Support default handshake timeout

halter73 · halter73 · commit 5e125f3107df · 2020-07-30T10:50:09.000-07:00
diff --git a/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs b/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
@@ -25,8 +25,7 @@ public class HttpsConnectionAdapterOptions
         public HttpsConnectionAdapterOptions()
         {
             ClientCertificateMode = ClientCertificateMode.NoCertificate;
-            // Defaults to 10 seconds
-            HandshakeTimeout = HttpsConnectionMiddleware.DefaultHandshakeTimeout;
+            HandshakeTimeout = TimeSpan.FromSeconds(10);
         }
 
         /// <summary>
diff --git a/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs b/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs
@@ -144,8 +144,7 @@ public SniOptions GetOptions(ConnectionContext connection, string serverName)
                 Debug.Assert(_fallbackServerCertificateSelector != null,
                     "The cached SniOptions ServerCertificate can only be null if there's a fallback certificate selector.");
 
-                // If a ServerCertificateSelector passed into HttpsConnectionMiddleware via HttpsConnectionAdapterOptions doesn't return a cert,
-                // HttpsConnectionMiddleware doesn't fallback to the ServerCertificate, so we don't do that here either.
+                // If a ServerCertificateSelector doesn't return a cert, HttpsConnectionMiddleware doesn't fallback to the ServerCertificate.
                 options = options.Clone();
                 options.SslOptions.ServerCertificate = _fallbackServerCertificateSelector(connection, serverName);
             }
diff --git a/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs b/src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs
@@ -359,7 +359,7 @@ public void Load()
                         var logger = Options.ApplicationServices.GetRequiredService<ILogger<KestrelConfigurationLoader>>();
                         var sniOptionsSelector = new SniOptionsSelector(this, endpoint, httpsOptions, listenOptions.Protocols, logger);
 
-                        listenOptions.UseHttps(ServerOptionsSelectionCallback, sniOptionsSelector);
+                        listenOptions.UseHttps(ServerOptionsSelectionCallback, sniOptionsSelector, httpsOptions.HandshakeTimeout);
                     }
                 }
 
diff --git a/src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs b/src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs
@@ -235,15 +235,16 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsConn
         /// <param name="listenOptions">The <see cref="ListenOptions"/> to configure.</param>
         /// <param name="httpsOptionsCallback">Callback to configure HTTPS options.</param>
         /// <param name="state">State for the <see cref="ServerOptionsSelectionCallback" />.</param>
+        /// <param name="handshakeTimeout">Specifies the maximum amount of time allowed for the TLS/SSL handshake. This must be positive and finite.</param>
         /// <returns>The <see cref="ListenOptions"/>.</returns>
-        internal static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsOptionsCallback httpsOptionsCallback, object state = null)
+        internal static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsOptionsCallback httpsOptionsCallback, object state, TimeSpan handshakeTimeout)
         {
             var loggerFactory = listenOptions.KestrelServerOptions?.ApplicationServices.GetRequiredService<ILoggerFactory>() ?? NullLoggerFactory.Instance;
 
             listenOptions.IsTls = true;
             listenOptions.Use(next =>
             {
-                var middleware = new HttpsConnectionMiddleware(next, httpsOptionsCallback, state, loggerFactory);
+                var middleware = new HttpsConnectionMiddleware(next, httpsOptionsCallback, state, handshakeTimeout, loggerFactory);
                 return middleware.OnConnectionAsync;
             });
 
diff --git a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
@@ -31,9 +31,10 @@ internal class HttpsConnectionMiddleware
     {
         private const string EnableWindows81Http2 = "Microsoft.AspNetCore.Server.Kestrel.EnableWindows81Http2";
 
-        internal static readonly TimeSpan DefaultHandshakeTimeout = TimeSpan.FromSeconds(10);
+        private static readonly bool _isWindowsVersionIncompatible = IsWindowsVersionIncompatible();
 
         private readonly ConnectionDelegate _next;
+        private readonly TimeSpan _handshakeTimeout;
         private readonly ILogger _logger;
         private readonly Func<Stream, SslStream> _sslStreamFactory;
 
@@ -43,7 +44,6 @@ internal class HttpsConnectionMiddleware
         private readonly Func<ConnectionContext, string, X509Certificate2> _serverCertificateSelector;
 
