.Net Core SocketsHttpHandler with Client Certificates hangs on windows #26708

Closed
timmydo opened this issue Jul 5, 2018 · 10 comments

timmydo commented Jul 5, 2018

We're using certs from azure key vault. I'm not sure what it does to the certs, but it seems to cause the httpclient to hang and not send the request. I created a self signed cert below and uploaded/downloaded from AKV to repro.

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp2.1</TargetFramework>
  </PropertyGroup>

</Project>

using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

namespace SocketsHttpHandlerTest
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                DoIt().Wait();
            }
            catch (Exception e)
            {
                Console.WriteLine(e.ToString());
            }
            return;
        }

        private async static Task DoIt()
        {
            var cert = GetCert();
            var sslOptions = new SslClientAuthenticationOptions();
            var shHandler = new SocketsHttpHandler
            {
                MaxConnectionsPerServer = 100,
                AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate,
                PooledConnectionLifetime = TimeSpan.FromMinutes(1),
                ConnectTimeout = TimeSpan.FromSeconds(10),
                PooledConnectionIdleTimeout = TimeSpan.FromSeconds(10),
                ResponseDrainTimeout = TimeSpan.FromSeconds(10),
            };

            if (cert != null)
            {
                shHandler.SslOptions = new SslClientAuthenticationOptions()
                {
                    ClientCertificates = new X509CertificateCollection(),
                };

                shHandler.SslOptions.ClientCertificates.Add(cert);
                shHandler.SslOptions.LocalCertificateSelectionCallback = (object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers) => cert;
            }

            var client = new HttpClient(shHandler);
            client.Timeout = TimeSpan.FromSeconds(10);
            var request = new HttpRequestMessage(HttpMethod.Post, "https://login.live.com/pksecure/oauth20_clientcredentials.srf");
            request.Content = new StringContent("blah", System.Text.Encoding.UTF8, new MediaTypeHeaderValue("application/x-www-form-urlencoded").ToString());
            var response = await client.SendAsync(request);
            throw new Exception("code doesn't make it this far");
        }

        private static X509Certificate2 GetCert()
        {
            var fabrikam = "MIIKNgIBAzCCCfY…";
            var certBytes = Convert.FromBase64String(fabrikam);
            return new X509Certificate2(certBytes, string.Empty, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.EphemeralKeySet);
        }
    }
}

davidsh commented Jul 5, 2018

@bartonjs I think we've seen problems before with using certificates from Azure key vault.

Also, this code will produce an X509Certificate2 object that is missing the private key. I assume the Base64 here doesn't really have the private key. So, HttpClient won't be able to use it.

private static X509Certificate2 GetCert()
{
    var fabrikam = "MIIKNgIBAzCCCfY…";
    var certBytes = Convert.FromBase64String(fabrikam);
    return new X509Certificate2(certBytes, string.Empty, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.EphemeralKeySet);
}


bartonjs commented Jul 6, 2018

@davidsh I ran that snippet of code (using the real base64 value) and cert.HasPrivateKey is true. cert.GetRSAPrivateKey() returned a valid object with a KeySize value of 2048.


davidsh commented Jul 6, 2018

> and cert.HasPrivateKey is true.

Ok. Thanks. I didn't expect a repro to have a real private key with it. I'm assuming it is a test certificate of some kind.

As far as why it doesn't work, I think this has something to do with X509KeyStorageFlags.EphemeralKeySet. That doesn't work right now in .NET Framework or .NET Core in terms of being able to use it for client certificates in HttpClient. I think there is some SCHANNEL limitation with that.

@timmydo Can you use X509KeyStorageFlags.DefaultKeySet instead?


bartonjs commented Jul 6, 2018

SslStream + EphemeralKeySet is #23749.


timmydo commented Jul 6, 2018

Replacing the line with:

return new X509Certificate2(certBytes, string.Empty, X509KeyStorageFlags.DefaultKeySet);

fixes it. Would be nice if the original didn't lock up though... Thanks for the help!


davidsh commented Jul 6, 2018

Based on this discussion, this issue can be closed as a duplicate of #23749.

@davidsh davidsh closed this as completed Jul 6, 2018
@stephentoub

@davidsh, that other issue appeared to manifest as exceptions. This one is manifesting as a hang, where the SendAsync doesn't complete, even after cancellation is requested and the connection is disposed. Do we understand why? Seems like there may be a secondary issue here.


davidsh commented Jul 19, 2018

It's hanging due to a different bug (not fully root caused) in SocketsHttpHandler.

Looking briefly in Visual Studio, I see an exception happening during TLS/SSL setup, probably due to the use of the EphemeralKeySet:

'System.ComponentModel.Win32Exception' in System.Net.Security.dll ("No credentials are available in the security package") | System.ComponentModel.Win32Exception

Callstack:

System.Net.Security.dll!System.Net.SSPIWrapper.AcquireCredentialsHandle(System.Net.SSPIInterface secModule = {unknown}, string package = {unknown}, CredentialUse intent = {unknown}, SCHANNEL_CRED scc = {unknown})	C#
 	System.Net.Security.dll!<>c__DisplayClass23_0.AnonymousMethod()	C#
 	System.Security.Principal.Windows.dll!<>c__DisplayClass58_0`1.AnonymousMethod()	C#
 	System.Security.Principal.Windows.dll!<>c__DisplayClass62_0.AnonymousMethod(System.Object <p0> = {unknown})	C#
 	System.Private.CoreLib.dll!System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext executionContext = {unknown}, System.Threading.ContextCallback callback = {unknown}, System.Object state = {unknown})	C#
 	System.Security.Principal.Windows.dll!System.Security.Principal.WindowsIdentity.RunImpersonatedInternal(Microsoft.Win32.SafeHandles.SafeAccessTokenHandle token = {unknown}, System.Action action = {unknown})	C#
 	System.Security.Principal.Windows.dll!System.Security.Principal.WindowsIdentity.RunImpersonated(Microsoft.Win32.SafeHandles.SafeAccessTokenHandle safeAccessTokenHandle = {unknown}, System.Func func = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage = {unknown}, SCHANNEL_CRED secureCredential = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslStreamPal.AcquireCredentialsHandle(System.Security.Cryptography.X509Certificates.X509Certificate certificate = {unknown}, System.Security.Authentication.SslProtocols protocols = {unknown}, System.Net.Security.EncryptionPolicy policy = {unknown}, bool isServer = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SecureChannel.AcquireClientCredentials(ref byte[] thumbPrint = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SecureChannel.GenerateToken(byte[] input = {unknown}, int offset = {unknown}, int count = {unknown}, ref byte[] output = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SecureChannel.NextMessage(byte[] incoming = {unknown}, int offset = {unknown}, int count = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslState.StartSendBlob(byte[] incoming = {unknown}, int count = {unknown}, System.Net.AsyncProtocolRequest asyncRequest = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslState.ProcessReceivedBlob(byte[] buffer = {unknown}, int count = {unknown}, System.Net.AsyncProtocolRequest asyncRequest = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslState.StartReadFrame(byte[] buffer = {unknown}, int readBytes = {unknown}, System.Net.AsyncProtocolRequest asyncRequest = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslState.PartialFrameCallback(System.Net.AsyncProtocolRequest asyncRequest = {unknown})	C#
 	System.Net.Security.dll!System.Net.AsyncProtocolRequest.CompleteRequest(int result = {unknown})	C#
 	System.Net.Security.dll!<ReadPacketAsync>d__1.MoveNext()	C#
 	System.Private.CoreLib.dll!System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext executionContext = {unknown}, System.Threading.ContextCallback callback = {unknown}, System.Object state = {unknown})	C#
 	System.Private.CoreLib.dll!AsyncStateMachineBox`1.MoveNext()	C#
 	System.Net.Sockets.dll!AwaitableSocketAsyncEventArgs.InvokeContinuation(System.Action<System.Object> continuation = {unknown}, System.Object state = {unknown}, bool forceAsync = {unknown})	C#
 	System.Net.Sockets.dll!AwaitableSocketAsyncEventArgs.OnCompleted(System.Net.Sockets.SocketAsyncEventArgs _ = {unknown})	C#
 	System.Net.Sockets.dll!System.Net.Sockets.SocketAsyncEventArgs.FinishOperationAsyncSuccess(int bytesTransferred = {unknown}, System.Net.Sockets.SocketFlags flags = {unknown})	C#
 	System.Net.Sockets.dll!<>c.AnonymousMethod(uint errorCode = {unknown}, uint numBytes = {unknown}, System.Threading.NativeOverlapped* nativeOverlapped = {unknown})	C#

Most likely this exception is being eaten and this is why the task is hanging (doesn't terminate with error).

@davidsh davidsh reopened this Jul 19, 2018

davidsh commented Jul 19, 2018

> It's hanging due to a different bug (not fully root caused) in SocketsHttpHandler.

This looks like a bug in SslStream as well. The exception I show above is caused during a Re-negotiate of the TLS connection. Basically, the initial TLS connection works because client certificates are not requested right away. Then SocketsHttpHandler thinks the TLS connection is good and starts preparing to write request headers, etc.

Afterwards the server decides to do the TLS re-negotiate and ask for client certificates. This is a common pattern that usually happens after the client makes an initial HTTP request specifying the exact path of the resource. It is at this point that the TLS stream breaks because the client certificate can't be read/sent to the server (due to the EphemeralKeySet). The first exception thrown "No credentials are available in the security package" is lost in SslStream and then the SslStream gets disposed. But all of this seems invisible to SocketsHttpHandler which isn't kept aware of the state of the connection.

The first problem that needs to be solved is to properly expose the initial exception generated by the re-negotiate of the SslStream. Then the rest of the error handling needs to be fixed as well to propagate this info to the SocketsHttpHandler (and other callers).


davidsh commented Apr 20, 2019

I am able to reproduce this hang with .NET Core 2.2.

However, in .NET Core 3.0 current master (and Preview4), the hang does not occur. I get an exception:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.IO.IOException: The read operation failed, see inner exception. ---> System.ComponentModel.Win32Exception: No credentials are available in the security package

Stacktrace:

System.AggregateException: One or more errors occurred. (An error occurred while sending the request.) ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.IO.IOException: The read operation failed, see inner exception. ---> System.ComponentModel.Win32Exception: No credentials are available in the security package
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.ThrowIfExceptional()
   at System.Net.Security.SslStream.CheckThrow(Boolean authSuccessCheck, Boolean shutdownCheck)
   at System.Net.Security.SslStream.CheckOldKeyDecryptedData(Memory`1 buffer)
   at System.Net.Security.SslStream.HandleQueuedCallback(Object& queuedStateRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.ReadAsyncInternal[TReadAdapter](TReadAdapter adapter, Memory`1 buffer)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ReadAsyncInternal[TReadAdapter](TReadAdapter adapter, Memory`1 buffer)
   at System.Net.Http.HttpConnection.FillAsync()
   at System.Net.Http.HttpConnection.ReadNextResponseHeaderLineAsync(Boolean foldedHeadersAllowed)
   at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection connection, HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at ssltest.Program.DoIt() in s:\dotnet\ssltest\Program.cs:line 42
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at System.Threading.Tasks.Task.Wait()
   at ssltest.Program.Main(String[] args) in s:\dotnet\ssltest\Program.cs:line 18
---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.IO.IOException: The read operation failed, see inner exception. ---> System.ComponentModel.Win32Exception: No credentials are available in the security package
   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential)
   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.ThrowIfExceptional()
   at System.Net.Security.SslStream.CheckThrow(Boolean authSuccessCheck, Boolean shutdownCheck)
   at System.Net.Security.SslStream.CheckOldKeyDecryptedData(Memory`1 buffer)
   at System.Net.Security.SslStream.HandleQueuedCallback(Object& queuedStateRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.ReadAsyncInternal[TReadAdapter](TReadAdapter adapter, Memory`1 buffer)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ReadAsyncInternal[TReadAdapter](TReadAdapter adapter, Memory`1 buffer)
   at System.Net.Http.HttpConnection.FillAsync()
   at System.Net.Http.HttpConnection.ReadNextResponseHeaderLineAsync(Boolean foldedHeadersAllowed)
   at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection connection, HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at ssltest.Program.DoIt() in s:\dotnet\ssltest\Program.cs:line 42<---

due to #23749. I think the refactoring work for SslStream with PR dotnet/corefx#35109 fixed the hang as a side effect.

@davidsh davidsh closed this as completed Apr 20, 2019
@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the 3.0 milestone Jan 31, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 16, 2020
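
The workaround and the hang discussed in this thread, as an added C# example that is not code from the issue or from dotnet/corefx: it imports the PFX with a key-storage flag SChannel can use, rejects a certificate without a private key before it reaches the TLS stack, and bounds SendAsync from outside. The names ClientCertDemo, Load, BuildHandler and SendWithWatchdogAsync are hypothetical, and the self-signed certificate is constructed sample input.

```csharp
using System;
using System.Net.Http;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class ClientCertDemo // hypothetical names throughout; added example
{
    // Per the thread, SChannel on Windows cannot use a key imported with EphemeralKeySet.
    // DefaultKeySet stores the key on disk; disposing the certificate removes it again.
    public static X509Certificate2 Load(byte[] pfx, string password)
    {
        var flags = RuntimeInformation.IsOSPlatform(OSPlatform.Linux)
            ? X509KeyStorageFlags.EphemeralKeySet   // in-memory import is usable here
            : X509KeyStorageFlags.DefaultKeySet;    // Windows (SChannel) and macOS
        var cert = new X509Certificate2(pfx, password, flags);
        if (!cert.HasPrivateKey)
        {
            cert.Dispose();
            throw new CryptographicException("PFX has no private key; unusable for client auth.");
        }
        return cert;
    }

    public static SocketsHttpHandler BuildHandler(X509Certificate2 cert)
    {
        var handler = new SocketsHttpHandler { ConnectTimeout = TimeSpan.FromSeconds(10) };
        handler.SslOptions.ClientCertificates = new X509CertificateCollection { cert };
        return handler;
    }

    // On .NET Core 2.1/2.2 the thread reports SendAsync never completing, even after
    // cancellation, so the wait is bounded here instead of relying on HttpClient.Timeout.
    public static async Task<HttpResponseMessage> SendWithWatchdogAsync(
        HttpClient client, HttpRequestMessage request, TimeSpan limit)
    {
        Task<HttpResponseMessage> send = client.SendAsync(request);
        if (await Task.WhenAny(send, Task.Delay(limit)) != send)
            throw new TimeoutException("Request stalled; check the certificate key storage flags.");
        return await send;
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate exported as a PFX.
        byte[] pfx;
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-test-client", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var tmp = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
                pfx = tmp.Export(X509ContentType.Pfx, "");
        }
        using (X509Certificate2 cert = Load(pfx, ""))
        using (var client = new HttpClient(BuildHandler(cert)))
            Console.WriteLine("HasPrivateKey=" + cert.HasPrivateKey);
    }
}
```

A request that trips the watchdog is abandoned rather than cancelled, so the handler that issued it should be disposed and rebuilt before retrying.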