dotnet / core


SslStream's handshake broken with Win10(17711 Insider)? #1760

Closed yyjdelete closed 6 years ago

yyjdelete commented 6 years ago

Issue Title

I know this is not the best place to report this issue, but I can't find a place to report the problem in Feedback Center with only a dotnet reproduce case. (iexplore seems to work well with tls12 disabled.) Set the server's enabledSslProtocols to Tls|Tls12, and the client to Tls|Tls11, and see the handshake failure with invalid flags.

```
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> System.ComponentModel.Win32Exception: 给函数提供的标志无效
   --- End of inner exception stack trace ---
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at ConsoleApp1.Program.<>c__DisplayClass0_0.<Main>b__1()
```

General

Provide details on the problem you are experiencing including the .NET Core version, operating system version and anything else that is relevant.

OS: Win10 (17711 Insider).

.NET Core version: This affects all versions of netcore and also netfx in the system.

```
>dotnet --info
.NET Core SDK(反映任何 global.json):
 Version:   2.1.301
 Commit:    59524873d6

运行时环境:
 OS Name:     Windows
 OS Version:  10.0.17711
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\2.1.301\

Host (useful for support):
  Version: 2.1.1
  Commit:  6985b9f684

.NET Core SDKs installed:
  1.1.9 [C:\Program Files\dotnet\sdk]
  2.1.4 [C:\Program Files\dotnet\sdk]
  2.1.100 [C:\Program Files\dotnet\sdk]
  2.1.201 [C:\Program Files\dotnet\sdk]
  2.1.300 [C:\Program Files\dotnet\sdk]
  2.1.301 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 1.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.1.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```

Please provide a code sample for your issue if it is relevant, either inline, link to a gist (or similar) or add it as a zipped attachment.

You can create any new .pfx file, or download it from https://github.com/Azure/DotNetty/blob/dev/shared/dotnetty.com.pfx

```cs
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Hello World!");
            var tcpServer = new TcpListener(IPAddress.Any, 8007);
            var tlsCertificate = new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "dotnetty.com.pfx"), "password");

            // Server: offers TLS 1.0 and TLS 1.2, then echoes received data to the console.
            Task.Factory.StartNew(() =>
            {
                try
                {
                    tcpServer.Start();
                    var cli2 = tcpServer.AcceptTcpClient();
                    // Repro only: the validation callback accepts any certificate.
                    var ssl = new SslStream(cli2.GetStream(), false, (_1, _2, _3, _4) => true);
                    ssl.AuthenticateAsServer(tlsCertificate, false, SslProtocols.Tls | SslProtocols.Tls12, false);
                    var data = new byte[65535];
                    while (true)
                    {
                        var i = ssl.Read(data, 0, data.Length);
                        if (i == 0)
                            break;
                        Console.WriteLine(Encoding.UTF8.GetString(data, 0, i));
                    }
                    ssl.Dispose();
                }
                catch (Exception e)
                {
                    Console.Error.WriteLine(e);
                }
            });

            // Client: offers TLS 1.0 and TLS 1.1, so TLS 1.0 is the only protocol both sides share.
            var cli = new TcpClient();
            Task.Factory.StartNew(() =>
            {
                try
                {
                    cli.Connect(new IPEndPoint(IPAddress.Loopback, 8007));
                    var ssl = new SslStream(cli.GetStream(), false, (_1, _2, _3, _4) => true);
                    ssl.AuthenticateAsClient("aaa", null, SslProtocols.Tls | SslProtocols.Tls11, false);
                    while (true)
                    {
                        var data = Console.ReadLine();
                        if (data == null)
                            break;
                        ssl.Write(Encoding.UTF8.GetBytes(data));
                        ssl.Flush();
                    }
                    ssl.Dispose();
                }
                catch (Exception e)
                {
                    Console.Error.WriteLine(e);
                }
            });

            // Keep the process alive while the two tasks run.
            while (true)
            {
                Thread.Sleep(60000);
            }
        }
    }
}
```

For some issues, you will get a quicker and better response if you file it at a more specific .NET repo. For example, if the problem is with ASP.NET Core, you are encouraged to use the aspnet/home repo.
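
The report above hinges on which `SslProtocols` pairs negotiate on a given Windows build. As an added example (not code from the issue or from the .NET project), this loopback harness runs each server/client pair and prints the negotiated protocol or the failure; the `ProtocolMatrix` class, the throwaway `CN=localhost` certificate and the two single-protocol sets are assumptions, and it assumes a current .NET SDK (C# 8 or later).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
class ProtocolMatrix // hypothetical name, not from the issue
{
    static async Task Main()
    {
        // Throwaway self-signed cert (constructed here); the PFX round trip gives SChannel a usable key.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var tmp = req.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(1));
        using var cert = new X509Certificate2(tmp.Export(X509ContentType.Pfx));
        var sets = new[] {
            SslProtocols.Tls | SslProtocols.Tls12,   // server set from the report
            SslProtocols.Tls | SslProtocols.Tls11,   // client set from the report
            SslProtocols.Tls, SslProtocols.Tls12 };  // single-protocol controls (assumed)
        foreach (var server in sets)
            foreach (var client in sets)
                Console.WriteLine($"server={server,-12} client={client,-12} -> {await Try(cert, server, client)}");
    }

    static async Task<string> Try(X509Certificate2 cert, SslProtocols server, SslProtocols client)
    {
        var listener = new TcpListener(IPAddress.Loopback, 0); // port 0: let the OS pick a free port
        listener.Start();
        try {
            int port = ((IPEndPoint)listener.LocalEndpoint).Port;
            var serverTask = Task.Run(async () => {
                using var tcp = await listener.AcceptTcpClientAsync();
                using var ssl = new SslStream(tcp.GetStream());
                await ssl.AuthenticateAsServerAsync(cert, false, server, false);
            });
            using var cli = new TcpClient();
            await cli.ConnectAsync(IPAddress.Loopback, port);
            // Test-only: the throwaway certificate is untrusted, so validation is skipped.
            using var sslCli = new SslStream(cli.GetStream(), false, (a, b, c, d) => true);
            await sslCli.AuthenticateAsClientAsync("localhost", null, client, false);
            await serverTask;
            return sslCli.SslProtocol.ToString();
        }
        catch (Exception e) { return $"{e.GetType().Name}: {(e.InnerException ?? e).Message}"; }
        finally { listener.Stop(); }
    }
}
```

Pairs with no protocol in common are expected to fail; on systems where TLS 1.0 or 1.1 is disabled by OS policy, pairs that rely on them fail as well, which is separate from the behaviour reported here.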

Petermarcu commented 6 years ago

Issue moved to dotnet/corefx #30924 via ZenHub