Adding documentation for new CipherSuitesPolicy, SslStream.NegotiatedCipherSuite and TlsCipherSuites #2822
Conversation
…CipherSuite and TlsCipherSuite.
|
@dotnet/ncl @krwq @bartonjs |
| <remarks> | ||
| <format type="text/markdown"><![CDATA[ | ||
| > [!NOTE] | ||
| > Defining a chipher suite policy on <xref:System.Net.Security.SslStream> authentication will prevent the OS of the ability to decide which are the best cipher suites to negotiate with and will need of your attention to manually check and update this code. It is strongly recommended to hold off the use of this property and rely on your constantly updated OS policy. |
| <remarks> | ||
| <format type="text/markdown"><![CDATA[ | ||
| > [!NOTE] | ||
| > Defining a chipher suite policy on <xref:System.Net.Security.SslStream> authentication will prevent the OS of the ability to decide which are the best cipher suites to negotiate with and will need of your attention to manually check and update this code. It is strongly recommended to hold off the use of this property and rely on your constantly updated OS policy. |
There was a problem hiding this comment.
OS is allowed to further restrict the list so it doesn't strictly speaking prevent OS from deciding (implementation will make the last call) but if new cipher suite shows up in the updated version of the underlying implementation a user won't get it by default (which in some cases might or might not be expected).
Also OS should be replaced with underlying implementation
| > Defining a chipher suite policy on <xref:System.Net.Security.SslStream> authentication will prevent the OS of the ability to decide which are the best cipher suites to negotiate with and will need of your attention to manually check and update this code. It is strongly recommended to hold off the use of this property and rely on your constantly updated OS policy. | ||
| ## Remarks | ||
| Unlike the OS underlying SSL/TLS implementation, the order of the <xref:System.Net.Security.TlsCipherSuite> elements in `allowedCipherSuites` does not determine their priority in the client-server negotiation. It is required to use OSX or Unix-based systems with OpenSSL 1.1.1 in order to initialize an instance of this class. |
There was a problem hiding this comment.
I'd drop Unlike the OS underlying SSL/TLS implementation - not sure what that part means
There was a problem hiding this comment.
does not determine their priority => does not guarantee their priority
carlossanlop
requested review from
bartonjs,
carlossanlop,
mairaw,
rpetrusha and
scalablecory
carlossanlop
added
🏁 Release: .NET Core 3.0
| > Defining a chipher suite policy on <xref:System.Net.Security.SslStream> authentication will prevent the OS of the ability to decide which are the best cipher suites to negotiate with and will need of your attention to manually check and update this code. It is strongly recommended to hold off the use of this property and rely on your constantly updated OS policy. | ||
| ## Remarks | ||
| Unlike the OS underlying SSL/TLS implementation, the order of the <xref:System.Net.Security.TlsCipherSuite> elements in `allowedCipherSuites` does not determine their priority in the client-server negotiation. It is required to use OSX or Unix-based systems with OpenSSL 1.1.1 in order to initialize an instance of this class. |
There was a problem hiding this comment.
I think the "or" here is lexically ambiguous. IIRC it requires ((macOS) or (Linux with OpenSSL 1.1.1)), but it's possible to parse as ((macOS or Linux) with OpenSSL 1.1.1).
It probably needs some sort of style bubble for OS-specific requirements. Something like
[!IMPORTANT]
This feature is dependent on platform support.
* Microsoft Windows: This feature is not available.
* macOS: This feature is available.
* Linux: This feature is available on systems with OpenSSL 1.1.1 or higher.
But I'd wait for a writer before changing the format.
There was a problem hiding this comment.
I left a suggestion above. See what you think. I've changed from Unix-based to Linux since macOS it's also Unix-based.
| > Defining a chipher suite policy on <xref:System.Net.Security.SslStream> authentication will prevent the OS of the ability to decide which are the best cipher suites to negotiate with and will need of your attention to manually check and update this code. It is strongly recommended to hold off the use of this property and rely on your constantly updated OS policy. | ||
| ## Remarks | ||
| Unlike the OS underlying SSL/TLS implementation, the order of the <xref:System.Net.Security.TlsCipherSuite> elements in `allowedCipherSuites` does not determine their priority in the client-server negotiation. It is required to use OSX or Unix-based systems with OpenSSL 1.1.1 in order to initialize an instance of this class. |
There was a problem hiding this comment.
