Skip to content

[release/7.0] Fix server-side OCSP stapling on Linux #96808

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jan 16, 2024
Merged

[release/7.0] Fix server-side OCSP stapling on Linux #96808

merged 7 commits into from
Jan 16, 2024

Conversation

rzikm
Copy link
Member

@rzikm rzikm commented Jan 10, 2024
edited by wfurt
Loading

Backport of PR #96792, PR #96448, PR #90200 and PR #96972.

Fixes #96770, #96659 and #89907

Description

Regression: No, .NET 6 didn't have OCSP staple feature.
Customer: Internal partner team - blocking migration from Windows to Linux.

OCSP (Online Certificate Status Protocol) stapling is an optimization where instead of clients individually retrieving revocation status of the server certificate, server will fetch the OCSP response itself and send it to clients during connection handshake. The authenticity of the response is assured by a digital signature.

First bug in .NET 7.0+ ... An invalid response can get cached and the server would fail to refresh it. The server would then keep sending the old, cached and potentially malformed OCSP response. This bug is triggered when either:

Second bug in .NET 7.0+ ... Validation of OCSP response always fails when the method of "delegated signing" is used (delegated signing means that the OCSP response is signed by a special certificate delegated by the server certificate issuer).

  • Note that validation when receiving OCSP response on client-side is not affected by this bug and is extensively tested, only the server part is affected by the bug.
  • Server validating the OCSP response before sending it out is only to play nice and not send invalid OCSP responses out. This bug DOES NOT create security vulnerability because clients are expected to independently validate the OCSP response themselves.
    Fixed in main by PR Add entire issuer chain to trusted X509_STORE when stapling OCSP_Response #96792

The two issues mentioned above may lead to following undesired behaviors:

  • Server caches an invalid OCSP staple (e.g. error page due to OCSP server outage), and keeps sending it out.
  • Server stops refreshing the OCSP staple and keeps sending the old one even after its validity expired.
  • Server sends out OCSP staple which it does not consider valid

Customer Impact

Android clients cannot connect to .NET 7+ servers affected by this bug because the OCSP information may get outdated (and not refreshed) and Android 9+'s application default security restrictions don't allow HTTP connections by default.

Regression

No, sending OCSP staples from .NET servers is a new feature in .NET 7.

Testing

Locally reproduced affected scenario and extensively tested manually.

Customer validated private 7.0 bits.

There is extensive existing test coverage on client-side OCSP usage/validation. Missing E2E server-side automated test coverage is planned for upcoming weeks.

Risk

Small to medium. Code touched by this PR is not used in other code paths than OCSP, so only "Sending OCSP staples from a server" scenario is affected.

@ghost ghost assigned rzikm Jan 10, 2024
@rzikm rzikm changed the base branch from main to release/7.0-staging January 10, 2024 19:59
@ghost
Copy link

ghost commented Jan 10, 2024

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

@ghost
Copy link

ghost commented Jan 10, 2024

Tagging subscribers to this area: @dotnet/area-system-reflection-metadata
See info in area-owners.md if you want to be subscribed.

Issue Details

Fixes Issue

main PR

Description

Customer Impact

Regression

Testing

Risk

Package authoring signed off?

IMPORTANT: If this change touches code that ships in a NuGet package, please make certain that you have added any necessary package authoring and gotten it explicitly reviewed.

Author: rzikm
Assignees: rzikm
Labels:

area-System.Reflection.Metadata, new-api-needs-documentation
Milestone: -

@rzikm rzikm changed the title Ocsp-verify-fix-7.0 [release/7.0] Fix server-side OCSP stapling on Linux Jan 10, 2024
@ghost
Copy link

ghost commented Jan 10, 2024

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

Fixes Issue

main PR

Description

Customer Impact

Regression

Testing

Risk

Package authoring signed off?

IMPORTANT: If this change touches code that ships in a NuGet package, please make certain that you have added any necessary package authoring and gotten it explicitly reviewed.

