[release/7.0] Fix native memory leak on OCSP_Response #96578
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
Issue Details
Backport of #96561 to release/7.0-staging
/cc @rzikm
Customer Impact
Testing
Risk
IMPORTANT: If this backport is for a servicing release, please verify that:
@rzkim - Friendly reminder that Tuesday January 16th 4pm is the Code Complete deadline for the February Release. If all requirements are met, please merge your PR before that date and time to ensure this fix gets included in that Release.
Approved by Tactics (@SteveMCarroll) on 1/15 via email - label updated to Servicing-approved.
CI failure is unrelated (wasm)
Backport of #96561 to release/7.0-staging.
Fixes #96616.
/cc @rzikm
Customer Impact
Regression: Yes. After upgrading to .NET 7 or .NET 8, OCSP stapling is a new feature enabled by default (introduced by #67011), which also introduced the memory leak if the app uses the “right” APIs and the server supports OCSP.
Customer impact: 5 independent reports in the last 6 months. Hard-to-diagnose issue (took at least 1 engineering month just to root-cause).
Slow native memory leak under specific feature conditions (see below) leading to increased memory footprint and later application crash. Impacts service availability.
Affected scenario is a specific subset of client authentication during TLS connection:
LocalCertificateSelectionCallback to SslStream: HttpClientHandler (default handler for HttpClient)
SslClientAuthenticationOptions.ClientCertificatesCollection or SslClientAuthenticationOptions.ClientCertificateContext)
Testing
Tested on a small application which reproduced the memory leak. The leak is gone after this change.
Customer validation:
Risk
Low, one-line change.