         // The following fields are only set by ServerOptionsSelectionCallback ctor.
-        // If we ever expose this via a public API, we should really create a delegate type.
         private readonly HttpsOptionsCallback _httpsOptionsCallback;
         private readonly object _httpsOptionsCallbackState;
 
@@ -59,12 +59,13 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter
                 throw new ArgumentNullException(nameof(options));
             }
 
-            _options = options;
+            _next = next;
+            _handshakeTimeout = options.HandshakeTimeout;
             _logger = loggerFactory.CreateLogger<HttpsConnectionMiddleware>();
 
+            _options = options;
             _options.HttpProtocols = ValidateAndNormalizeHttpProtocols(_options.HttpProtocols, _logger);
 
-            _next = next;
             // capture the certificate now so it can't be switched after validation
             _serverCertificate = options.ServerCertificate;
             _serverCertificateSelector = options.ServerCertificateSelector;
@@ -94,10 +95,13 @@ internal HttpsConnectionMiddleware(
             ConnectionDelegate next,
             HttpsOptionsCallback httpsOptionsCallback,
             object httpsOptionsCallbackState,
+            TimeSpan handshakeTimeout,
             ILoggerFactory loggerFactory)
         {
             _next = next;
+            _handshakeTimeout = handshakeTimeout;
             _logger = loggerFactory.CreateLogger<HttpsConnectionMiddleware>();
+
             _httpsOptionsCallback = httpsOptionsCallback;
             _httpsOptionsCallbackState = httpsOptionsCallbackState;
             _sslStreamFactory = s => new SslStream(s);
@@ -122,7 +126,7 @@ public async Task OnConnectionAsync(ConnectionContext context)
 
             try
             {
-                using var cancellationTokenSource = new CancellationTokenSource(_options?.HandshakeTimeout ?? DefaultHandshakeTimeout);
+                using var cancellationTokenSource = new CancellationTokenSource(_handshakeTimeout);
                 if (_httpsOptionsCallback is null)
                 {
                     await DoOptionsBasedHandshakeAsync(context, sslStream, feature, cancellationTokenSource.Token);
@@ -255,9 +259,6 @@ internal static void ConfigureAlpn(SslServerAuthenticationOptions serverOptions,
             }
         }
 
-        private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>
-            RemoteCertificateValidationCallback(_options.ClientCertificateMode, _options.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
-
         internal static bool RemoteCertificateValidationCallback(
             ClientCertificateMode clientCertificateMode,
             Func<X509Certificate2, X509Chain, SslPolicyErrors, bool> clientCertificateValidation,
@@ -295,6 +296,9 @@ internal static bool RemoteCertificateValidationCallback(
             return true;
         }
 
+        private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>
+            RemoteCertificateValidationCallback(_options.ClientCertificateMode, _options.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
+
         private SslDuplexPipe CreateSslDuplexPipe(IDuplexPipe transport, MemoryPool<byte> memoryPool)
         {
             var inputPipeOptions = new StreamPipeReaderOptions
@@ -366,12 +370,12 @@ internal static HttpProtocols ValidateAndNormalizeHttpProtocols(HttpProtocols ht
                 {
                     throw new NotSupportedException(CoreStrings.Http2NoTlsOsx);
                 }
-                else if (IsWindowsVersionIncompatible())
+                else if (_isWindowsVersionIncompatible)
                 {
                     throw new NotSupportedException(CoreStrings.Http2NoTlsWin81);
                 }
             }
-            else if (httpProtocols == HttpProtocols.Http1AndHttp2 && IsWindowsVersionIncompatible())
+            else if (httpProtocols == HttpProtocols.Http1AndHttp2 && _isWindowsVersionIncompatible)
             {
                 logger.Http2DefaultCiphersInsufficient();
                 return HttpProtocols.Http1;

