Support SNI config in EndpointDefaults

Author: halter73

src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs

@@ -8,7 +8,6 @@
 using System.Threading;
 using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
-using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Https
 {

src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs

@@ -23,6 +23,8 @@ public CertificateConfigLoader(IHostEnvironment hostEnvironment, ILogger<Kestrel
         public IHostEnvironment HostEnvironment { get; }
         public ILogger<KestrelServer> Logger { get; }
 
+        public bool SkipValidation => false;
+
         public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
         {
             if (certInfo is null)

src/Servers/Kestrel/Core/src/Internal/Certificates/ICertificateConfigLoader.cs

@@ -7,6 +7,9 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates
 {
     internal interface ICertificateConfigLoader
     {
+        // SkipValidation is only true in tests.
+        bool SkipValidation { get; }
+
         X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName);
     }
 }

src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs

@@ -16,12 +16,13 @@ internal class ConfigurationReader
         private const string CertificatesKey = "Certificates";
         private const string CertificateKey = "Certificate";
         private const string SslProtocolsKey = "SslProtocols";
-        private const string EndpointDefaultsKey = "EndpointDefaults";
         private const string EndpointsKey = "Endpoints";
         private const string UrlKey = "Url";
         private const string ClientCertificateModeKey = "ClientCertificateMode";
         private const string SniKey = "Sni";
 
+        internal const string EndpointDefaultsKey = "EndpointDefaults";
+
         private readonly IConfiguration _configuration;
 
         private IDictionary<string, CertificateConfig> _certificates;
@@ -51,9 +52,20 @@ private IDictionary<string, CertificateConfig> ReadCertificates()
         }
 
         // "EndpointDefaults": {
-        //    "Protocols": "Http1AndHttp2",
-        //    "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
-        //    "ClientCertificateMode" : "NoCertificate"
+        //     "Protocols": "Http1AndHttp2",
+        //     "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
+        //     "ClientCertificateMode" : "NoCertificate",
+        //     "Sni": {
+        //         "a.example.org": {
+        //             "Certificate": {
+        //                 "Path": "testCertA.pfx",
+        //                 "Password": "testPassword"
+        //             }
+        //         },
+        //         "*.example.org": {
+        //             "Protocols": "Http1",
+        //         }
+        //     }
         // }
         private EndpointDefaults ReadEndpointDefaults()
         {
@@ -62,7 +74,8 @@ private EndpointDefaults ReadEndpointDefaults()
             {
                 Protocols = ParseProtocols(configSection[ProtocolsKey]),
                 SslProtocols = ParseSslProcotols(configSection.GetSection(SslProtocolsKey)),
-                ClientCertificateMode = ParseClientCertificateMode(configSection[ClientCertificateModeKey])
+                ClientCertificateMode = ParseClientCertificateMode(configSection[ClientCertificateModeKey]),
+                Sni = ReadSni(configSection.GetSection(SniKey), EndpointDefaultsKey)
             };
         }
 
@@ -74,14 +87,25 @@ private IEnumerable<EndpointConfig> ReadEndpoints()
             foreach (var endpointConfig in endpointsConfig)
             {
                 // "EndpointName": {
-                //    "Url": "https://*:5463",
-                //    "Protocols": "Http1AndHttp2",
-                //    "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
-                //    "Certificate": {
-                //        "Path": "testCert.pfx",
-                //        "Password": "testPassword"
-                //    },
-                //    "ClientCertificateMode" : "NoCertificate"
+                //     "Url": "https://*:5463",
+                //     "Protocols": "Http1AndHttp2",
+                //     "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
+                //     "Certificate": {
+                //         "Path": "testCert.pfx",
+                //         "Password": "testPassword"
+                //     },
+                //     "ClientCertificateMode" : "NoCertificate",
+                //     "Sni": {
+                //         "a.example.org": {
+                //             "Certificate": {
+                //                 "Path": "testCertA.pfx",
+                //                 "Password": "testPassword"
+                //             }
+                //         },
+                //         "*.example.org": {
+                //             "Protocols": "Http1",
+                //         }
+                //     }
                 // }
 
                 var url = endpointConfig[UrlKey];
@@ -116,20 +140,22 @@ private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig, s
             {
                 // "Sni": {
                 //     "a.example.org": {
-                //         "Protocols": "Http1AndHttp2",
+                //         "Protocols": "Http1",
                 //         "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
                 //         "Certificate": {
-                //             "Path": "testCert.pfx",
+                //             "Path": "testCertA.pfx",
                 //             "Password": "testPassword"
                 //         },
                 //         "ClientCertificateMode" : "NoCertificate"
                 //     },
                 //     "*.example.org": {
                 //         "Certificate": {
-                //             "Path": "testCert2.pfx",
+                //             "Path": "testCertWildcard.pfx",
                 //             "Password": "testPassword"
                 //         }
                 //     }
+                //     // The following should work once https://github.com/dotnet/runtime/issues/40218 is resolved
+                //     "*": {}
                 // }
 
