Validate cached options on load

Author: halter73

src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs

@@ -124,7 +124,7 @@ private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig)
                 //         },
                 //         "ClientCertificateMode" : "NoCertificate"
                 //     },
-                //     "b.example.org": {
+                //     "*.example.org": {
                 //         "Certificate": {
                 //             "Path": "testCert2.pfx",
                 //             "Password": "testPassword"
@@ -219,7 +219,7 @@ internal class EndpointDefaults
     //             },
     //             "ClientCertificateMode" : "NoCertificate"
     //         },
-    //         "b.example.org": {
+    //         "*.example.org": {
     //             "Certificate": {
     //                 "Path": "testCert2.pfx",
     //                 "Password": "testPassword"

src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs

@@ -7,6 +7,7 @@
 using System.Security.Authentication;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
+using Microsoft.Extensions.Logging;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal
 {
@@ -24,7 +25,8 @@ public SniOptionsSelector(
             KestrelConfigurationLoader configLoader,
             EndpointConfig endpointConfig,
             HttpsConnectionAdapterOptions fallbackOptions,
-            HttpProtocols fallbackHttpProtocols)
+            HttpProtocols fallbackHttpProtocols,
+            ILogger logger)
         {
             _endpointName = endpointConfig.Name;
 
@@ -41,7 +43,10 @@ public SniOptionsSelector(
                 }
 
                 sslServerOptions.EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackOptions.SslProtocols;
-                HttpsConnectionMiddleware.ConfigureAlpn(sslServerOptions, sniConfig.Protocols ?? fallbackHttpProtocols);
+
+                var httpProtocols = sniConfig.Protocols ?? fallbackHttpProtocols;
+                httpProtocols = HttpsConnectionMiddleware.ValidateAndNormalizeHttpProtocols(httpProtocols, logger);
+                HttpsConnectionMiddleware.ConfigureAlpn(sslServerOptions, httpProtocols);
 
                 var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackOptions.ClientCertificateMode;
 

src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs

@@ -318,7 +318,8 @@ public void Load()
                     }
                     else
                     {
-                        sniOptionsSelector = new SniOptionsSelector(this, endpoint, httpsOptions, listenOptions.Protocols);
+                        var logger = Options.ApplicationServices.GetRequiredService<ILogger<KestrelConfigurationLoader>>();
+                        sniOptionsSelector = new SniOptionsSelector(this, endpoint, httpsOptions, listenOptions.Protocols, logger);
                     }
                 }
 

src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs

@@ -58,23 +58,7 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter
             _options = options;
             _logger = loggerFactory.CreateLogger<HttpsConnectionMiddleware>();
 
-            // This configuration will always fail per-request, preemptively fail it here. See HttpConnection.SelectProtocol().
-            if (options.HttpProtocols == HttpProtocols.Http2)
-            {
-                if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
-                {
-                    throw new NotSupportedException(CoreStrings.Http2NoTlsOsx);
-                }
-                else if (IsWindowsVersionIncompatible())
-                {
-                    throw new NotSupportedException(CoreStrings.Http2NoTlsWin81);
-                }
-            }
-            else if (options.HttpProtocols == HttpProtocols.Http1AndHttp2 && IsWindowsVersionIncompatible())
-            {
-                _logger.Http2DefaultCiphersInsufficient();
-                options.HttpProtocols = HttpProtocols.Http1;
-            }
+            _options.HttpProtocols = ValidateAndNormalizeHttpProtocols(_options.HttpProtocols, _logger);
 
             _next = next;
             // capture the certificate now so it can't be switched after validation
@@ -369,6 +353,29 @@ private static X509Certificate2 ConvertToX509Certificate2(X509Certificate certif
             return new X509Certificate2(certificate);
         }
 
+        internal static HttpProtocols ValidateAndNormalizeHttpProtocols(HttpProtocols httpProtocols, ILogger logger)
+        {
+            // This configuration will always fail per-request, preemptively fail it here. See HttpConnection.SelectProtocol().
+            if (httpProtocols == HttpProtocols.Http2)
+            {
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+                {
+                    throw new NotSupportedException(CoreStrings.Http2NoTlsOsx);
+                }
+                else if (IsWindowsVersionIncompatible())
+                {
+                    throw new NotSupportedException(CoreStrings.Http2NoTlsWin81);
+                }
+            }
+            else if (httpProtocols == HttpProtocols.Http1AndHttp2 && IsWindowsVersionIncompatible())
+            {
+                logger.Http2DefaultCiphersInsufficient();
+                return HttpProtocols.Http1;
+            }
+
+            return httpProtocols;
+        }
+
         private static bool IsWindowsVersionIncompatible()
         {
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))