From fedb9077c3167af29a0c540009de73afdabec1ad Mon Sep 17 00:00:00 2001
From: Jeremy Barton
Date: Tue, 9 Aug 2022 09:06:22 -0700
Subject: [PATCH] Use SSL_ctrl instead of SSL_CTX_ctrl to enable client OCSP stapling

This is required on OpenSSL 1.0.x, which is still in use on RHEL7 and CentOS7
---
 .../CertificateValidationRemoteServer.cs | 5 -----
 .../pal_ssl.c | 19 ++++++++++++-------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs
index 04584167acbad3..3e88c049175462 100644
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs
@@ -108,11 +108,6 @@ public Task ConnectWithRevocation_WithCallback(bool checkRevocation)
 [InlineData(true)]
 public Task ConnectWithRevocation_StapledOcsp(bool offlineContext)
 {
- if (PlatformDetection.IsRedHatFamily7 && !offlineContext)
- {
- throw new SkipTestException("Active test issue https://github.com/dotnet/runtime/issues/71037");
- }
-
 // Offline will only work if
 // a) the revocation has been checked recently enough that it is cached, or
 // b) the server stapled the response
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
index acfd66db973010..57f1b368b62abf 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
@@ -237,12 +237,6 @@ SSL_CTX* CryptoNative_SslCtxCreate(const SSL_METHOD* method)
 return NULL;
 }
 }
-
- // Opportunistically request the server present a stapled OCSP response.
- if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE, TLSEXT_STATUSTYPE_ocsp, NULL) != 1)
- {
- ERR_clear_error();
- }
 }
 
 return ctx;
@@ -365,7 +359,18 @@ void CryptoNative_SslCtxSetProtocolOptions(SSL_CTX* ctx, SslProtocols protocols)
 SSL* CryptoNative_SslCreate(SSL_CTX* ctx)
 {
 ERR_clear_error();
- return SSL_new(ctx);
+ SSL* ret = SSL_new(ctx);
+
+ if (ret != NULL)
+ {
+ // Opportunistically request the server present a stapled OCSP response.
+ if (SSL_ctrl(ret, SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE, TLSEXT_STATUSTYPE_ocsp, NULL) != 1)
+ {
+ ERR_clear_error();
+ }
+ }
+
+ return ret;
 }
 
 int32_t CryptoNative_SslGetError(SSL* ssl, int32_t ret)
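Review bot: The status-request type is now applied to every SSL object returned by CryptoNative_SslCreate, but this function cannot tell whether the object will run the client or the server side of the handshake, and the comment on the new `SSL_ctrl` call describes only the client case. On a server-side SSL this pre-sets the field OpenSSL otherwise takes from the peer's status_request extension; the SSL_CTX_ctrl form removed in the first hunk had the same effect, so this is not a regression, but it is worth confirming that a server created from a context with a status callback installed never staples to a client that did not ask, particularly on the 1.0.x builds this change targets. If the PAL's connect-state setter is the point where the client role becomes known, that would be the natural home for the call; otherwise widen the comment to `// Set on every SSL regardless of role; only the client side uses it.` followed by `// TODO(review): confirm server handshakes ignore a pre-set type when the ClientHello carries no status_request.` Clearing the error queue on a non-1 return is consistent with the best-effort intent.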