Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ignore name mismatch when IgnoreInvalidName is set #73745

Merged
merged 8 commits into from
Aug 13, 2022
Merged

ignore name mismatch when IgnoreInvalidName is set #73745

merged 8 commits into from
Aug 13, 2022

Conversation

wfurt
Copy link
Member

@wfurt wfurt commented Aug 11, 2022

contributes to #71191, adds test for issue fixed by #72326

I bump to this when I was trying to improve test coverage and I wanted to override authentication errors using newly added policy.
The spirit of #71191 was ability to override inside SslStream validation magic to customize validation.
While the name validation is out of the Chain itself, I hook it up so X509VerificationFlags.IgnoreInvalidName flag is respected.

Aside from this, this plugs some test gaps.
GenerateCertificates did come from SslStream and Quic start using it as convenience.
I did not want to add another project reference to HTTP so I moved it to Common and updated Quic and Http to use it.
I will follow-up for SslStream but I did not want to make this change too big.

@wfurt wfurt requested a review from a team August 11, 2022 04:54
@wfurt wfurt self-assigned this Aug 11, 2022
@ghost
Copy link

ghost commented Aug 11, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

contributes to #71191, adds test for issue fixed by #72326

I bump to this when I was trying to improve test coverage and I wanted to override authentication errors using newly added policy.
The spirit of #71191 was ability to override inside SslStream validation magic to customize validation.
While the name validation is out of the Chain itself, I hook it up so X509VerificationFlags.IgnoreInvalidName flag is respected.

Aside from this, this plugs some test gaps.
GenerateCertificates did come from SslStream and Quic start using it as convenience.
I did not want to add another project reference to HTTP so I moved it to Common and updated Quic and Http to use it.
I will follow-up for SslStream but I did not want to make this change too big.

Author: wfurt
Assignees: wfurt
Labels:

area-System.Net.Security
Milestone: -

rzikm
rzikm approved these changes Aug 11, 2022
View reviewed changes
Copy link
Member

@rzikm rzikm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some build errors but otherwise LGTM if fixed and clean CI

stephentoub
stephentoub reviewed Aug 11, 2022
View reviewed changes
src/libraries/Common/tests/System/Net/Configuration.Certificates.cs Outdated
using (X509Store store = new X509Store(storeName, StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadWrite);
foreach (X509Certificate2 cert in store.Certificates)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All of these need to be disposed of, right? Same for the iteration below.

stephentoub
stephentoub reviewed Aug 11, 2022
View reviewed changes
src/libraries/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs Outdated
@@ -3728,6 +3730,132 @@ public sealed class SocketsHttpHandler_RequestContentLengthMismatchTest_Http3 :
protected override Version UseVersion => HttpVersion.Version30;
}

public abstract class SocketsHttpHandler_SslTest : HttpClientHandlerTestBase
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: SslTest => SslOptionsTest? (If you change it, also change the derived type names)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was not sure. The intention is to test security related functions e.g. SslStream, Quic & certificate handling...

@wfurt wfurt merged commit d54486e into dotnet:main Aug 13, 2022
@wfurt wfurt deleted the IgnoreInvalidName branch August 13, 2022 19:54
@wfurt wfurt mentioned this pull request Aug 13, 2022
Closed
@karelz karelz added this to the 7.0.0 milestone Aug 15, 2022
@simonrozsival simonrozsival mentioned this pull request Aug 17, 2022
Closed
@CarnaViire CarnaViire mentioned this pull request Aug 24, 2022
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Sep 14, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@stephentoub stephentoub stephentoub left review comments

@rzikm rzikm rzikm approved these changes

Assignees

@wfurt wfurt

Labels
area-System.Net.Security
Projects
None yet
Milestone
7.0.0
Development

Successfully merging this pull request may close these issues.
4 participants
@wfurt @stephentoub @rzikm @karelz