                 if (string.IsNullOrEmpty(sniChild.Key))
@@ -139,8 +165,8 @@ private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig, s
 
                 var sni = new SniConfig
                 {
-                    Protocols = ParseProtocols(sniChild[ProtocolsKey]),
                     Certificate = new CertificateConfig(sniChild.GetSection(CertificateKey)),
+                    Protocols = ParseProtocols(sniChild[ProtocolsKey]),
                     SslProtocols = ParseSslProcotols(sniChild.GetSection(SslProtocolsKey)),
                     ClientCertificateMode = ParseClientCertificateMode(sniChild[ClientCertificateModeKey])
                 };
@@ -189,44 +215,37 @@ private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig, s
     }
 
     // "EndpointDefaults": {
-    //    "Protocols": "Http1AndHttp2",
-    //    "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
-    //    "ClientCertificateMode" : "NoCertificate"
+    //     "Protocols": "Http1AndHttp2",
+    //     "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
+    //     "ClientCertificateMode" : "NoCertificate"
     // }
     internal class EndpointDefaults
     {
         public HttpProtocols? Protocols { get; set; }
         public SslProtocols? SslProtocols { get; set; }
         public ClientCertificateMode? ClientCertificateMode { get; set; }
+        public Dictionary<string, SniConfig> Sni { get; set; }
     }
 
     // "EndpointName": {
-    //    "Url": "https://*:5463",
-    //    "Protocols": "Http1AndHttp2",
-    //    "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
-    //    "Certificate": {
-    //        "Path": "testCert.pfx",
-    //        "Password": "testPassword"
-    //    },
-    //    "ClientCertificateMode" : "NoCertificate"
+    //     "Url": "https://*:5463",
+    //     "Protocols": "Http1AndHttp2",
+    //     "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
+    //     "Certificate": {
+    //         "Path": "testCert.pfx",
+    //         "Password": "testPassword"
+    //     },
+    //     "ClientCertificateMode" : "NoCertificate",
     //     "Sni": {
     //         "a.example.org": {
-    //             "Protocols": "Http1AndHttp2",
-    //             "SslProtocols": [ "Tls11", "Tls12", "Tls13"],
-    //             "Certificate": {
-    //                 "Path": "testCert.pfx",
-    //                 "Password": "testPassword"
-    //             },
-    //             "ClientCertificateMode" : "NoCertificate"
-    //         },
-    //         "*.example.org": {
     //             "Certificate": {
-    //                 "Path": "testCert2.pfx",
-    //                 "Password": "testPassword"
+    //                 "Path": "testCertA.pfx",
+    //                 "Password": "testPasswordA"
     //             }
     //         },
-    //         // The following should work once https://github.com/dotnet/runtime/issues/40218 is resolved
-    //         "*": {}
+    //         "*.example.org": {
+    //             "Protocols": "Http1",
+    //         }
     //     }
     // }
     internal class EndpointConfig
@@ -304,8 +323,8 @@ internal class SniConfig
         public override bool Equals(object obj) =>
             obj is SniConfig other &&
             (Protocols ?? ListenOptions.DefaultHttpProtocols) == (other.Protocols ?? ListenOptions.DefaultHttpProtocols) &&
-            Certificate == other.Certificate &&
             (SslProtocols ?? System.Security.Authentication.SslProtocols.None) == (other.SslProtocols ?? System.Security.Authentication.SslProtocols.None) &&
+            Certificate == other.Certificate &&
             (ClientCertificateMode ?? Https.ClientCertificateMode.NoCertificate) == (other.ClientCertificateMode ?? Https.ClientCertificateMode.NoCertificate);
 
         public override int GetHashCode() => HashCode.Combine(
@@ -317,8 +336,8 @@ public override int GetHashCode() => HashCode.Combine(
     }
 
