@@ -639,13 +639,13 @@ private bool AcquireServerCredentials(ref byte[]? thumbPrint, ReadOnlySpan<byte>
             // with .NET Framework), and if neither is set we fall back to using ServerCertificate.
             if (_sslAuthenticationOptions.ServerCertSelectionDelegate != null)
             {
-                string? serverIdentity = SniHelper.GetServerName(clientHello);
-                localCertificate = _sslAuthenticationOptions.ServerCertSelectionDelegate(serverIdentity);
-
+                localCertificate = _sslAuthenticationOptions.ServerCertSelectionDelegate(_sslAuthenticationOptions.TargetHost);
                 if (localCertificate == null)
                 {
                     throw new AuthenticationException(SR.net_ssl_io_no_server_cert);
                 }
+                if (NetEventSource.IsEnabled)
+                    NetEventSource.Info(this, "Use delegate selected Cert");
             }
             else if (_sslAuthenticationOptions.CertSelectionDelegate != null)
             {
@@ -784,7 +784,7 @@ private SecurityStatusPal GenerateToken(ReadOnlySpan<byte> inputBuffer, ref byte
                     if (_refreshCredentialNeeded)
                     {
                         cachedCreds = _sslAuthenticationOptions.IsServer
-                                        ? AcquireServerCredentials(ref thumbPrint, inputBuffer)
+                                        ? AcquireServerCredentials(ref thumbPrint)
                                         : AcquireClientCredentials(ref thumbPrint);
                     }
 

src/libraries/System.Net.Security/src/System/Net/Security/SniHelper.cs

@@ -26,13 +26,13 @@ internal class SniHelper
             //     opaque fragment[SSLPlaintext.length];
             // } SSLPlaintext;
             const int ContentTypeOffset = 0;
-            const int ProtocolVersionOffset = ContentTypeOffset + sizeof(ContentType);
+            const int ProtocolVersionOffset = ContentTypeOffset + sizeof(TlsContentType);
             const int LengthOffset = ProtocolVersionOffset + ProtocolVersionSize;
             const int HandshakeOffset = LengthOffset + sizeof(ushort);
 
             // SSL v2's ContentType has 0x80 bit set.
             // We do not care about SSL v2 here because it does not support client hello extensions
-            if (sslPlainText.Length < HandshakeOffset || (ContentType)sslPlainText[ContentTypeOffset] != ContentType.Handshake)
+            if (sslPlainText.Length < HandshakeOffset || (TlsContentType)sslPlainText[ContentTypeOffset] != TlsContentType.Handshake)
             {
                 return null;
             }
@@ -62,10 +62,10 @@ internal class SniHelper
             //     } body;
             // } Handshake;
             const int HandshakeTypeOffset = 0;
-            const int ClientHelloLengthOffset = HandshakeTypeOffset + sizeof(HandshakeType);
+            const int ClientHelloLengthOffset = HandshakeTypeOffset + sizeof(TlsHandshakeType);
             const int ClientHelloOffset = ClientHelloLengthOffset + UInt24Size;
 
-            if (sslHandshake.Length < ClientHelloOffset || (HandshakeType)sslHandshake[HandshakeTypeOffset] != HandshakeType.ClientHello)
+            if (sslHandshake.Length < ClientHelloOffset || (TlsHandshakeType)sslHandshake[HandshakeTypeOffset] != TlsHandshakeType.ClientHello)
             {
                 return null;
             }
@@ -363,16 +363,6 @@ private static Encoding CreateEncoding()
             return Encoding.GetEncoding("utf-8", new EncoderExceptionFallback(), new DecoderExceptionFallback());
         }
 
-        private enum ContentType : byte
-        {
-            Handshake = 0x16
-        }
-
-        private enum HandshakeType : byte
-        {
-            ClientHello = 0x01
-        }
-
         private enum ExtensionType : ushort
         {
             ServerName = 0x00