Delayed client certificate

[aik-jahoda]

Ads support for retrieve client certificate on secure connection.

• Add support for linux
• No support for mac
• The Tls 1.3 PHA is not implemented in this PR
• Currently works on the OpenSSL 1.1 and not 1.0

Contributes to #49346

[ghost]

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, to please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Author:	aik-jahoda
Assignees:	-
Labels:	area-System.Net.Security, new-api-needs-documentation
Milestone:	-

[wfurt]

I see lot of test failures when running locally on Windows 10 box.

[aik-jahoda]

/azp run runtime-libraries-coreclr outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[aik-jahoda]

/azp run runtime

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[aik-jahoda]

cc @geoffkizer

[geoffkizer]

This seems similar to the existing logic in ForceAuthenticationAsync. Can we share the logic so it isn't duplicated?

I also wonder about some cases that ForceAuthenticationAsync is handling which aren't handled here, like transferring any additional buffered read data to the _internalBuffer.

[wfurt]

I added the missing handling of _internalBuffer. I agree about the similarity but I would like to let re-factoring for and consolidation for follow up work so we can get the base functionality in.

[geoffkizer]

Feedback above

[wfurt]

contributes to #49346

I addressed all the functional feedback and this is ready for another pass @geoffkizer.
I'm proposing to hold on the refactoring/consolidation after the feature cutoff and after @aik-jahoda get back.

Currently this will work only with OpenSSL 1.1.1 and older versions have some problems.
We will probably investigate before 6.0 ships and I'm leaving #49346 open for now.

[aik-jahoda]

@wfurt thanks for hand over, the changes LGTM

[karelz]

@wfurt we should create new tracking issue/bug for lower OpenSSL versions ...

@geoffkizer will you be able to finish code review to hit the checkin date tomorrow?

[wfurt]

Core parts looks ok to.

[wfurt]

We still have #49346 open so we can use it track the progress. I think we can investigate older version little bit more and either fix it if easy, leave the issue open or create new one or throw PNSP.

[aik-jahoda]

Tested following configuration:

• .net SslStream authenticated as server - openssl 1.0.0t.
• openssl s_clients (non .net): OpenSSL 1.0.0t, OpenSSL 1.1.1k, OpenSSL 3.0.0-beta1
  The above configuration works as expected.

I think we can investigate older version little bit more and either fix it if easy, leave the issue open or create new one or throw PNSP.

SslStream authenticated as client was without change, throwing PNSE (when using openssl version smaller than 1.1.1) would

1. be breaking change
2. not nice as the exception would be triggered by server (when requesting certificate) and would depends on server. Instead client shouldn't ignore server HELLO request.