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,7 @@ public class HttpsConnectionAdapterOptions`
`25`	`25`	`public HttpsConnectionAdapterOptions()`
`26`	`26`	`{`
`27`	`27`	`ClientCertificateMode = ClientCertificateMode.NoCertificate;`
`28`		`- // Defaults to 10 seconds`
`29`		`- HandshakeTimeout = HttpsConnectionMiddleware.DefaultHandshakeTimeout;`
	`28`	`+ HandshakeTimeout = TimeSpan.FromSeconds(10);`
`30`	`29`	`}`
`31`	`30`
`32`	`31`	`/// <summary>`
Original file line number	Diff line number	Diff line change
`@@ -144,8 +144,7 @@ public SniOptions GetOptions(ConnectionContext connection, string serverName)`
`144`	`144`	`Debug.Assert(_fallbackServerCertificateSelector != null,`
`145`	`145`	`"The cached SniOptions ServerCertificate can only be null if there's a fallback certificate selector.");`
`146`	`146`
`147`		`- // If a ServerCertificateSelector passed into HttpsConnectionMiddleware via HttpsConnectionAdapterOptions doesn't return a cert,`
`148`		`- // HttpsConnectionMiddleware doesn't fallback to the ServerCertificate, so we don't do that here either.`
	`147`	`+ // If a ServerCertificateSelector doesn't return a cert, HttpsConnectionMiddleware doesn't fallback to the ServerCertificate.`
`149`	`148`	`options = options.Clone();`
`150`	`149`	`options.SslOptions.ServerCertificate = _fallbackServerCertificateSelector(connection, serverName);`
`151`	`150`	`}`
Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ public void Load()`
`359`	`359`	`var logger = Options.ApplicationServices.GetRequiredService<ILogger<KestrelConfigurationLoader>>();`
`360`	`360`	`var sniOptionsSelector = new SniOptionsSelector(this, endpoint, httpsOptions, listenOptions.Protocols, logger);`
`361`	`361`
`362`		`- listenOptions.UseHttps(ServerOptionsSelectionCallback, sniOptionsSelector);`
	`362`	`+ listenOptions.UseHttps(ServerOptionsSelectionCallback, sniOptionsSelector, httpsOptions.HandshakeTimeout);`
`363`	`363`	`}`
`364`	`364`	`}`
`365`	`365`
Original file line number	Diff line number	Diff line change
`@@ -31,9 +31,10 @@ internal class HttpsConnectionMiddleware`
`31`	`31`	`{`
`32`	`32`	`private const string EnableWindows81Http2 = "Microsoft.AspNetCore.Server.Kestrel.EnableWindows81Http2";`
`33`	`33`
`34`		`- internal static readonly TimeSpan DefaultHandshakeTimeout = TimeSpan.FromSeconds(10);`
	`34`	`+ private static readonly bool _isWindowsVersionIncompatible = IsWindowsVersionIncompatible();`
`35`	`35`
`36`	`36`	`private readonly ConnectionDelegate _next;`
	`37`	`+ private readonly TimeSpan _handshakeTimeout;`
`37`	`38`	`private readonly ILogger _logger;`
`38`	`39`	`private readonly Func<Stream, SslStream> _sslStreamFactory;`
`39`	`40`
`@@ -43,7 +44,6 @@ internal class HttpsConnectionMiddleware`
`43`	`44`	`private readonly Func<ConnectionContext, string, X509Certificate2> _serverCertificateSelector;`
`44`	`45`
`45`	`46`	`// The following fields are only set by ServerOptionsSelectionCallback ctor.`
`46`		`- // If we ever expose this via a public API, we should really create a delegate type.`
`47`	`47`	`private readonly HttpsOptionsCallback _httpsOptionsCallback;`
`48`	`48`	`private readonly object _httpsOptionsCallbackState;`
`49`	`49`
`@@ -59,12 +59,13 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter`
`59`	`59`	`throw new ArgumentNullException(nameof(options));`
`60`	`60`	`}`
`61`	`61`
`62`		`- _options = options;`
	`62`	`+ _next = next;`
	`63`	`+ _handshakeTimeout = options.HandshakeTimeout;`
`63`	`64`	`_logger = loggerFactory.CreateLogger<HttpsConnectionMiddleware>();`
