Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Breaking change]: Removed default HTTPS binding on Kestrel #486

Open
1 of 3 tasks
Daniel-Genkin-MS-2 opened this issue Jun 7, 2022 · 0 comments
Open
1 of 3 tasks
Labels
7.0.0 Announcement Breaking change Documented The breaking change has been published to the .NET Core docs

Comments

@Daniel-Genkin-MS-2
Copy link

Description

The default HTTPS address and port have been removed from Kestrel in .NET 7 preview 6. This is step one in dotnet/aspnetcore#42016 which will improve overall developer experience when dealing with HTTPS.

PR that makes the change: dotnet/aspnetcore#42021

Version

.NET 7 preview 6

Version

Other (please put exact version in description textbox)

Previous behavior

Previously, if no values for the address and port were specified explicitly but a local development certificate was available, Kestrel would default to binding to both http://localhost:5000 and https://localhost:5001.

New behavior

Users must now manually bind to HTTPS and specify the address and port explicitly, either via the launchSettings.json file, the ASPNETCORE_URLS environment variable, --urls command line argument, urls host configuration key, or via the UseUrls extension method.

HTTP binding is unchanged.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

This current eager binding behavior occurs without regard to the configured environment and can lead to experience issues on developer machines when the certificate has not yet been trusted (i.e. trusted as root cert authority because it's self-signed). Clients often produce poor UX when hitting an HTTPS endpoint with an untrusted certificate, e.g. silent failure, scary error/warning screen, etc.

Recommended action

If you were not using the default https://localhost:5001 binding, no changes are required. However, if you were using this binding, please make sure to review this guide on how you can update your server to enable HTTPS.

Affected APIs

N/A

@aspnet aspnet locked as resolved and limited conversation to collaborators Jun 7, 2022
@gewarren gewarren added the Documented The breaking change has been published to the .NET Core docs label Jun 25, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
7.0.0 Announcement Breaking change Documented The breaking change has been published to the .NET Core docs
Projects
None yet
Development

No branches or pull requests

3 participants