Fixed custom root certificate validation on Linux (#861)
Some checks are pending
Build and Release / Determine run mode (push) Waiting to run
Build and Release / Read metadata (push) Blocked by required conditions
Build and Release / Sync Flatpak repo (push) Blocked by required conditions
Build and Release / Collect Flatpak artifacts (push) Blocked by required conditions
Build and Release / Build app (${{ matrix.dotnet_runtime }}) (-aarch64-apple-darwin, osx-arm64, macos-latest, aarch64-apple-darwin, dmg,app,updater, dmg) (push) Blocked by required conditions
Build and Release / Build app (${{ matrix.dotnet_runtime }}) (-aarch64-pc-windows-msvc.exe, win-arm64, windows-latest, aarch64-pc-windows-msvc, nsis,updater, nsis) (push) Blocked by required conditions
Build and Release / Build app (${{ matrix.dotnet_runtime }}) (-aarch64-unknown-linux-gnu, linux-arm64, ubuntu-22.04-arm, aarch64-unknown-linux-gnu, appimage,updater, appimage) (push) Blocked by required conditions
Build and Release / Build app (${{ matrix.dotnet_runtime }}) (-x86_64-apple-darwin, osx-x64, macos-latest, x86_64-apple-darwin, dmg,app,updater, dmg) (push) Blocked by required conditions
Build and Release / Build app (${{ matrix.dotnet_runtime }}) (-x86_64-pc-windows-msvc.exe, win-x64, windows-latest, x86_64-pc-windows-msvc, nsis,updater, nsis) (push) Blocked by required conditions
Build and Release / Build app (${{ matrix.dotnet_runtime }}) (-x86_64-unknown-linux-gnu, linux-x64, ubuntu-22.04, x86_64-unknown-linux-gnu, appimage,updater, appimage) (push) Blocked by required conditions
Build and Release / Prepare & create release (push) Blocked by required conditions
Build and Release / Publish release (push) Blocked by required conditions

This commit is contained in:
Thorsten Sommer 2026-07-15 14:43:41 +02:00 committed by GitHub
parent 8ef6cda901
commit d0d5bbea7f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 41 additions and 4 deletions

