`cert.Verify()` failing on Ubuntu 24.04 on dotnet 10

[hiddenshadow21]

Description

Hi,

We, RavenDB, are experiencing intermittent errors in our application when attempting to verify certificates. This issue emerged on Ubuntu 24.04 after upgrading our app to .NET 10.

System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'Microsoft.Win32.SafeHandles.SafeX509Handle'.
   at Interop.Crypto.X509StoreCtxInit(SafeX509StoreCtxHandle ctx, SafeX509StoreHandle store, SafeX509Handle x509, SafeX509StackHandle extraCerts)
   at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.InitiateChain(SafeX509Handle leafHandle, X509Certificate2Collection customTrustStore, X509ChainTrustMode trustMode, DateTime verificationTime, TimeSpan remainingDownloadTime)
   at System.Security.Cryptography.X509Certificates.ChainPal.BuildChainCore(Boolean useMachineContext, ICertificatePal cert, X509Certificate2Collection extraStore, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, X509Certificate2Collection customTrustStore, X509ChainTrustMode trustMode, DateTime verificationTime, TimeSpan timeout, Boolean disableAia)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.Verify()
   at Raven.Server.Utils.CertificateUtils.CreateSelfSignedTestCertificate(String commonNameValue, String issuerName, StringBuilder log, Boolean with2Eku) in /home/ubuntu/ravendb/src/Raven.Server/Utils/CertificateUtils.cs:line 209
   at Tryouts.Program.Main(String[] args) in /home/ubuntu/ravendb/test/Tryouts/Program.cs:line 38

Reproduction Steps

Clone our repo (branch v7.2) and run test/Tryouts project with following Program.cs:

using System;
using System.Diagnostics;
using System.IO;
using System.Threading.Tasks;
using FastTests;
using FastTests.Client;
using Raven.Server.Utils;
using SlowTests.Smuggler;
using Tests.Infrastructure;
using Xunit;

namespace Tryouts;

public static class Program
{
    static Program()
    {
        XunitLogging.RedirectStreams = false;
    }

    public static async Task Main(string[] args)
    {
        Console.WriteLine(Process.GetCurrentProcess().Id);

        for (int i = 0; i < 1000; i++)
            try
            {
                Console.WriteLine(i);
                
                CertificateUtils.CreateSelfSignedTestCertificate("test", "ca");
            }
            catch (Exception e)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine(e);
                Console.ForegroundColor = ConsoleColor.White;
            }
    }
}

Expected behavior

Certificate can be verified without errors.

Actual behavior

Certificate verification throws Cannot access a disposed object exception.

Regression?

Yes, we have no issues with other version of the app running the same code on dotnet 8.

Known Workarounds

No response

Configuration

AWS cloud instance - t2.xlarge
x64 Architecture

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
Codename:       noble

$ dotnet --info
.NET SDK:
 Version:           10.0.101
 Commit:            fad253f51b
 Workload version:  10.0.100-manifests.c57ac48b
 MSBuild version:   18.0.6+fad253f51

Runtime Environment:
 OS Name:     ubuntu
 OS Version:  24.04
 OS Platform: Linux
 RID:         linux-x64
 Base Path:   /home/ubuntu/.dotnet/sdk/10.0.101/

.NET workloads installed:
There are no installed workloads to display.
Configured to use workload sets when installing new manifests.
No workload sets are installed. Run "dotnet workload restore" to install a workload set.

Host:
  Version:      10.0.1
  Architecture: x64
  Commit:       fad253f51b

.NET SDKs installed:
  10.0.101 [/home/ubuntu/.dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 10.0.1 [/home/ubuntu/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 10.0.1 [/home/ubuntu/.dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
  None

Environment variables:
  Not set

global.json file:
  /home/ubuntu/ravendb/global.json

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download

local machine running on AMD Ryzen 9 3900X 12-Core Processor
16GB ram
Ubuntu 24.04
x64 architecture

$ dotnet --info
.NET SDK:
 Version:           10.0.101
 Commit:            fad253f51b
 Workload version:  10.0.100-manifests.c57ac48b
 MSBuild version:   18.0.6+fad253f51

Runtime Environment:
 OS Name:     ubuntu
 OS Version:  24.04
 OS Platform: Linux
 RID:         linux-x64
 Base Path:   /home/eagle-4/.dotnet/sdk/10.0.101/

.NET workloads installed:
There are no installed workloads to display.
Configured to use workload sets when installing new manifests.
No workload sets are installed. Run "dotnet workload restore" to install a workload set.

Host:
  Version:      10.0.1
  Architecture: x64
  Commit:       fad253f51b

.NET SDKs installed:
  8.0.408 [/home/eagle-4/.dotnet/sdk]
  8.0.409 [/home/eagle-4/.dotnet/sdk]
  8.0.411 [/home/eagle-4/.dotnet/sdk]
  8.0.412 [/home/eagle-4/.dotnet/sdk]
  8.0.413 [/home/eagle-4/.dotnet/sdk]
  8.0.414 [/home/eagle-4/.dotnet/sdk]
  8.0.415 [/home/eagle-4/.dotnet/sdk]
  8.0.416 [/home/eagle-4/.dotnet/sdk]
  9.0.203 [/home/eagle-4/.dotnet/sdk]
  9.0.300 [/home/eagle-4/.dotnet/sdk]
  9.0.301 [/home/eagle-4/.dotnet/sdk]
  9.0.302 [/home/eagle-4/.dotnet/sdk]
  9.0.304 [/home/eagle-4/.dotnet/sdk]
  9.0.305 [/home/eagle-4/.dotnet/sdk]
  10.0.100-rc.1.25451.107 [/home/eagle-4/.dotnet/sdk]
  10.0.100-rc.2.25502.107 [/home/eagle-4/.dotnet/sdk]
  10.0.100 [/home/eagle-4/.dotnet/sdk]
  10.0.101 [/home/eagle-4/.dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 8.0.15 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.16 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.17 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.18 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.19 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.20 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.21 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.22 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.4 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.5 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.6 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.7 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.8 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.9 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 10.0.0-rc.2.25502.107 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 10.0.0 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 10.0.1 [/home/eagle-4/.dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 8.0.15 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.16 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.17 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.18 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.19 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.20 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.21 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.22 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.4 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.5 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.6 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.7 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.8 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.9 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 10.0.0-rc.1.25451.107 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 10.0.0-rc.2.25502.107 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 10.0.0 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 10.0.1 [/home/eagle-4/.dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
  None

Environment variables:
  Not set

global.json file:
  /home/eagle-4/work/ravendb/global.json

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download

Openssl version is the same on both machines:

$ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

Other information

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[vcsjones]

How often does this reproduce for you? I let this run and all 1000 loops complete without an exception in both a debug and release configuration.

[hiddenshadow21]

About 3-5 times per 1000 loops. But i also had runs when it didn't reproduce on my local machine. On AWS cloud instance it was more visible. I've been running tryouts in release config.