You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is backport of PR #88488 and PR #79128 and parts of PR #63945.
It also brings spirit of test-only PR #68009 to get test coverage for TLS 1.3.
This only covers Windows to minimize the code delta i.e. it does not bring all the changes from PR #63945 to cover Linux & macOS.
Customer Impact
The property IsMutuallyAuthenticated on SslStream indicates if mutual TLS authentication is performed with client certificate. Current 6.0 implementation can get confused in several cases, so the value is unreliable for security audits.
Testing
This brings all the current tests from 8.0 branch.
Customer validated on private bits in production - neither functional, nor perf regression.
Risk
Medium.
While the change is quite large, it should be specific just to that property i.e. it should not impact TLS handshake or any other I/O on SslStream. Since the IsMutuallyAuthenticated is already unreliable this should bring it up to 8.0 code base to fix all known cases when it is incorrect. To reduce complexity, this fixes only Windows as macOS & Linux changes from PR #68009 had more significant impact on functionality and flow.
@wfurt please send an email to Tactics requesting approval and add the servicing-consider label. I couldn't find an email yet. We still have time to include this in the November release.
@carlossanlop we will bring it in for December. We need to prepare also 7.0 backport - fixing only 6.0 would be weird. And as you see from the delta, it is rather involved change, so I don't want to rush it.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
ghost
assigned 
wfurt
changed the title
carlossanlop
added
the
NO-MERGE
karelz
added
Servicing-consider
This is backport of PR #88488 and PR #79128 and parts of PR #63945.
It also brings spirit of test-only PR #68009 to get test coverage for TLS 1.3.
This only covers Windows to minimize the code delta i.e. it does not bring all the changes from PR #63945 to cover Linux & macOS.
Customer Impact
The property
IsMutuallyAuthenticatedonSslStreamindicates if mutual TLS authentication is performed with client certificate. Current 6.0 implementation can get confused in several cases, so the value is unreliable for security audits.Testing
This brings all the current tests from 8.0 branch.
Customer validated on private bits in production - neither functional, nor perf regression.
Risk
Medium.
While the change is quite large, it should be specific just to that property i.e. it should not impact TLS handshake or any other I/O on
SslStream. Since theIsMutuallyAuthenticatedis already unreliable this should bring it up to 8.0 code base to fix all known cases when it is incorrect. To reduce complexity, this fixes only Windows as macOS & Linux changes from PR #68009 had more significant impact on functionality and flow.