View File

@ -359,10 +359,19 @@ public static class ExternalHttpClientTimeout
if (sslPolicyErrors is SslPolicyErrors.None) if (sslPolicyErrors is SslPolicyErrors.None)
return true; return true;
if (sslPolicyErrors is not SslPolicyErrors.RemoteCertificateChainErrors || certificate is null)
return false;
var host = ReadRequestHost(request); var host = ReadRequestHost(request);
if (certificate is null)
{
LOGGER.Value.LogError($"Rejected external HTTPS certificate for '{HostForLog(host)}' because the TLS stack did not provide a server certificate. TLS policy errors: {sslPolicyErrors}.");
return false;
}
if (sslPolicyErrors is not SslPolicyErrors.RemoteCertificateChainErrors)
{
LOGGER.Value.LogError($"Rejected external HTTPS certificate for '{HostForLog(host)}' because custom root certificates can only resolve certificate chain trust errors. TLS policy errors: {sslPolicyErrors}.");
return false;
}
if (trustPolicy is ExternalHttpTrustPolicy.SYSTEM_TRUST_ONLY) if (trustPolicy is ExternalHttpTrustPolicy.SYSTEM_TRUST_ONLY)
{ {
LOGGER.Value.LogError($"Rejected external HTTPS certificate for '{HostForLog(host)}' because this request requires system trust only. Configured custom root certificates are not allowed for this request."); LOGGER.Value.LogError($"Rejected external HTTPS certificate for '{HostForLog(host)}' because this request requires system trust only. Configured custom root certificates are not allowed for this request.");
@ -384,6 +393,10 @@ public static class ExternalHttpClientTimeout
customChain.ChainPolicy.CustomTrustStore.AddRange(customRootCertificateCache.Certificates); customChain.ChainPolicy.CustomTrustStore.AddRange(customRootCertificateCache.Certificates);
customChain.ChainPolicy.ApplicationPolicy.Add(new Oid(TLS_SERVER_AUTHENTICATION_EKU_OID)); customChain.ChainPolicy.ApplicationPolicy.Add(new Oid(TLS_SERVER_AUTHENTICATION_EKU_OID));
// Match the .NET 9 HttpClient default used for the initial system-trust validation.
// Hostname, signature, validity, EKU, and root trust checks remain enabled.
customChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
if (originalChain is not null) if (originalChain is not null)
{ {
foreach (var element in originalChain.ChainElements) foreach (var element in originalChain.ChainElements)
@ -398,6 +411,8 @@ public static class ExternalHttpClientTimeout
var isValid = customChain.Build(serverCertificate); var isValid = customChain.Build(serverCertificate);
if (isValid) if (isValid)
LogCustomRootCertificateAccepted(request); LogCustomRootCertificateAccepted(request);
else
LogCustomRootCertificateValidationFailure(request, sslPolicyErrors, customChain);
return isValid; return isValid;
} }
@ -459,6 +474,27 @@ public static class ExternalHttpClientTimeout
LOGGER.Value.LogWarning($"Accepted an external HTTPS certificate for '{host}' using configured custom root certificates."); LOGGER.Value.LogWarning($"Accepted an external HTTPS certificate for '{host}' using configured custom root certificates.");
} }
private static void LogCustomRootCertificateValidationFailure(HttpRequestMessage request, SslPolicyErrors sslPolicyErrors, X509Chain chain)
{
var chainStatuses = FormatChainStatusesForLog(chain.ChainStatus);
var elementStatuses = chain.ChainElements
.Cast<X509ChainElement>()
.Select((element, index) => $"element {index}: {FormatChainStatusesForLog(element.ChainElementStatus)}")
.ToList();
var host = ReadRequestHost(request);
LOGGER.Value.LogError($"Rejected external HTTPS certificate for '{HostForLog(host)}' after validation with configured custom root certificates. TLS policy errors: {sslPolicyErrors}. Chain statuses: {chainStatuses}. Chain element statuses: {string.Join("; ", elementStatuses)}");
}
private static string FormatChainStatusesForLog(IEnumerable<X509ChainStatus> statuses)
{
var formattedStatuses = statuses
.Select(status => $"{status.Status} ({status.StatusInformation.Trim()})")
.ToList();
return formattedStatuses.Count == 0
? "none"
: string.Join(", ", formattedStatuses);
}
private static string ReadRequestHost(HttpRequestMessage request) private static string ReadRequestHost(HttpRequestMessage request)
{ {
var host = request.RequestUri?.IdnHost; var host = request.RequestUri?.IdnHost;

View File

@ -5,6 +5,7 @@
- Improved the "My Tasks Assistant": you can now provide one or more documents in addition to text or use documents alone when asking to identify tasks. - Improved the "My Tasks Assistant": you can now provide one or more documents in addition to text or use documents alone when asking to identify tasks.
- Improved update guidance for Flatpak installations and added an enterprise option that lets organizations manage updates entirely through their IT department. - Improved update guidance for Flatpak installations and added an enterprise option that lets organizations manage updates entirely through their IT department.
- Fixed an issue that could leave AI Studio unresponsive after waking the computer from sleep. Yes, we know this was an annoying bug, and we apologize for the inconvenience. - Fixed an issue that could leave AI Studio unresponsive after waking the computer from sleep. Yes, we know this was an annoying bug, and we apologize for the inconvenience.
- Fixed connections to internal HTTPS services and enterprise configuration servers that use organization-provided root certificates on Linux.
- Fixed enterprise configuration plugins from Windows-created ZIP files may not load correctly on Linux when the ZIP contained plugin files inside a folder. - Fixed enterprise configuration plugins from Windows-created ZIP files may not load correctly on Linux when the ZIP contained plugin files inside a folder.
- Fixed voice recording and transcription on Linux. - Fixed voice recording and transcription on Linux.
- Fixed being able to switch document analysis policies while an analysis or media transcription was still in progress. - Fixed being able to switch document analysis policies while an analysis or media transcription was still in progress.