`64`	`65`
	`66`	`+ _options = options;`
`65`	`67`	`_options.HttpProtocols = ValidateAndNormalizeHttpProtocols(_options.HttpProtocols, _logger);`
`66`	`68`
`67`		`- _next = next;`
`68`	`69`	`// capture the certificate now so it can't be switched after validation`
`69`	`70`	`_serverCertificate = options.ServerCertificate;`
`70`	`71`	`_serverCertificateSelector = options.ServerCertificateSelector;`
`@@ -94,10 +95,13 @@ internal HttpsConnectionMiddleware(`
`94`	`95`	`ConnectionDelegate next,`
`95`	`96`	`HttpsOptionsCallback httpsOptionsCallback,`
`96`	`97`	`object httpsOptionsCallbackState,`
	`98`	`+ TimeSpan handshakeTimeout,`
`97`	`99`	`ILoggerFactory loggerFactory)`
`98`	`100`	`{`
`99`	`101`	`_next = next;`
	`102`	`+ _handshakeTimeout = handshakeTimeout;`
`100`	`103`	`_logger = loggerFactory.CreateLogger<HttpsConnectionMiddleware>();`
	`104`	`+`
`101`	`105`	`_httpsOptionsCallback = httpsOptionsCallback;`
`102`	`106`	`_httpsOptionsCallbackState = httpsOptionsCallbackState;`
`103`	`107`	`_sslStreamFactory = s => new SslStream(s);`
`@@ -122,7 +126,7 @@ public async Task OnConnectionAsync(ConnectionContext context)`
`122`	`126`
`123`	`127`	`try`
`124`	`128`	`{`
`125`		`- using var cancellationTokenSource = new CancellationTokenSource(_options?.HandshakeTimeout ?? DefaultHandshakeTimeout);`
	`129`	`+ using var cancellationTokenSource = new CancellationTokenSource(_handshakeTimeout);`
`126`	`130`	`if (_httpsOptionsCallback is null)`
`127`	`131`	`{`
`128`	`132`	`await DoOptionsBasedHandshakeAsync(context, sslStream, feature, cancellationTokenSource.Token);`
`@@ -255,9 +259,6 @@ internal static void ConfigureAlpn(SslServerAuthenticationOptions serverOptions,`
`255`	`259`	`}`
`256`	`260`	`}`
`257`	`261`
`258`		`- private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>`
`259`		`- RemoteCertificateValidationCallback(_options.ClientCertificateMode, _options.ClientCertificateValidation, certificate, chain, sslPolicyErrors);`
`260`		`-`
`261`	`262`	`internal static bool RemoteCertificateValidationCallback(`
`262`	`263`	`ClientCertificateMode clientCertificateMode,`
`263`	`264`	`Func<X509Certificate2, X509Chain, SslPolicyErrors, bool> clientCertificateValidation,`
`@@ -295,6 +296,9 @@ internal static bool RemoteCertificateValidationCallback(`
`295`	`296`	`return true;`
`296`	`297`	`}`
`297`	`298`
	`299`	`+ private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>`
	`300`	`+ RemoteCertificateValidationCallback(_options.ClientCertificateMode, _options.ClientCertificateValidation, certificate, chain, sslPolicyErrors);`
	`301`	`+`
`298`	`302`	`private SslDuplexPipe CreateSslDuplexPipe(IDuplexPipe transport, MemoryPool<byte> memoryPool)`
`299`	`303`	`{`
`300`	`304`	`var inputPipeOptions = new StreamPipeReaderOptions`
`@@ -366,12 +370,12 @@ internal static HttpProtocols ValidateAndNormalizeHttpProtocols(HttpProtocols ht`
`366`	`370`	`{`
`367`	`371`	`throw new NotSupportedException(CoreStrings.Http2NoTlsOsx);`
`368`	`372`	`}`
`369`		`- else if (IsWindowsVersionIncompatible())`
	`373`	`+ else if (_isWindowsVersionIncompatible)`
`370`	`374`	`{`
`371`	`375`	`throw new NotSupportedException(CoreStrings.Http2NoTlsWin81);`
`372`	`376`	`}`
`373`	`377`	`}`
`374`		`- else if (httpProtocols == HttpProtocols.Http1AndHttp2 && IsWindowsVersionIncompatible())`
	`378`	`+ else if (httpProtocols == HttpProtocols.Http1AndHttp2 && _isWindowsVersionIncompatible)`
`375`	`379`	`{`
`376`	`380`	`logger.Http2DefaultCiphersInsufficient();`
`377`	`381`	`return HttpProtocols.Http1;`