SslStream fails to authenticate in .NET 7.0 but works in .NET 6.0

[lini]

Description

I have an app targeting .NET 6.0, which uses a SslStream to establish a TLS connection to a remote server and transfer data through it. After I updated the app to .NET 7.0, the AuthenticateAsClientAsync() call started to throw an exception in some cases:

Unhandled exception. System.AggregateException: One or more errors occurred. ( Received an unexpected EOF or 0 bytes from the transport stream.)
 ---> System.IO.IOException:  Received an unexpected EOF or 0 bytes from the transport stream.
   at System.Net.Security.SslStream.EnsureFullTlsFrameAsync[TIOAdapter](CancellationToken cancellationToken)
   at System.Runtime.CompilerServices.PoolingAsyncValueTaskMethodBuilder`1.StateMachineBox`1.System.Threading.Tasks.Sources.IValueTaskSource<TResult>.GetResult(Int16 token)
   at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](CancellationToken cancellationToken)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)

Nothing else is changed in the app, except the TargetFramework value - with .NET 6.0 it works, with .NET 7.0 it fails.

I also tested the app on other OS and there were NO exceptions there (Windows 11 22H2, macOS Ventura, Ubuntu 22)

Reproduction Steps

Execute the following code from a console app targeting .NET 7.0 on Windows 10:

using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;


var targetHost = "lh3.googleusercontent.com";
var ip = Dns.Resolve(targetHost); // resolves to 142.250.186.129
Socket baseSocket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
baseSocket.Connect(new IPEndPoint(ip.AddressList[0], 443));
Stream strmNet = new NetworkStream(baseSocket, false);
var httpsStream = new SslStream(strmNet, false);
var appProtocols = new List<SslApplicationProtocol>() { SslApplicationProtocol.Http2, SslApplicationProtocol.Http11 };
var oAcceptedProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
var opt = new SslClientAuthenticationOptions()
{
    TargetHost = targetHost,
    ClientCertificates = null,
    EnabledSslProtocols = oAcceptedProtocols,
    CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
    ApplicationProtocols = appProtocols
};

var ct = new CancellationToken(false);
httpsStream.AuthenticateAsClientAsync(opt, ct).Wait();
Console.WriteLine("Stream is authenticated? " + httpsStream.IsAuthenticated.ToString());

Expected behavior

AuthenticateAsClientAsync should not throw an exception when trying to authenticate.

Actual behavior

The code throws an exception:

Unhandled exception. System.AggregateException: One or more errors occurred. ( Received an unexpected EOF or 0 bytes from the transport stream.)

Regression?

Yes, the code worked fine on .NET 6.0

Known Workarounds

No workaround at the moment :(

Configuration

Failing on:
OS version: Windows 10 x64 22H2
.NET version: 7.0.201

Works on
OS version: Windows 11 x64 22H2, macOS Ventura, Ubuntu 22.04
.NET version: 6.0.100 and 7.0.201

Other information

No response

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

I have an app targeting .NET 6.0, which uses a SslStream to establish a TLS connection to a remote server and transfer data through it. After I updated the app to .NET 7.0, the AuthenticateAsClientAsync() call started to throw an exception in some cases:

Unhandled exception. System.AggregateException: One or more errors occurred. ( Received an unexpected EOF or 0 bytes from the transport stream.)
 ---> System.IO.IOException:  Received an unexpected EOF or 0 bytes from the transport stream.
   at System.Net.Security.SslStream.EnsureFullTlsFrameAsync[TIOAdapter](CancellationToken cancellationToken)
   at System.Runtime.CompilerServices.PoolingAsyncValueTaskMethodBuilder`1.StateMachineBox`1.System.Threading.Tasks.Sources.IValueTaskSource<TResult>.GetResult(Int16 token)
   at System.Net.Security.SslStream.ReceiveBlobAsync[TIOAdapter](CancellationToken cancellationToken)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)

Nothing else is changed in the app, except the TargetFramework value - with .NET 6.0 it works, with .NET 7.0 it fails.

I also tested the app on other OS and there were NO exceptions there (Windows 11 22H2, macOS Ventura, Ubuntu 22)

Reproduction Steps

Execute the following code from a console app targeting .NET 7.0 on Windows 10:

using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;


var targetHost = "lh3.googleusercontent.com";
var ip = Dns.Resolve(targetHost); // resolves to 142.250.186.129
Socket baseSocket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
baseSocket.Connect(new IPEndPoint(ip.AddressList[0], 443));
Stream strmNet = new NetworkStream(baseSocket, false);
var httpsStream = new SslStream(strmNet, false);
var appProtocols = new List<SslApplicationProtocol>() { SslApplicationProtocol.Http2, SslApplicationProtocol.Http11 };
var oAcceptedProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
var opt = new SslClientAuthenticationOptions()
{
    TargetHost = targetHost,
    ClientCertificates = null,
    EnabledSslProtocols = oAcceptedProtocols,
    CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
    ApplicationProtocols = appProtocols
};

var ct = new CancellationToken(false);
httpsStream.AuthenticateAsClientAsync(opt, ct).Wait();
Console.WriteLine("Stream is authenticated? " + httpsStream.IsAuthenticated.ToString());

Expected behavior

AuthenticateAsClientAsync should not throw an exception when trying to authenticate.

Actual behavior

The code throws an exception:

Unhandled exception. System.AggregateException: One or more errors occurred. ( Received an unexpected EOF or 0 bytes from the transport stream.)

Regression?

Yes, the code worked fine on .NET 6.0

Known Workarounds

No workaround at the moment :(

Configuration

Failing on:
OS version: Windows 10 x64 22H2
.NET version: 7.0.201

Works on
OS version: Windows 11 x64 22H2, macOS Ventura, Ubuntu 22.04
.NET version: 6.0.100 and 7.0.201

Other information

No response

Author:	lini
Assignees:	-
Labels:	area-System.Net.Security
Milestone:	-

[rzikm]

Regression -> we should investigate in 8.0

I can reproduce this on Win 11 as well.

@wfurt any ideas what may have caused this? I checked with wireshark and there is basically no difference in client-side packets. Also, it looks like it is the client side which is closing the connection.

[rzikm]

I got it, it's regression from #64747.

What happens is that there is a tiny leftover at the very end of the SslStream._buffer, which prevents us from reading more data. I will put up a PR

[lini]

Thanks for the investigation and confirmation of the issue!
I see that the fix milestone is set to 8.0 - will it be possible to backport it in a 7.0.x release as well so we can get and test it earlier?

[rzikm]

I think it is reasonable to expect this to be backported to 7.0.x, as it is potentially breaking lots of users.

[rzikm]

Reopening for backport to 7.0