     // "CertificateName": {
-    //      "Path": "testCert.pfx",
-    //      "Password": "testPassword"
+    //     "Path": "testCert.pfx",
+    //     "Password": "testPassword"
     // }
     internal class CertificateConfig
     {

src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs

@@ -8,6 +8,8 @@
 using System.Net.Security;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
@@ -28,51 +30,58 @@ internal class SniOptionsSelector
 
         private readonly Dictionary<string, SniOptions> _exactNameOptions = new Dictionary<string, SniOptions>(StringComparer.OrdinalIgnoreCase);
         private readonly SortedList<string, SniOptions> _wildcardPrefixOptions = new SortedList<string, SniOptions>(LongestStringFirstComparer.Instance);
-        private readonly SniOptions _wildcardOptions = null;
+        private readonly SniOptions _wildcardOptions;
 
         public SniOptionsSelector(
+            string endpointName,
+            Dictionary<string, SniConfig> sniDictionary,
             ICertificateConfigLoader certifcateConfigLoader,
-            EndpointConfig endpointConfig,
-            HttpsConnectionAdapterOptions fallbackOptions,
+            HttpsConnectionAdapterOptions fallbackHttpsOptions,
             HttpProtocols fallbackHttpProtocols,
             ILogger<HttpsConnectionMiddleware> logger)
         {
-            _endpointName = endpointConfig.Name;
+            _endpointName = endpointName;
 
-            _fallbackServerCertificateSelector = fallbackOptions.ServerCertificateSelector;
-            _onAuthenticateCallback = fallbackOptions.OnAuthenticate;
+            _fallbackServerCertificateSelector = fallbackHttpsOptions.ServerCertificateSelector;
+            _onAuthenticateCallback = fallbackHttpsOptions.OnAuthenticate;
 
-            foreach (var (name, sniConfig) in endpointConfig.Sni)
+            foreach (var (name, sniConfig) in sniDictionary)
             {
                 var sslOptions = new SslServerAuthenticationOptions
                 {
-                    ServerCertificate = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointConfig.Name}:Sni:{name}"),
-                    EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackOptions.SslProtocols,
-                    CertificateRevocationCheckMode = fallbackOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
+                    ServerCertificate = certifcateConfigLoader.LoadCertificate(sniConfig.Certificate, $"{endpointName}:Sni:{name}"),
+                    EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackHttpsOptions.SslProtocols,
+                    CertificateRevocationCheckMode = fallbackHttpsOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
                 };
 
                 if (sslOptions.ServerCertificate is null)
                 {
-                    if (fallbackOptions.ServerCertificate is null && _fallbackServerCertificateSelector is null)
+                    if (fallbackHttpsOptions.ServerCertificate is null && _fallbackServerCertificateSelector is null)
                     {
                         throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
                     }
 
                     if (_fallbackServerCertificateSelector is null)
                     {
                         // Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence. 
-                        sslOptions.ServerCertificate = fallbackOptions.ServerCertificate;
+                        sslOptions.ServerCertificate = fallbackHttpsOptions.ServerCertificate;
                     }
                 }
 
-                var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackOptions.ClientCertificateMode;
+                // SkipValidation is only true in tests.
+                if (!certifcateConfigLoader.SkipValidation && sslOptions.ServerCertificate is X509Certificate2 cert2)
+                {
+                    HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);
+                }
+
+                var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackHttpsOptions.ClientCertificateMode;
 
                 if (clientCertificateMode != ClientCertificateMode.NoCertificate)
                 {
                     sslOptions.ClientCertificateRequired = true;
                     sslOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
                         HttpsConnectionMiddleware.RemoteCertificateValidationCallback(
-                            clientCertificateMode, fallbackOptions.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
+                            clientCertificateMode, fallbackHttpsOptions.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
                 }
 
                 var httpProtocols = sniConfig.Protocols ?? fallbackHttpProtocols;
@@ -144,7 +153,14 @@ public SslServerAuthenticationOptions GetOptions(ConnectionContext connection, s
 
                 // If a ServerCertificateSelector doesn't return a cert, HttpsConnectionMiddleware doesn't fallback to the ServerCertificate.
                 sslOptions = CloneSslOptions(sslOptions);
-                sslOptions.ServerCertificate = _fallbackServerCertificateSelector(connection, serverName);
+                var fallbackCertificate = _fallbackServerCertificateSelector(connection, serverName);
+
+                if (fallbackCertificate != null)
+                {
+                    HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(fallbackCertificate);
+                }
+
+                sslOptions.ServerCertificate = fallbackCertificate;
             }
 
             if (_onAuthenticateCallback != null)
@@ -157,6 +173,13 @@ public SslServerAuthenticationOptions GetOptions(ConnectionContext connection, s
             return sslOptions;
         }
 
+        public static ValueTask<SslServerAuthenticationOptions> OptionsCallback(ConnectionContext connection, SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken)
+        {
+            var sniOptionsSelector = (SniOptionsSelector)state;
+            var options = sniOptionsSelector.GetOptions(connection, clientHelloInfo.ServerName);
+            return new ValueTask<SslServerAuthenticationOptions>(options);
+        }
+
         // TODO: Reflection based test to ensure we clone everything!
         // This won't catch issues related to mutable subproperties, but the existing subproperties look like they're mostly immutable.
         // The exception are the ApplicationProtocols list which we clone and the ServerCertificate because of methods like Import() and Reset() :(