Fix performance regression in SSL handshake (#66077)

rzikm · web-flow · commit 7698a9a80c5f · 2022-03-07T09:16:45.000+01:00
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs
@@ -48,13 +48,20 @@ internal static SslPolicyErrors VerifyCertificateProperties(
             SafeFreeCertContext? remoteContext = null;
             try
             {
-                // SECPKG_ATTR_REMOTE_CERT_CHAIN can be used even before the TLS handshake completes, which is necessary
-                // in order to supply the certificate to the client cert selection callback. However, it is not available on
-                // windows 7, so use the SECPKG_ATTR_REMOTE_CERT_CONTEXT as a fallback option.
-                if (!SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CHAIN(GlobalSSPI.SSPISecureChannel, securityContext, out remoteContext))
+                // SECPKG_ATTR_REMOTE_CERT_CONTEXT will not succeed before TLS handshake completes. Inside the handshake,
+                // we need to use (more expensive) SECPKG_ATTR_REMOTE_CERT_CHAIN. That one may be unsupported on older
+                // versions of windows. In that case, we have no option than to return null.
+                //
+                // We can use retrieveCollection to distinguish between in-handshake and after-handshake calls, because
+                // the collection is retrieved for cert validation purposes after the handshake completes.
+                if (retrieveCollection) // handshake completed
                 {
                     SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CONTEXT(GlobalSSPI.SSPISecureChannel, securityContext, out remoteContext);
                 }
+                else // in handshake
+                {
+                    SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CHAIN(GlobalSSPI.SSPISecureChannel, securityContext, out remoteContext);
+                }
 
                 if (remoteContext != null && !remoteContext.IsInvalid)
                 {

Original file line number	Diff line number	Diff line change
`@@ -48,13 +48,20 @@ internal static SslPolicyErrors VerifyCertificateProperties(`
`48`	`48`	`SafeFreeCertContext? remoteContext = null;`
`49`	`49`	`try`
`50`	`50`	`{`
`51`		`- // SECPKG_ATTR_REMOTE_CERT_CHAIN can be used even before the TLS handshake completes, which is necessary`
`52`		`- // in order to supply the certificate to the client cert selection callback. However, it is not available on`
`53`		`- // windows 7, so use the SECPKG_ATTR_REMOTE_CERT_CONTEXT as a fallback option.`
`54`		`- if (!SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CHAIN(GlobalSSPI.SSPISecureChannel, securityContext, out remoteContext))`
	`51`	`+ // SECPKG_ATTR_REMOTE_CERT_CONTEXT will not succeed before TLS handshake completes. Inside the handshake,`
	`52`	`+ // we need to use (more expensive) SECPKG_ATTR_REMOTE_CERT_CHAIN. That one may be unsupported on older`
	`53`	`+ // versions of windows. In that case, we have no option than to return null.`
	`54`	`+ //`
	`55`	`+ // We can use retrieveCollection to distinguish between in-handshake and after-handshake calls, because`
	`56`	`+ // the collection is retrieved for cert validation purposes after the handshake completes.`
	`57`	`+ if (retrieveCollection) // handshake completed`
`55`	`58`	`{`
`56`	`59`	`SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CONTEXT(GlobalSSPI.SSPISecureChannel, securityContext, out remoteContext);`
`57`	`60`	`}`
	`61`	`+ else // in handshake`
	`62`	`+ {`
	`63`	`+ SSPIWrapper.QueryContextAttributes_SECPKG_ATTR_REMOTE_CERT_CHAIN(GlobalSSPI.SSPISecureChannel, securityContext, out remoteContext);`
	`64`	`+ }`
`58`	`65`
`59`	`66`	`if (remoteContext != null && !remoteContext.IsInvalid)`
`60`	`67`	`{`