[Android] SSLStream throws 'Handshake has already been started' on API level 26

[steveisok]

The following block will throw an exception with Handshake has already been started on API level 26. Appears to be specific to our SSLEngine usage.

using var client = new TcpClient("login.sequrix.com", 443);
            using var stream = new SslStream(client.GetStream(), false);
            stream.AuthenticateAsClient(new SslClientAuthenticationOptions()
            {
                TargetHost = "login.sequrix.com"
            });
            stream.Read(new byte[100], 0, 100);

Exception:

Time	Device Name	Type	PID	Tag	Message
11-22 16:06:53.606	pixel_5_-_api_26	Warning	8609	System.err	java.lang.IllegalStateException: Handshake has already been started
	at com.android.org.conscrypt.OpenSSLEngineImpl.beginHandshakeInternal(OpenSSLEngineImpl.java:335)
	at com.android.org.conscrypt.OpenSSLEngineImpl.beginHandshake(OpenSSLEngineImpl.java:325)
11-22 16:06:53.607	pixel_5_-_api_26	Verbose	8609	SequriX	Push error: System.Security.Authentication.AuthenticationException: net_auth_SSPI
 ---> Interop+AndroidCrypto+SslException: Exception_WasThrown, Interop+AndroidCrypto+SslException
   Exception_EndOfInnerExceptionStack
   at System.Net.Security.SslStream.<ForceAuthenticationAsync>d__175`1[[System.Net.Security.AsyncReadWriteAdapter, System.Net.Security, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a]].MoveNext()
   at SuperSocket.ClientEngine.SslStreamTcpSession.AuthenticateAsClientAsync(SslStream sslStream, SecurityOption securityOption)

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

The following block will throw an exception with Handshake has already been started on API level 26. Appears to be specific to our SSLEngine usage.

using var client = new TcpClient("login.sequrix.com", 443);
            using var stream = new SslStream(client.GetStream(), false);
            stream.AuthenticateAsClient(new SslClientAuthenticationOptions()
            {
                TargetHost = "login.sequrix.com"
            });
            stream.Read(new byte[100], 0, 100);

Exception:

Time	Device Name	Type	PID	Tag	Message
11-22 16:06:53.606	pixel_5_-_api_26	Warning	8609	System.err	java.lang.IllegalStateException: Handshake has already been started
	at com.android.org.conscrypt.OpenSSLEngineImpl.beginHandshakeInternal(OpenSSLEngineImpl.java:335)
	at com.android.org.conscrypt.OpenSSLEngineImpl.beginHandshake(OpenSSLEngineImpl.java:325)
11-22 16:06:53.607	pixel_5_-_api_26	Verbose	8609	SequriX	Push error: System.Security.Authentication.AuthenticationException: net_auth_SSPI
 ---> Interop+AndroidCrypto+SslException: Exception_WasThrown, Interop+AndroidCrypto+SslException
   Exception_EndOfInnerExceptionStack
   at System.Net.Security.SslStream.<ForceAuthenticationAsync>d__175`1[[System.Net.Security.AsyncReadWriteAdapter, System.Net.Security, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a]].MoveNext()
   at SuperSocket.ClientEngine.SslStreamTcpSession.AuthenticateAsClientAsync(SslStream sslStream, SecurityOption securityOption)

Author:	steveisok
Assignees:	-
Labels:	area-System.Net.Security, untriaged
Milestone:	-

Tagging subscribers to 'arch-android': @steveisok, @akoeplinger
See info in area-owners.md if you want to be subscribed.

Issue Details

---

The following block will throw an exception with Handshake has already been started on API level 26. Appears to be specific to our SSLEngine usage.

using var client = new TcpClient("login.sequrix.com", 443);
            using var stream = new SslStream(client.GetStream(), false);
            stream.AuthenticateAsClient(new SslClientAuthenticationOptions()
            {
                TargetHost = "login.sequrix.com"
            });
            stream.Read(new byte[100], 0, 100);

Exception:

Time	Device Name	Type	PID	Tag	Message
11-22 16:06:53.606	pixel_5_-_api_26	Warning	8609	System.err	java.lang.IllegalStateException: Handshake has already been started
	at com.android.org.conscrypt.OpenSSLEngineImpl.beginHandshakeInternal(OpenSSLEngineImpl.java:335)
	at com.android.org.conscrypt.OpenSSLEngineImpl.beginHandshake(OpenSSLEngineImpl.java:325)
11-22 16:06:53.607	pixel_5_-_api_26	Verbose	8609	SequriX	Push error: System.Security.Authentication.AuthenticationException: net_auth_SSPI
 ---> Interop+AndroidCrypto+SslException: Exception_WasThrown, Interop+AndroidCrypto+SslException
   Exception_EndOfInnerExceptionStack
   at System.Net.Security.SslStream.<ForceAuthenticationAsync>d__175`1[[System.Net.Security.AsyncReadWriteAdapter, System.Net.Security, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a]].MoveNext()
   at SuperSocket.ClientEngine.SslStreamTcpSession.AuthenticateAsClientAsync(SslStream sslStream, SecurityOption securityOption)

Author:	steveisok
Assignees:	-
Labels:	area-System.Net.Security, os-android
Milestone:	-

[rgroenewoudt]

This also effects SocketsHttpHandler and ClientWebSocket usage with HTTPS.

For example:

var client = new HttpClient(new SocketsHttpHandler());
await client.GetStringAsync("https://google.com");

[simonrozsival]

This is likely related to dotnet/SqlClient#1656

[simonrozsival]

I reproduced the issue locally and it should be possible to fix it. I should have a fix ready soon.