only cache credentials on success #58594
Conversation
|
Tagging subscribers to this area: @dotnet/ncl, @vcsjones Issue DetailsThis is not what I expected. But I could reproduce the I have some ideas why we do not see this more: With this we would try to string the cache only on multiples of 32. With certificate, protocols and EncryptionPolicy that generally would be never on clients as there is typically no client certificate, few protocol variations and nobody sane should not use anything but So it tales some effort to even hit the reduction code - perhaps by crafting many unique certificates. While we lock on cache changes, we don't seems to when we retrieving cached value. So while the caching may be improved, I did not find anything particularly wrong. fixes #30724
|
|
I assume it fixes also #46770 -- top post edited. |
Yes, I think it should. I was not assigned to me so I miss it. |
| @@ -818,7 +818,7 @@ private SecurityStatusPal GenerateToken(ReadOnlySpan<byte> inputBuffer, ref byte | |||
| // This call may bump up the credential reference count further. | |||
| // Note that thumbPrint is retrieved from a safe cert object that was possible cloned from the user passed cert. | |||
| // | |||
| if (!cachedCreds && _securityContext != null && !_securityContext.IsInvalid && _credentialsHandle != null && !_credentialsHandle.IsInvalid) | |||
| if (!cachedCreds && status.ErrorCode == SecurityStatusPalErrorCode.OK && _securityContext != null && !_securityContext.IsInvalid && _credentialsHandle != null && !_credentialsHandle.IsInvalid) | |||
There was a problem hiding this comment.
Do we have tests that will end up with a non-OK ErrorCode?
There was a problem hiding this comment.
I will take a look. There seems to be some race condition so I see the "Close handle" only once in a while. It would be nice to have some predictability for error cases.
ghost
locked as resolved and limited conversation to collaborators
This is not what I expected. But I could reproduce the
Safe handle has been closederror with few hundred runs.With this change I did ~ 5000 runs without single failure. There may be more to it but this definitely seems to help.
I have some ideas why we do not see this more:
runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslSessionsCache.cs
Lines 196 to 209 in f3390fd
With this we would try to string the cache only on multiples of 32. With certificate, protocols and EncryptionPolicy that generally would be never on clients as there is typically no client certificate, few protocol variations and nobody sane should not use anything but
Encryptpolicy.So it tales some effort to even hit the reduction code - perhaps by crafting many unique certificates.
For future investigations, lowering
CheckExpiredModulomakes it much easier to test that code.While we lock on cache changes, we don't seems to when we retrieving cached value.
And all the entries stored in the cache are disposed.
And we seems to allocate a lot while attempting to shrink:
runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslSessionsCache.cs
Lines 224 to 225 in f3390fd
So while the caching may be improved, I did not find anything particularly wrong.
My current speculation is that the observed issue is caused by polluting cache with bad values.
With the added extra check my local runs are now happy.
Fixes #30724
Fixes #46770