SslStream delayed client certificate with legacy OpenSSL #55761
Tagging subscribers to this area: @dotnet/ncl, @vcsjones
Issue Details: #54692 added support for It would be nice to re-test with OpenSSL 3.0 to make sure we did not use anything marked as deprecated or missing in 3.0.
related to #49346
Triage: We should add the PNSE and check OpenSSL 3.0 for 6.0 release.
Tested following configuration:
If we use SslStream client with OpenSSL 1.0.0/1.1.0, then it fails. SslStream authenticated as client is without change, throwing PNSE (when using openssl version smaller than 1.1.1) would
Triage: Given that we didn't throw PNSE in 5.0, but relied on server reaction to unsupported feature (e.g. refused connection, etc.), it is fine to keep it in 6.0 the same way for certain older OpenSSL versions (which are on older distros which in time will be out of support anyway). Close
#54692 added support for NegotiateClientCertificateAsync on Linux. This seems to work reliably only with OpenSSL 1.1.1 (current LTS). We should investigate the failures on older OpenSSL versions (1.0.0 and 1.1.0) and possibly throw PNSE. It would be nice to re-test with OpenSSL 3.0 to make sure we did not use anything marked as deprecated or missing in 3.0.