Hello,
Our service is a reverse proxy running on IIS (on top of HttpSys). We are moving to .NET core and while running on Kestrel, ran into a scenario blocker with client certificates.
In our current application, we use HttpSys APIs to configure client certificate negotiation per hostname and also to set up CTL stores.
The specific API we use is: https://docs.microsoft.com/en-us/windows/win32/http/add-sslcert
Examples of usage:
netsh http add sslcert hostnameport=a.b.microsoftonline.com:443 certhash=EC9CA6E0E645AAB24F8AD890DF75A448824D2C37 appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY verifyclientcertrevocation=disable

netsh http add sslcert hostnameport=c.windows.net:443 certhash=EB3C3B94F10E948463929BCF4C7000C1E7BD0AC1 appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY clientcertnegotiation=enable verifyclientcertrevocation=disable

netsh http add sslcert hostnameport=device.a.b.microsoftonline.com:443 certhash=963B55D3E94101B70F1654FBF90D6006BAFAD513 appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY clientcertnegotiation=enable verifyclientcertrevocation=disable sslctlstorename=DeviceLoginCTLStore
We want the ability to perform these operations in the Kestrel webserver. (The workaround of using the HttpSysServer does not work for us, I will not go into the reasons in this issue, I will create a separate one for that).
Kestrel already provides SNI support (ability to select server certificate on a per hostname basis). However, the problem is that the client certificate negotiation (and CTL store) support is application wide and not per hostname.
To be specific:
This is a major blocker for us to migrate to .NET core.
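The per-hostname binding table the netsh commands above describe, expressed as an added Kestrel example (not code from the issue author or the ASP.NET Core project). It assumes a Kestrel version that offers TlsHandshakeCallbackOptions (.NET 6 or later), which lets the server choose certificate and client-certificate policy per SNI name; the thumbprints are placeholders, the hostnames are the ones from the issue, and the CTL-store restriction is left to the validation callback, where a chain-trust check would sit.

```csharp
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// Constructed mapping that mirrors the three netsh bindings: SNI host -> (server cert, negotiate client cert?).
// Thumbprints are placeholders for the values bound via certhash.
var bindings = new Dictionary<string, (string Thumbprint, bool NegotiateClientCert)>(StringComparer.OrdinalIgnoreCase)
{
    ["a.b.microsoftonline.com"]        = ("<THUMBPRINT_A>", false),
    ["c.windows.net"]                  = ("<THUMBPRINT_C>", true),
    ["device.a.b.microsoftonline.com"] = ("<THUMBPRINT_DEVICE>", true),
};

// Loads the server certificate from the LocalMachine\MY store (certstorename=MY in the netsh commands).
static X509Certificate2 LoadFromMyStore(string thumbprint)
{
    using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
    return found.Count > 0 ? found[0] : throw new InvalidOperationException($"No certificate {thumbprint} in MY");
}

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(443, listen =>
    {
        listen.UseHttps(new TlsHandshakeCallbackOptions
        {
            // Runs once per TLS handshake, after the ClientHello is parsed, so SNI is available.
            OnConnection = ctx =>
            {
                var host = ctx.ClientHelloInfo.ServerName ?? string.Empty;
                if (!bindings.TryGetValue(host, out var b))
                    throw new AuthenticationException($"No TLS binding for SNI host '{host}'");

                return new ValueTask<SslServerAuthenticationOptions>(new SslServerAuthenticationOptions
                {
                    ServerCertificate = LoadFromMyStore(b.Thumbprint),
                    // true = request a client certificate (clientcertnegotiation=enable); false = never ask.
                    ClientCertificateRequired = b.NegotiateClientCert,
                    // verifyclientcertrevocation=disable
                    CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
                    // Negotiation, not mandate: a client that sends no certificate is still accepted;
                    // one that does must chain cleanly. A CTL-style issuer allow-list would be checked here.
                    RemoteCertificateValidationCallback = (_, cert, _, errors) =>
                        cert is null || errors == SslPolicyErrors.None,
                });
            }
        });
    });
});

var app = builder.Build();
app.MapGet("/", (HttpContext http) => http.Connection.ClientCertificate?.Subject ?? "no client certificate");
app.Run();
```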