KEMBAR78
improve handling of TLS certificates on Linux by wfurt · Pull Request #74695 · dotnet/runtime · GitHub
Skip to content

improve handling of TLS certificates on Linux #74695

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Sep 6, 2022
Merged

improve handling of TLS certificates on Linux #74695

merged 10 commits into from
Sep 6, 2022

Conversation

@wfurt
Copy link
Member

@wfurt wfurt commented Aug 27, 2022

I bump to this when looking at memory use on Linux.
There re two parts:
On server the PeerCertificate would typically be null. Current marshaling would allocate SafeX509Handle in invalid state. And then we would would wrap in SafeFreeCertContext just to find out there is no certificate.

To solve that I added custom marshaling (big thanks to @jkoritzinsky for guidance)
I tried generic on but failed (#74694) so this not has marshaling just for the certificates.

On client we would typically get valid certificate.
We get the SafeX509Handle, then we wrap it in SafeFreeCertContext just to call DangerousGetHandle().
I'm wondering if we even need SafeHandle here but using two seems obsessive. For now, I use SafeX509Handle in pattern similar as before with SafeFreeCertContext gone.

I would be curious if there is better way @bartonjs.

@wfurt wfurt added area-System.Net.Security os-linux Linux OS (any supported distro) labels Aug 27, 2022
@wfurt wfurt self-assigned this Aug 27, 2022
@ghost
Copy link

ghost commented Aug 27, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

I bump to this when looking at memory use on Linux.
There re two parts:
On server the PeerCertificate would typically be null. Current marshaling would allocate SafeX509Handle in invalid state. And then we would would wrap in SafeFreeCertContext just to find out there is no certificate.

To solve that I added custom marshaling (big thanks to @jkoritzinsky for guidance)
I tried generic on but failed (#74694) so this not has marshaling just for the certificates.

On client we would typically get valid certificate.
We get the SafeX509Handle, then we wrap it in SafeFreeCertContext just to call DangerousGetHandle().
I'm wondering if we even need SafeHandle here but using two seems obsessive. For now, I use SafeX509Handle in pattern similar as before with SafeFreeCertContext gone.

I would be curious if there is better way @bartonjs.

Author: wfurt
Assignees: wfurt
Labels:

area-System.Net.Security, os-linux
Milestone: -

stephentoub
stephentoub approved these changes Sep 6, 2022
View reviewed changes
Copy link
Member

@stephentoub stephentoub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks.

@wfurt wfurt changed the title improve hanling of TLS certificates on Linux improve handling of TLS certificates on Linux Sep 6, 2022
@wfurt wfurt merged commit 029bc7f into dotnet:main Sep 6, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Oct 6, 2022
@karelz karelz added this to the 8.0.0 milestone Mar 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jkoritzinsky jkoritzinsky jkoritzinsky left review comments

@jkotas jkotas jkotas left review comments

@stephentoub stephentoub stephentoub approved these changes

@bartonjs bartonjs bartonjs approved these changes

@rzikm rzikm Awaiting requested review from rzikm

Assignees

@wfurt wfurt

Labels

area-System.Net.Security os-linux Linux OS (any supported distro)

Projects

None yet

Milestone

8.0.0

Development

Successfully merging this pull request may close these issues.

6 participants

@wfurt @jkoritzinsky @stephentoub @jkotas @bartonjs @karelz