Skip to content

Fix connecting with VerifyCA and VerifyFull #5944

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Nov 20, 2024
Merged

Fix connecting with VerifyCA and VerifyFull #5944

merged 10 commits into from
Nov 20, 2024

Conversation

vonzshik
Copy link
Contributor

Fixes #5942

@vonzshik vonzshik requested a review from roji as a code owner November 20, 2024 05:23
@vonzshik vonzshik changed the title 5942 ssl verify revocation check fix Fix connecting with VerifyCA and VerifyFull Nov 20, 2024
@vonzshik vonzshik merged commit 2b013ed into main Nov 20, 2024
14 checks passed
@vonzshik vonzshik deleted the 5942-ssl-verify-revocation-check-fix branch November 20, 2024 17:29
vonzshik added a commit that referenced this pull request Nov 20, 2024
@vonzshik
Fix connecting with VerifyCA and VerifyFull (#5944)
47ee78b 
Fixes #5942

(cherry picked from commit 2b013ed)
@vonzshik
Copy link
Contributor Author

Backported to 9.0.2 via 47ee78b

bartonjs
bartonjs reviewed Nov 21, 2024
View reviewed changes
src/Npgsql/Internal/NpgsqlConnector.cs
@@ -932,7 +932,7 @@ internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout,
TargetHost = host,
ClientCertificates = clientCertificates,
EnabledSslProtocols = SslProtocols.None,
CertificateRevocationCheckMode = checkCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.Offline,
CertificateRevocationCheckMode = checkCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just in case this was a "we changed this line of code, but don't know why it solved the problem":

RevocationMode.Online is basically bool? revoked = CheckCachedRevocation() ?? DownloadAndCacheRevocation(); where the null state is "OfflineRevocation | RevocationUnknown")

RevocationMode.Offline is just CheckCachedRevocation().

So Offline only works if anyone ever did Online (or somehow seeded the cache via different means). It's... basically... never the right answer.

Since Online checks the cache first, it's more "Online possible", vs "live". If you're talking to the same host repeatedly, it's functionally the same as Offline, but without the errors.

Copy link
Contributor Author

@vonzshik vonzshik Nov 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm mostly confused as to why I used X509RevocationMode.Offline in the first place. Just looking at the previous implementation, we passed false to check for certificate revocation to SslStream, and in turn that passes X509RevocationMode.NoCheck, so I should have done the exact same thing...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@roji roji roji approved these changes

+1 more reviewer

@bartonjs bartonjs bartonjs left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SSL Mode=VerifyFull fails since 9.0.1
3 participants
@vonzshik @roji @bartonjs