Skip to content

[Android] Fix Android SSL exception propagation in certificate validation #118482

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
kotlarmilos wants to merge 4 commits into from
Closed

[Android] Fix Android SSL exception propagation in certificate validation #118482

kotlarmilos wants to merge 4 commits into from

Conversation

@kotlarmilos
Copy link
Member

@kotlarmilos kotlarmilos commented Aug 7, 2025
edited
Loading

Summary

This fixes Android-specific SSL exception handling to explicitly propagate AuthenticationException when certificate validation fails. Additionally, in SSL handshake even when validation exceptions were detected, the SSL handshake continued instead of failing immediately.

Changes

  • Explicitly create and throw AuthenticationException when certificate validation fails
  • Ensure SSL handshake is immediately terminated upon validation failure
  • Propagate exceptions via SecurityStatusPal to prevent timeouts

Copilot AI review requested due to automatic review settings August 7, 2025 09:47
@kotlarmilos kotlarmilos marked this pull request as draft August 7, 2025 09:47
Copilot AI reviewed Aug 7, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes Android-specific SSL exception handling to ensure certificate validation exceptions are properly propagated and cause immediate handshake failure. The issue was that certificate validation failures were not being converted to AuthenticationException and SSL handshakes continued even when validation failed, leading to timeouts instead of proper error reporting.

Key changes:

  • Add explicit AuthenticationException creation when certificate validation fails
  • Implement early termination of SSL handshake when validation exceptions are detected
  • Ensure proper exception propagation through SecurityStatusPal to prevent timeouts

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
SslStreamPal.Android.cs Adds validation exception checking before and after handshake attempts with proper status code handling
SslStream.Android.cs Creates AuthenticationException when certificate validation fails and adds using directive for Authentication namespace

src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Android.cs

SafeSslHandle sslHandle = sslContext!.SslContext;

Exception? validationException = sslContext?.SslStreamProxy.ValidationException;
Copy link

Copilot AI Aug 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The validation exception is retrieved twice in the same method (lines 207 and 226). Consider storing the result in a variable that's updated only when needed to avoid redundant property access.

Copilot uses AI. Check for mistakes.
@kotlarmilos kotlarmilos added this to the 10.0.0 milestone Aug 7, 2025
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Aug 7, 2025

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@kotlarmilos
Copy link
Member Author

kotlarmilos commented Aug 7, 2025

/azp run runtime-extra-platforms

@azure-pipelines
Copy link

azure-pipelines bot commented Aug 7, 2025

Azure Pipelines successfully started running 1 pipeline(s).

This was referenced Aug 7, 2025
Open
Open
Closed
This was referenced Aug 7, 2025
Open
Open
@kotlarmilos kotlarmilos marked this pull request as ready for review August 8, 2025 09:39
@kotlarmilos
Copy link
Member Author

kotlarmilos commented Aug 11, 2025

This fixes the CI but is not the proper fix. Validation can return false even when there is no custom validation through ServerCertificateCustomValidationCallback.

@github-actions github-actions bot locked and limited conversation to collaborators Sep 11, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@vitek-karas vitek-karas vitek-karas left review comments

Copilot code review Copilot Copilot left review comments

@simonrozsival simonrozsival Awaiting requested review from simonrozsival

Assignees

@kotlarmilos kotlarmilos

Labels

area-System.Net.Security os-android

Projects

None yet

Milestone

10.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@kotlarmilos @vitek-karas