Does it actually not determine the order? I thought it did on macOS and Linux (but on Windows it won't).
There was a problem hiding this comment.
on OSX I think it does, on Linux it will do some re-ordering (TLS1.3 cipher suites will go first, possibly some null ciphers will go to the back - can't remember the details) but mostly preserves the order. I'd just keep the sentence to order is not guaranteed (or we will do best effort or something along these lines)
| <summary>To be added.</summary> | ||
| <value>To be added.</value> | ||
| <remarks>To be added.</remarks> | ||
| <summary>Gets the cipher suite resolved to use by this <see cref="T:System.Net.Security.SslStream"/>.</summary> |
There was a problem hiding this comment.
This is a cipher suite which was already negotiated and is already being used. Comment could be something like:
Cipher suite picked by the server from the client supplied list of allowed cipher suites
| <format type="text/markdown"><
| @@ -5019,7 +5026,7 @@ | |||
| </ReturnValue> | |||
| <MemberValue>0</MemberValue> | |||
| <Docs> | |||
| <summary>To be added.</summary> | |||
| <summary>Represents the TLS_NULL_WITH_NULL_NULL cipher suite; this is the default value.</summary> | |||
There was a problem hiding this comment.
@krwq this might worth reviewing. In this field I am stating TLS_NULL_WITH_NULL_NULL is enum's default value; not sure if it should really be included.
There was a problem hiding this comment.
it is default when you do default(TlsCipherSuite) solely because enums always default to 0 which happens to map to this cipher suite. For the AllowedCipherSuites you will get whatever you pass in and there is only custom or OS default options
| > Defining a chipher suite policy on <xref:System.Net.Security.SslStream> authentication will prevent the OS of the ability to decide which are the best cipher suites to negotiate with and will need of your attention to manually check and update this code. It is strongly recommended to hold off the use of this property and rely on your constantly updated OS policy. | ||
| ## Remarks | ||
| Unlike the OS underlying SSL/TLS implementation, the order of the <xref:System.Net.Security.TlsCipherSuite> elements in `allowedCipherSuites` does not determine their priority in the client-server negotiation. It is required to use OSX or Unix-based systems with OpenSSL 1.1.1 in order to initialize an instance of this class. |
There was a problem hiding this comment.
I left a suggestion above. See what you think. I've changed from Unix-based to Linux since macOS it's also Unix-based.
| <format type="text/markdown"><
* Adding some changes of my own as well. Co-Authored-By: Maira Wenzel <[email protected]> Co-Authored-By: Jeremy Barton <[email protected]>
|
@mairaw @rpetrusha @bartonjs @krwq @carlossanlop |
|
@jozkee I haven't seen corefx PR updating xml doc comments |
|
@krwq I will do it soon, but that shouldn't stop this PR from merging. |
krwq
left a comment
krwq
left a comment
There was a problem hiding this comment.
LGTM content wise (please get additional sign-off for grammar from some native speaker)
mairaw
added
the
changes-addressed
|
@mairaw @rpetrusha can we get this PR merged? |
|
I'll review it quickly now. |
mairaw
removed
changes-addressed
jozkee
left a comment
jozkee
left a comment
There was a problem hiding this comment.
Addressing suggestions for AllowedCipherSuites remarks.
Co-Authored-By: Ron Petrusha <[email protected]>
|
@rpetrusha I just addressed your latest suggestions. I think this should be ready to merge once the build passes. |
mairaw
added
the
changes-addressed
|
@rpetrusha the build passed. Is this good to merge? |
carlossanlop
added
verify-build-before-merge
and removed
changes-addressed
|
Yes, this is ready to merge, @jozkee and @carlossanlop. I'll do it now. |
6 participants
This completes System.Net.Security namespace by documenting the following: