.Net Core SocketsHttpHandler with Client Certificates hangs on windows

[timmydo]

We're using certs from azure key vault. I'm not sure what it does to the certs, but it seems to cause the httpclient to hang and not send the request. I created a self signed cert below and uploaded/downloaded from AKV to repro.

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp2.1</TargetFramework>
  </PropertyGroup>

</Project>

using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

namespace SocketsHttpHandlerTest
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                DoIt().Wait();
            }
            catch (Exception e)
            {
                Console.WriteLine(e.ToString());
            }
            return;
        }

        private async static Task DoIt()
        {
            var cert = GetCert();
            var sslOptions = new SslClientAuthenticationOptions();
            var shHandler = new SocketsHttpHandler
            {
                MaxConnectionsPerServer = 100,
                AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate,
                PooledConnectionLifetime = TimeSpan.FromMinutes(1),
                ConnectTimeout = TimeSpan.FromSeconds(10),
                PooledConnectionIdleTimeout = TimeSpan.FromSeconds(10),
                ResponseDrainTimeout = TimeSpan.FromSeconds(10),
            };

            if (cert != null)
            {
                shHandler.SslOptions = new SslClientAuthenticationOptions()
                {
                    ClientCertificates = new X509CertificateCollection(),
                };

                shHandler.SslOptions.ClientCertificates.Add(cert);
                shHandler.SslOptions.LocalCertificateSelectionCallback = (object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers) => cert;
            }

            var client = new HttpClient(shHandler);
            client.Timeout = TimeSpan.FromSeconds(10);
            var request = new HttpRequestMessage(HttpMethod.Post, "https://login.live.com/pksecure/oauth20_clientcredentials.srf");
            request.Content = new StringContent("blah", System.Text.Encoding.UTF8, new MediaTypeHeaderValue("application/x-www-form-urlencoded").ToString());
            var response = await client.SendAsync(request);
            throw new Exception("code doesn't make it this far");
        }

        private static X509Certificate2 GetCert()
        {
            var fabrikam = "MIIKNgIBAzCCCfYGCSqGSIb3DQEHAaCCCecEggnjMIIJ3zCCBgAGCSqGSIb3DQEHAaCCBfEEggXtMIIF6TCCBeUGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjM+a2pAGllLwICB9AEggTYaSpqMmNTo3QDS/Rrq+RzUFJiIKOFMId/Q/SpkElK6nX5LshOJQPBwp3XppKDmXocleVp73jJl/Ov41qXeVfELPJVe+VHuL6866KdhzrXKYfuq8RuYh8f6cSC4VuytYTn76NGsvVQhVinJ4Gh0PwYhDUAqBJrZAFOYD1m+GCIUiobroM8miXgMu480wkLlwr9ecsZvQFmS+6I4/qFEAPV1dmCu2pgq+TXBbjTZZH3WLPXKeOVmCBvI+gE9rRSx2AYn/ufCsmLQ6xonVtqvE4IB/tutKltNL5MRtkqGdkcGCKUrLrleUS0OfNdU6O5sPuqOK53tFmGQupWI+r1gyU9JEGxW0cpwxCgCrwV1F9JC9aBCyyCZgaUHd/9Sz06M7+5ARjvIcFSmxQQ7nUzxJotUmUtquh3muHfRaNBZI3iwyPwzUAiFz2IpMUsR0IJmmCmO6uF4rKUTB9/+jAyiF+35SfgwnYFKilTNI7YFJ0Ky16NBeGnXJ5jqsiprIVHk+ufQkVLzC6CS1wUyRA355Tnfy13lRZuSN7uZ/94kOqLTkC7F4wIFJ1Q6j5IFb9Tk8+AZi5wyn/gj/lRhEhVTgn2YK1BLGTRs851fxSvvgfFPcbw1NNirx2Gphs+HZzE1jSEzH0TymxdBhgMdYSmiuI/AF9EgMWW7r5g1NP9PFGmbT9Nj9IgLI3X1WoOCRZYyeZb1GGC0pwt7loXxcBa6RZkYoPvBcdYY7Kyh1yVauQhb3EyHh1YMU/ESLW6hgKtU+dr2XqLzydsg/Sw6yTLDMgMtHjwbs8Ia9t644+UzK9YsgEaOLZ0usO3zOns2Mgyht33BWeODZTzWDsrJadAunzqSlMTyAIUeCsdI8F+LEK1PGOdUallSDvIJK85l0BSInvo/ZEkz2Doa7Nb+urcbQ4Wy+mqb6cAhr2LBqkrbfFv5jZ9ILDh4lPXOUWYcF8LQTBnxyxy4u0C66TUv9pWINtwW259QgPcSAVNzagZzM9GOA098jWWUhIMIAS46OxaxNQC2fzra+dgrk6/91/RuxKvNcqF6XExsuDxnDcDBGUENnpVtwZU1zuNaAUXC9hUOryPeSpyOKVQP3Y8cc3LRuQeQr3i5wHqF/yhS2s+O611FzJ5pokfZZvdSNGs51EwpO77xjJEn/uQ92MNqhTVz0pRs491Za3GzUfMPQsRNcNITgpSVaFbiptnXQdtV9BDXUxuKkjAFjdbeGmeXL2nqiZi6bIsnC/TAcNjmIKKVgB2/5WLiEUGTo9BBEyvxKHIGSyiki0okF+fh9H09olc9tkIh3LO8SeNvTcXE5/rubLqMR/m2u60+anH/lslLQVk6mpOmqwPYeg9CWx33ZjVo0cfcPzyCB/00X2EHExg/UT4BMuaMstG9UiWjswFkBX4WAOV2HHSYokDnouaiKesr4H6NAReqGre3Ux3mTJDHj7GWjTZviGGZZMRjeWt9T3zN/peZfMNWmu7mKRujIEtsoqEuSQYPrALu5wHW/Z+1A8owQ5gIWIhwoON8dTx8mvDArzIf4yYKIcmex4MoBRDLRQ579+SqXfEOkn8bB24NmodmPUBwi0OvmK8LINzFCWekYEigQkmJI76uGs4p9joS2tso6oi7eyWbZh1E46TtI11CDB7Xz2DzN666zGB0zATBgkqhkiG9w0BCRUxBgQEAQAAADBdBgkqhkiG9w0BCRQxUB5OAHQAZQAtADYAOQBlAGYANgA0ADcANQAtAGUAOABlADkALQA0ADEAMwBjAC0AOAA0ADUANgAtADQAMwAxAGUAMABjADMAZABiADQANwBhMF0GCSsGAQQBgjcRATFQHk4ATQBpAGMAcgBvAHMAbwBmAHQAIABTAG8AZgB0AHcAYQByAGUAIABLAGUAeQAgAFMAdABvAHIAYQBnAGUAIABQAHIAbwB2AGkAZABlAHIwggPXBgkqhkiG9w0BBwagggPIMIIDxAIBADCCA70GCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEGMA4ECBczS2R1fsdKAgIH0ICCA5CMLm2Fo4dxB6GDBi0rIsPzbKvuVa2ICAhNE+W3IzGMtFwwmKG9NY8eChj8auyYfhAGHdq2BcsZ7SANDduD6tibG3u+9yjbTmoj2Dbj3Ci+gnKkibvBiUYZrTiFrJIOxxdi2zRyneDk9lijd2LONgwtH8w/6iXUhV6UgcF37eRjPnPptZsMnzhVXh//j7oS37sOC/iDQPLf7XiuKpqpu7Binj6EaqqzDLthDCiwuGmAb1ogMs39KrZgfQLmIC0fATnOnZ5zaAU86+hJVnmfRDuRC0cXV8Yu/JXQmXnnYCOS3Apyjd9yZ1lOEeuJ4GPrbJM8/S8CqDRKd/BxnoDFSLH0tQX+UytcJ4HYvf18DG07vcwe3PBCuLuaFYNNWSweQ1WAHatAg+t33YHA3I8QVLuzFm172Uhe/AHd9aV+br3QNmKcaHYZb2EN2/IC0880usLh0OKrXMukskonl9BmI0PFT427RbK3VG/hKLVzTd7PJeUfm70FPJza8eM7AvRiwvH31NlR9CViGkQ+o9Ij/8ko7MR8+MtI3y/4HHleg1ayYsWOof6zxRzx8bd8ceYX4S+Kb7RYH8IMxcgEkd2jl8OPOQSKB4zTod7kDVxQe4/BsKGQofWiib05dQ6kCaMRyHQrfrh6QCcYTf0aWSXC+UBEqDpnoPNgJtA/Mt7asWcgfGKud+DNBO702yyw2Pm17dZAWuwuQonCwp6dJipGeXqrAqaBRzsTBJOVnDVsVMM8TzFyw/3aitBUq+3eO1BmbcsaWw4XE/jOKboJznaWj1tE4opVFu05PfGcDiKCTn3yCGjO9b3dcyHSHKM/zsx3ADxYMdHWvEJT3sktWF5x+kRpL5HX9d2pfg/gNWZg+4FCOomif+6If+NBRdMFbjZ7ozk/mZQJRx/Zzs0LNM2wp2GLxtjZTOIpa7a1fZfbT4/Cw68WXpTEZ74SbA6ok7xkA8Qs4/baxBwRZZHB011mgbJxH0QV0wFvuq3AU+8dsCOETtSt0sBeYmhRfZo5WP1tpG0IsP3qXG7mFyrh0DY6A7NwvTPAyBrD8oheABEBdAlKYZ2Qci5hovf7Hsr3XXe5++GthiR8e4ofd0MygFclM2sBsF2g7fcxl/I/oO2dwGcziCoEE5T8fBVC84RoqMweSzh/JtxmOiLuR92GmGxmwvhBcXu1HLXmSjzGCTceptWhg2vhZzCF/e3MWZtwlBlIQjcwNzAfMAcGBSsOAwIaBBTjakFm0psnqQsS91uTgNrTKkNMnQQUHKyz3QAfN6WpVoSb0ETEkAR9Vh4=";
            var certBytes = Convert.FromBase64String(fabrikam);
            return new X509Certificate2(certBytes, string.Empty, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.EphemeralKeySet);
        }
    }
}

[davidsh]

@bartonjs I think we've seen problems before with using certificates from Azure key vault.

Also, this code will produce an X509Certificate2 object that is missing the private key. I assume the Base64 here doesn't really have the private key. So, HttpClient won't be able to use it.

private static X509Certificate2 GetCert()
{
    var fabrikam = "MIIKNgIBAzCCCfY…";
    var certBytes = Convert.FromBase64String(fabrikam);
    return new X509Certificate2(certBytes, string.Empty, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.EphemeralKeySet);
}

[bartonjs]

@davidsh I ran that snippet of code (using the real base64 value) and cert.HasPrivateKey is true. cert.GetRSAPrivateKey() returned a valid object with a KeySize value of 2048.

[davidsh]

and cert.HasPrivateKey is true.

Ok. Thanks. I didn't expect a repro to have a real private key with it. I'm assuming it is a test certificate of some kind.

As far as why it doesn't work, I think this has something to do with X509KeyStorageFlags.EphemeralKeySet. That doesn't work right now in .NET Framework or .NET Core in terms of being able to use it for client certificates in HttpClient. I think there is some SCHANNEL limitation with that.

@timmydo Can you use X509KeyStorageFlags.DefaultKeySet instead?

[bartonjs]

SslStream + EphemeralKeySet is #23749.

[timmydo]

Replacing the line with:

return new X509Certificate(certBytes, string.Empty, X509KeyStorageFlags.DefaultKeySet);

fixes it. Would be nice if the original didn't lock up though... Thanks for the help!

[davidsh]

Based on this discussion, this issue can be closed as a duplicate of #23749.

[stephentoub]

@davidsh, that other issue appeared to manifest as exceptions. This one is manifesting as a hang, where the SendAsync doesn't complete, even after cancellation is requested and the connection is disposed. Do we understand why? Seems like there may be a secondary issue here.

[davidsh]

It's hanging due to a different bug (not fully root caused) in SocketsHttpHandler.

Looking briefly in Visual Studio, I see an exception happening during TLS/SSL setup probably due to the use of the EmpheralKeySet:

'System.ComponentModel.Win32Exception' in System.Net.Security.dll ("No credentials are available in the security package") | System.ComponentModel.Win32Exception

Callstack:

System.Net.Security.dll!System.Net.SSPIWrapper.AcquireCredentialsHandle(System.Net.SSPIInterface secModule = {unknown}, string package = {unknown}, CredentialUse intent = {unknown}, SCHANNEL_CRED scc = {unknown})	C#
 	System.Net.Security.dll!<>c__DisplayClass23_0.AnonymousMethod()	C#
 	System.Security.Principal.Windows.dll!<>c__DisplayClass58_0`1.AnonymousMethod()	C#
 	System.Security.Principal.Windows.dll!<>c__DisplayClass62_0.AnonymousMethod(System.Object <p0> = {unknown})	C#
 	System.Private.CoreLib.dll!System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext executionContext = {unknown}, System.Threading.ContextCallback callback = {unknown}, System.Object state = {unknown})	C#
 	System.Security.Principal.Windows.dll!System.Security.Principal.WindowsIdentity.RunImpersonatedInternal(Microsoft.Win32.SafeHandles.SafeAccessTokenHandle token = {unknown}, System.Action action = {unknown})	C#
 	System.Security.Principal.Windows.dll!System.Security.Principal.WindowsIdentity.RunImpersonated(Microsoft.Win32.SafeHandles.SafeAccessTokenHandle safeAccessTokenHandle = {unknown}, System.Func func = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage = {unknown}, SCHANNEL_CRED secureCredential = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslStreamPal.AcquireCredentialsHandle(System.Security.Cryptography.X509Certificates.X509Certificate certificate = {unknown}, System.Security.Authentication.SslProtocols protocols = {unknown}, System.Net.Security.EncryptionPolicy policy = {unknown}, bool isServer = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SecureChannel.AcquireClientCredentials(ref byte[] thumbPrint = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SecureChannel.GenerateToken(byte[] input = {unknown}, int offset = {unknown}, int count = {unknown}, ref byte[] output = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SecureChannel.NextMessage(byte[] incoming = {unknown}, int offset = {unknown}, int count = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslState.StartSendBlob(byte[] incoming = {unknown}, int count = {unknown}, System.Net.AsyncProtocolRequest asyncRequest = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslState.ProcessReceivedBlob(byte[] buffer = {unknown}, int count = {unknown}, System.Net.AsyncProtocolRequest asyncRequest = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslState.StartReadFrame(byte[] buffer = {unknown}, int readBytes = {unknown}, System.Net.AsyncProtocolRequest asyncRequest = {unknown})	C#
 	System.Net.Security.dll!System.Net.Security.SslState.PartialFrameCallback(System.Net.AsyncProtocolRequest asyncRequest = {unknown})	C#
 	System.Net.Security.dll!System.Net.AsyncProtocolRequest.CompleteRequest(int result = {unknown})	C#
 	System.Net.Security.dll!<ReadPacketAsync>d__1.MoveNext()	C#
 	System.Private.CoreLib.dll!System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext executionContext = {unknown}, System.Threading.ContextCallback callback = {unknown}, System.Object state = {unknown})	C#
 	System.Private.CoreLib.dll!AsyncStateMachineBox`1.MoveNext()	C#
 	System.Net.Sockets.dll!AwaitableSocketAsyncEventArgs.InvokeContinuation(System.Action<System.Object> continuation = {unknown}, System.Object state = {unknown}, bool forceAsync = {unknown})	C#
 	System.Net.Sockets.dll!AwaitableSocketAsyncEventArgs.OnCompleted(System.Net.Sockets.SocketAsyncEventArgs _ = {unknown})	C#
 	System.Net.Sockets.dll!System.Net.Sockets.SocketAsyncEventArgs.FinishOperationAsyncSuccess(int bytesTransferred = {unknown}, System.Net.Sockets.SocketFlags flags = {unknown})	C#
 	System.Net.Sockets.dll!<>c.AnonymousMethod(uint errorCode = {unknown}, uint numBytes = {unknown}, System.Threading.NativeOverlapped* nativeOverlapped = {unknown})	C#

Most likely this exception is being eaten and this is why the task is hanging (doesn't terminate with error).

[davidsh]

It's hanging due to a different bug (not fully root caused) in SocketsHttpHandler.

This looks like a bug in SslStream as well. The exception I show above is caused during a Re-negotiate of the TLS connection. Basically, the initial TLS connection works because client certificates are not requested right away. Then SocketsHttpHandler thinks the TLS connection is good and starts preparing to write request headers, etc.

Afterwards the server decides to do the TLS re-negotiate and ask for client certificates. This is a common pattern that usually happens after the client makes an initial HTTP request specifying the exact path of the resource. It is at this point that the TLS stream breaks because the client certificate can't be read/sent to the server (due to the EmpheralKeySet). The first exception thrown "No credentials are available in the security package" is lost in SslStream and then the SslStream gets disposed. But all of this seems invisible to SocketsHttpHandler which isn't kept aware of the state of the connection.

The first problem that needs to be solved is to properly expose the initial exception generated by the re-negotiate of the SslStream. Then the rest of the error handling needs to be fixed as well to propagate this info to the SocketsHttpHandler (and other callers).

[davidsh]

I am able to reproduce this hang with .NET Core 2.2.

However, in .NET Core 3.0 current master (and Preview4), the hang does not occur. I get an exception:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.IO.IOException: The read operation failed, see inner exception. ---> System.ComponentModel.Win32Exception: No credentials are available in the security package

Stacktrace

>System.AggregateException: One or more errors occurred. (An error occurred while sending the request.) ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.IO.IOException: The read operation failed, see inner exception. ---> System.ComponentModel.Win32Exception: No credentials are available in the security package at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc) at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential) at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer) at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint) at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output) at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count) at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- End of stack trace from previous location where exception was thrown --- at System.Net.Security.SslStream.ThrowIfExceptional() at System.Net.Security.SslStream.CheckThrow(Boolean authSuccessCheck, Boolean shutdownCheck) at System.Net.Security.SslStream.CheckOldKeyDecryptedData(Memory`1 buffer) at System.Net.Security.SslStream.HandleQueuedCallback(Object& queuedStateRequest) --- End of stack trace from previous location where exception was thrown --- at System.Net.Security.SslStream.ReadAsyncInternal[TReadAdapter](TReadAdapter adapter, Memory`1 buffer) --- End of inner exception stack trace --- at System.Net.Security.SslStream.ReadAsyncInternal[TReadAdapter](TReadAdapter adapter, Memory`1 buffer) at System.Net.Http.HttpConnection.FillAsync() at System.Net.Http.HttpConnection.ReadNextResponseHeaderLineAsync(Boolean foldedHeadersAllowed) at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken) --- End of inner exception stack trace --- at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection connection, HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken) at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts) at ssltest.Program.DoIt() in s:\dotnet\ssltest\Program.cs:line 42 --- End of inner exception stack trace --- at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken) at System.Threading.Tasks.Task.Wait() at ssltest.Program.Main(String[] args) in s:\dotnet\ssltest\Program.cs:line 18 ---> (Inner Exception #0) System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.IO.IOException: The read operation failed, see inner exception. ---> System.ComponentModel.Win32Exception: No credentials are available in the security package at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc) at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential) at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer) at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint) at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output) at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count) at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- End of stack trace from previous location where exception was thrown --- at System.Net.Security.SslStream.ThrowIfExceptional() at System.Net.Security.SslStream.CheckThrow(Boolean authSuccessCheck, Boolean shutdownCheck) at System.Net.Security.SslStream.CheckOldKeyDecryptedData(Memory`1 buffer) at System.Net.Security.SslStream.HandleQueuedCallback(Object& queuedStateRequest) --- End of stack trace from previous location where exception was thrown --- at System.Net.Security.SslStream.ReadAsyncInternal[TReadAdapter](TReadAdapter adapter, Memory`1 buffer) --- End of inner exception stack trace --- at System.Net.Security.SslStream.ReadAsyncInternal[TReadAdapter](TReadAdapter adapter, Memory`1 buffer) at System.Net.Http.HttpConnection.FillAsync() at System.Net.Http.HttpConnection.ReadNextResponseHeaderLineAsync(Boolean foldedHeadersAllowed) at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken) --- End of inner exception stack trace --- at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection connection, HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken) at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken) at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts) at ssltest.Program.DoIt() in s:\dotnet\ssltest\Program.cs:line 42<---

due to #23749. I think the refactoring work for SslStream with PR dotnet/corefx#35109 fixed the hang as a side-affect.