
Enable SslStream server options per-hostname (in callback) #31097

Closed
avparuch opened this issue Oct 7, 2019 · 7 comments
Labels
area-System.Net.Security enhancement Product code improvement that does NOT require public API changes/additions
Comments

@avparuch

avparuch commented Oct 7, 2019

Hello,

Our service is a reverse proxy running on IIS (on top of HttpSys). We are moving to .NET core and while running on Kestrel, ran into a scenario blocker with client certificates.

In our current application, we use HttpSys APIs to configure client certificate negotiation per hostname and also to set up CTL stores.

The specific API we use is: https://docs.microsoft.com/en-us/windows/win32/http/add-sslcert

Examples of usage:

  1. netsh http add sslcert hostnameport=a.b.microsoftonline.com:443
    certhash=EC9CA6E0E645AAB24F8AD890DF75A448824D2C37 appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY
    verifyclientcertrevocation=disable

  2. netsh http add sslcert hostnameport=c.windows.net:443
    certhash=EB3C3B94F10E948463929BCF4C7000C1E7BD0AC1 appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY
    clientcertnegotiation=enable verifyclientcertrevocation=disable

  3. netsh http add sslcert hostnameport=device.a.b.microsoftonline.com:443
    certhash=963B55D3E94101B70F1654FBF90D6006BAFAD513 appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY
    clientcertnegotiation=enable verifyclientcertrevocation=disable sslctlstorename=DeviceLoginCTLStore

We want the ability to perform these operations in the Kestrel webserver. (The workaround of using the HttpSysServer does not work for us, I will not go into the reasons in this issue, I will create a separate one for that).

Kestrel already provides SNI support (ability to select server certificate on a per hostname basis). However, the problem is that the client certificate negotiation (and CTL store) support is application wide and not per hostname.

https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.server.kestrel.https.clientcertificatemode?view=aspnetcore-2.2#Microsoft_AspNetCore_Server_Kestrel_Https_ClientCertificateMode_NoCertificate.

To be specific:

  1. When a SNI binding is set up in Kestrel, provide the ability to enable/disable client certificate negotiation. (an equivalent to the "clientcertnegotiation" property in HttpSys.)
  2. When a SNI binding is set up in Kestrel, provide the ability to select the exact CTL store for this binding. (an equivalent to the "sslctlstorename" property in HttpSys)
  3. When a SNI binding is set up in Kestrel, provide the ability to turn on or off the verification of revocation of client certificates. (an equivalent to the "verifyclientcertrevocation" property in HttpSys.)

This is a major blocker for us to migrate to .NET core.
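What the three requested per-binding knobs look like on the ServerOptionsSelectionCallback overload that SslStream gained in .NET 5, as an added example that is not code from this thread, from Kestrel or from the linked PR; HostTlsPolicy, SniOptions, Policies and ChainsToStore are names assumed here, and the policy table is populated by the host, not shown:

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// Per-binding policy mirroring the three netsh properties above (names are assumptions).
sealed record HostTlsPolicy(
    X509Certificate2 ServerCert,               // certhash / certstorename
    bool NegotiateClientCert,                  // clientcertnegotiation
    bool VerifyClientRevocation,               // verifyclientcertrevocation
    X509Certificate2Collection? TrustedRoots); // sslctlstorename (per-binding trust store)
static class SniOptions
{
    // Keyed by SNI host name; filled in by the host at startup (assumed).
    public static readonly Dictionary<string, HostTlsPolicy> Policies = new(StringComparer.OrdinalIgnoreCase);
    // ServerOptionsSelectionCallback: SslStream calls it once per connection with the
    // parsed ClientHello and only then reads the client-certificate/revocation settings.
    public static ValueTask<SslServerAuthenticationOptions> SelectAsync(
        SslStream stream, SslClientHelloInfo hello, object? state, CancellationToken ct)
    {
        if (!Policies.TryGetValue(hello.ServerName, out var p))
            throw new AuthenticationException($"no TLS binding for SNI '{hello.ServerName}'");
        var revocation = p.VerifyClientRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
        return ValueTask.FromResult(new SslServerAuthenticationOptions
        {
            ServerCertificate = p.ServerCert,
            ClientCertificateRequired = p.NegotiateClientCert, // true => CertificateRequest is sent
            CertificateRevocationCheckMode = revocation,
            // clientcertnegotiation=enable requests a certificate without demanding one, so
            // absence is accepted; a presented one must chain to the binding's own roots.
            RemoteCertificateValidationCallback = (_, cert, _, errors) =>
                cert is null ? errors == SslPolicyErrors.RemoteCertificateNotAvailable
                : p.TrustedRoots is null ? errors == SslPolicyErrors.None
                : ChainsToStore(cert, p.TrustedRoots, revocation),
        });
    }
    // Equivalent of sslctlstorename: trust only this binding's roots, not the machine store.
    static bool ChainsToStore(X509Certificate cert, X509Certificate2Collection roots, X509RevocationMode mode)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(roots);
        chain.ChainPolicy.RevocationMode = mode;
        return chain.Build(new X509Certificate2(cert));
    }
}
```

Per connection the handshake is started with `stream.AuthenticateAsServerAsync(SniOptions.SelectAsync, state: null, ct)`, so none of the client-certificate settings are fixed before the SNI name is known.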

@davidsh
Contributor

davidsh commented Oct 7, 2019

@Tratcher This issue should be moved to the aspnetcore repo.

@davidfowl
Member

@davidsh Seems like this would require an SSLStream change?

@Tratcher
Member

Tratcher commented Oct 7, 2019

@davidsh they're asking to be able to reconfigure the SslServerAuthenticationOptions from inside the ServerCertificateSelectionCallback based on the given SNI host name.

I've heard a similar request asking to be able to enable/disable TLS versions based on the SNI data.

@davidsh
Contributor

davidsh commented Oct 8, 2019

@davidsh they're asking to be able to reconfigure the SslServerAuthenticationOptions from inside the ServerCertificateSelectionCallback based on the given SNI host name.
I've heard a similar request asking to be able to enable/disable TLS versions based on the SNI data.

Thanks for clarifying. Would this be an API change to SslServerAuthenticationOptions, or perhaps just a behavior change of some kind, triggered perhaps by a new opt-in SslStream-related property?

This needs some design work.

@Tratcher
Member

Tratcher commented Oct 8, 2019

We'd have to experiment. ServerCertificateSelectionCallback passes in the SslStream as an object; casting that isn't too hard. From there I anticipate adding an API to surface the SslServerAuthenticationOptions, as well as some behavioral changes to delay reading as many of the settings from the options as possible until after the callback, e.g. TLS version, client certs, etc.

@karelz karelz changed the title Kestrel support for Client negotiation on a per hostname basis. Enable SslStream server options per-hostname (in callback) Oct 9, 2019
@karelz
Member

karelz commented Oct 9, 2019

Triage: Sounds like a reasonable request. It may need a new API.

@wfurt
Member

wfurt commented Jul 15, 2020

should be fixed by #38760.

@wfurt wfurt closed this as completed Jul 15, 2020
@dotnet dotnet locked as resolved and limited conversation to collaborators Dec 12, 2020