Author: rzikm
Assignees: rzikm
Labels:

area-System.Net.Security, new-api-needs-documentation
Milestone: -

@rzikm
Copy link
Member Author

rzikm commented Jan 10, 2024

No *.ref assemblies were touched by this PR

@rzikm rzikm force-pushed the ocsp-verify-fix-7.0 branch from 578846a to abd4310 Compare January 10, 2024 21:45
This was referenced Jan 11, 2024
Closed
Closed
Closed
@karelz karelz added this to the 7.0.x milestone Jan 11, 2024
@karelz karelz added the os-linux Linux OS (any supported distro) label Jan 11, 2024
rzikm and others added 4 commits January 11, 2024 23:02
@rzikm
Recover from failed OCSP download. (dotnet#96448)
3eb695a 
* Recover from failed OCSP check.

* Add 5s back-off after failed OCSP querry
@vcsjones @rzikm
Do not OCSP staple invalid OCSP responses
947292d
@rzikm
Add entire issuer chain to trusted X509_STORE when validating OCSP_Re…
6271ab9 
…sponse

Code review feedback

More code review feedback

Update src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs

Co-authored-by: Jeremy Barton <jbarton@microsoft.com>

Fix compilation

Always include root certificate
@rzikm
Fix compilation
1efdf2b
@rzikm rzikm force-pushed the ocsp-verify-fix-7.0 branch from bc58611 to 1efdf2b Compare January 11, 2024 22:02
@carlossanlop
Copy link
Contributor

There was a generalized failure in the 7.0 branch which impacted this PR. I'm updating the branch so that your PR gets rebased to the latest bits.

@build-analysis build-analysis bot mentioned this pull request Jan 13, 2024
Closed
@rzikm rzikm marked this pull request as ready for review January 15, 2024 08:26
@rzikm rzikm requested a review from bartonjs January 15, 2024 08:26
@karelz karelz added the Servicing-consider Issue for next servicing release review label Jan 15, 2024
@rzikm
Copy link
Member Author

rzikm commented Jan 15, 2024

Build analysis shows that CI failures are either known or unrelated.

@karelz karelz added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Jan 16, 2024
@karelz
Copy link
Member

karelz commented Jan 16, 2024

Approved by Tactics (@SteveMCarroll) on 1/15 via email - label updated to Servicing-approved.

@rzikm rzikm mentioned this pull request Jan 16, 2024
Merged
@carlossanlop
Copy link
Contributor

@karelz @rzikm who can provide a sign-off? Are the CI failures unrelated?

@rzikm
Copy link
Member Author

rzikm commented Jan 16, 2024

CI failures are not related to the changes.

For code review I would like to wait for @bartonjs (together with the 8.0 PR).

We are also considering adding #96972 to this, it's a oneliner which fixes a very unlikely scenario. I know this is last-minute, but this change would probably not pass servicing on its own.

@rzikm rzikm requested a review from wfurt January 16, 2024 19:25
wfurt
wfurt approved these changes Jan 16, 2024
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rzikm @wfurt
Don't shorten OCSP expriation on failed server OCSP fetch (dotnet#96972)
64c9417 
* Don't shorten OCSP expriation on failed server OCSP fetch

* Code review feedback
@rzikm rzikm merged commit 7a97ad4 into dotnet:release/7.0-staging Jan 16, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Feb 16, 2024
@karelz karelz modified the milestones: 7.0.x, 7.0.16 Jun 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@carlossanlop carlossanlop carlossanlop left review comments

@wfurt wfurt wfurt approved these changes

@bartonjs bartonjs bartonjs approved these changes

Assignees

@rzikm rzikm

Labels
area-System.Net.Security os-linux Linux OS (any supported distro) Servicing-approved Approved for servicing release
Projects
None yet
Milestone
7.0.16
Development

Successfully merging this pull request may close these issues.
6 participants
@rzikm @carlossanlop @karelz @bartonjs @wfurt @vcsjones