Setting of SSL_CERT_FILE in newer images causes issues with PInvoke C extensions #1973

Open
1 task done
cretz opened this issue Feb 7, 2025 · 0 comments
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. potential-regression Marking this issue as a potential regression to be checked by team member

cretz commented Feb 7, 2025

Describe the bug

As part of #1661, in the AWS .NET 8 image the SSL_CERT_FILE env var is forcefully set to a no-op because it was assumed only the .NET code/runtime would use such a file. However, some .NET apps have C/PInvoke extensions that do not expect this to be set to an empty file.

In our case (https://github.com/temporalio/sdk-dotnet), we have a Rust extension that uses https://github.com/hyperium/tonic which uses https://github.com/rustls/rustls-native-certs which uses https://github.com/alexcrichton/openssl-probe. When this was set to /tmp/noop in #1661 this didn't get used because the file didn't exist, but once it became a real file in #1663, now every Rust library using TLS this way (most I assume) does not have a CA cert bundle and therefore fails to validate server certs during TLS connections. And really any TLS library properly respecting SSL_CERT_FILE will have this problem.

Is there any way to solve whatever was trying to be solved in #1661 without setting an override variable that affects all TLS libraries?

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Expect .NET extensions to be able to communicate over TLS the same as if they were running on any other normal image. And expect OpenSSL environment variable overrides to not be present so default behavior still occurs. This was the case I believe in the .NET 6 runtime.

Current Behavior

Libraries that (properly) support SSL_CERT_FILE env var overrides now fail where they used to succeed (e.g. I believe in the .NET 6 runtime).

Reproduction Steps

I admit I have not built a standalone replication, though I can if I must (though it takes a while to set up an entire project with a Rust PInvoke extension). Here's an admittedly unfair/obvious reproduction:

if (Environment.GetEnvironmentVariable("SSL_CERT_FILE") != null)
{
    throw new InvalidOperationException("SSL cert file default overridden implicitly");
}

Possible Solution

No response

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

Amazon.Lambda.Core 2.5.0 (default with code template)

Targeted .NET Platform

.NET 8

Operating System and version

AmazonLinux 2023

@cretz cretz added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 7, 2025
@github-actions github-actions bot added the potential-regression Marking this issue as a potential regression to be checked by team member label Feb 7, 2025
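As an added diagnostic (not code from the issue, the AWS images, or the Rust crates it references), the script below resolves the CA bundle the way SSL_CERT_FILE-aware loaders such as openssl-probe do (the env var wins, otherwise well-known paths are probed; the fallback list here is an assumed set of common distro locations, not any library's exact list) and reports when the resolved file holds zero certificates, which is exactly the state the empty override in the .NET 8 image produces.

```shell
# Print the bundle path a loader would pick. $1 is the SSL_CERT_FILE value
# (possibly empty). The env var takes precedence over every fallback path.
resolve_ca_bundle() {
  if [ -n "$1" ]; then
    printf '%s\n' "$1"
    return 0
  fi
  # Assumed common locations; adjust for the distro in use.
  for p in /etc/ssl/certs/ca-certificates.crt \
           /etc/pki/tls/certs/ca-bundle.crt \
           /etc/ssl/ca-bundle.pem \
           /etc/pki/tls/cacert.pem \
           /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
           /etc/ssl/cert.pem; do
    if [ -f "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# Count PEM certificates in a file; an unreadable or empty file counts as 0.
count_certs() {
  if [ ! -r "$1" ]; then
    echo 0
    return 0
  fi
  n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
  echo "${n:-0}"
}

# Exit 0 when a bundle with at least one certificate is found, 1 otherwise.
# An override pointing at an empty file (the /tmp/noop case) fails here.
check_bundle() {
  bundle=$(resolve_ca_bundle "$1") || { echo "no CA bundle found"; return 1; }
  n=$(count_certs "$bundle")
  if [ "$n" -eq 0 ]; then
    echo "$bundle holds 0 certificates: TLS peer verification will fail"
    return 1
  fi
  echo "$bundle holds $n certificates"
  return 0
}

# Check the current environment, e.g. inside the Lambda container image.
check_bundle "${SSL_CERT_FILE:-}" || :
```

Running it inside the affected image should report 0 certificates for the SSL_CERT_FILE target, while unsetting the variable before launch lets the fallback probe find the distro bundle.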