Work around Schannel TLS resume disable race on older Windows#126693
Open
rzikm wants to merge 4 commits intodotnet:mainfrom
Open
Work around Schannel TLS resume disable race on older Windows#126693rzikm wants to merge 4 commits intodotnet:mainfrom
rzikm wants to merge 4 commits intodotnet:mainfrom
Conversation
On Windows Server 2022 (build 20348) and older, ApplyControlToken with SSL_SESSION_DISABLE_RECONNECTS races with Schannel's internal session cache. ISC's LookupCacheByName finds a fresh resumable entry and embeds the session ID in the ClientHello before ApplyControlToken can expire it. Work around by following the pattern used by Schannel's own webcli.c test and http.sys: after ApplyControlToken, delete the security context and retry InitializeSecurityContext with a null context so the new ClientHello is generated without a stale session ID. The workaround is conditioned on build < 22000 (pre-Windows 11), since newer Schannel builds correctly prevent cache population when ApplyControlToken is used. Also re-enables the ClientDisableTlsResume_Succeeds test that was disabled due to this issue. Fixes dotnet#103449 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones |
Contributor
There was a problem hiding this comment.
Pull request overview
Works around a Schannel race on older Windows builds where disabling TLS resumption via ApplyControlToken(SSL_SESSION_DISABLE_RECONNECTS) can still result in a resumable session ID being embedded into the initial ClientHello, causing unexpected resumption.
Changes:
- Add a Windows build-gated workaround that disposes the security context after
ApplyControlTokenand retriesInitializeSecurityContextto regenerateClientHellowithout a stale session ID. - Re-enable the previously disabled
ClientDisableTlsResume_Succeedstest on Windows by removing theActiveIssueannotation.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs |
Implements the context-delete + retry workaround for pre-22000 Windows builds after ApplyControlToken succeeds. |
src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamAllowTlsResumeTests.cs |
Removes the Windows ActiveIssue guard to run the TLS resume disable test again. |
src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
Show resolved
Hide resolved
Move the ApplyControlToken/workaround block before the consumed/ SECBUFFER_EXTRA check so both the normal and retry paths share it. Reuse the original inputBuffers for the retry since this only runs on the very first ISC call (newContext == true) where the input is empty and the buffers are unmodified. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This was referenced Apr 9, 2026
Open
ApplyControlToken takes 'ref context' which makes the compiler lose the null-state guarantee from the outer 'context != null' check. Use context?.Dispose() to satisfy nullable analysis. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
On Windows Server 2022 (build 20348) and older,
ApplyControlToken(SSL_SESSION_DISABLE_RECONNECTS)races with Schannel's internal session cache —InitializeSecurityContext's internalLookupCacheByNamefinds a fresh resumable entry and embeds the session ID in theClientHellobeforeApplyControlTokencan expire it.Workaround
After
ApplyControlToken, delete the security context and retryInitializeSecurityContextwith a null context so the newClientHellois generated without a stale session ID. This follows the same pattern used by Schannel's ownwebcli.ctest andhttp.sys.The workaround is conditioned on
Environment.OSVersion.Version.Build < 22000(pre-Windows 11), since newer Schannel builds correctly prevent cache population whenApplyControlTokenis used.Also re-enables the
ClientDisableTlsResume_Succeedstest that was disabled due to this issue.Fixes #103449