Use default CertificateRevocationCheckMode for SNI endpoints

halter73 · halter73 · commit 95352fe30235 · 2020-07-30T10:50:10.000-07:00
diff --git a/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs b/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs
@@ -45,18 +45,19 @@ public SniOptionsSelector(
             {
                 var sslOptions = new SslServerAuthenticationOptions
                 {
-                    ServerCertificate = configLoader.LoadCertificate(sniConfig.Certificate, endpointConfig.Name),
+                    ServerCertificate = configLoader.LoadCertificate(sniConfig.Certificate, $"{endpointConfig.Name}:SNI:{name}"),
                     EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackOptions.SslProtocols,
+                    CertificateRevocationCheckMode = fallbackOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
                 };
 
                 if (sslOptions.ServerCertificate is null)
                 {
-                    if (fallbackOptions.ServerCertificate is null && fallbackOptions.ServerCertificateSelector is null)
+                    if (fallbackOptions.ServerCertificate is null && _fallbackServerCertificateSelector is null)
                     {
                         throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
                     }
 
-                    if (fallbackOptions.ServerCertificateSelector is null)
+                    if (_fallbackServerCertificateSelector is null)
                     {
                         // Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence. 
                         sslOptions.ServerCertificate = fallbackOptions.ServerCertificate;
@@ -138,9 +139,8 @@ public SslServerAuthenticationOptions GetOptions(ConnectionContext connection, s
 
             if (_onAuthenticateCallback != null)
             {
-                sslOptions = CloneSslOptions(sslOptions);
-
                 // From doc comments: "This is called after all of the other settings have already been applied."
+                sslOptions = CloneSslOptions(sslOptions);
                 _onAuthenticateCallback(connection, sslOptions);
             }
 
@@ -158,8 +158,8 @@ private bool TryGetWildcardPrefixedOptions(string serverName, out SniOptions sni
             {
                 ReadOnlySpan<char> nameCandidateSpan = nameCandidate;
 
-                // Note that we only slice off the `*`. We want to match the leading `.` also.
-                if (serverNameSpan.EndsWith(nameCandidateSpan.Slice(wildcardHost.Length), StringComparison.OrdinalIgnoreCase) &&
+                // Only slice off 1 character, the `*`. We want to match the leading `.` also.
+                if (serverNameSpan.EndsWith(nameCandidateSpan.Slice(1), StringComparison.OrdinalIgnoreCase) &&
                     nameCandidateSpan.Length > matchedNameLength)
                 {
                     matchedNameLength = nameCandidateSpan.Length;
@@ -171,6 +171,8 @@ private bool TryGetWildcardPrefixedOptions(string serverName, out SniOptions sni
         }
 
         // TODO: Reflection based test to ensure we clone everything!
+        // This won't catch issues related to mutable subproperties, but the existing subproperties look like they're mosly immutable.
+        // The exception are the ApplicationProtocols list which we clone and the ServerCertificate because of methods like Import() and Reset() :(
         internal static SslServerAuthenticationOptions CloneSslOptions(SslServerAuthenticationOptions sslOptions) =>
             new SslServerAuthenticationOptions
             {

Original file line number	Diff line number	Diff line change
`@@ -45,18 +45,19 @@ public SniOptionsSelector(`
`45`	`45`	`{`
`46`	`46`	`var sslOptions = new SslServerAuthenticationOptions`
`47`	`47`	`{`
`48`		`- ServerCertificate = configLoader.LoadCertificate(sniConfig.Certificate, endpointConfig.Name),`
	`48`	`+ ServerCertificate = configLoader.LoadCertificate(sniConfig.Certificate, $"{endpointConfig.Name}:SNI:{name}"),`
`49`	`49`	`EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackOptions.SslProtocols,`
	`50`	`+ CertificateRevocationCheckMode = fallbackOptions.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,`
`50`	`51`	`};`
`51`	`52`
`52`	`53`	`if (sslOptions.ServerCertificate is null)`
`53`	`54`	`{`
`54`		`- if (fallbackOptions.ServerCertificate is null && fallbackOptions.ServerCertificateSelector is null)`
	`55`	`+ if (fallbackOptions.ServerCertificate is null && _fallbackServerCertificateSelector is null)`
`55`	`56`	`{`
`56`	`57`	`throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);`
`57`	`58`	`}`
`58`	`59`
`59`		`- if (fallbackOptions.ServerCertificateSelector is null)`
	`60`	`+ if (_fallbackServerCertificateSelector is null)`
`60`	`61`	`{`
`61`	`62`	`// Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence.`
`62`	`63`	`sslOptions.ServerCertificate = fallbackOptions.ServerCertificate;`
`@@ -138,9 +139,8 @@ public SslServerAuthenticationOptions GetOptions(ConnectionContext connection, s`
`138`	`139`
`139`	`140`	`if (_onAuthenticateCallback != null)`
`140`	`141`	`{`
`141`		`- sslOptions = CloneSslOptions(sslOptions);`
`142`		`-`
`143`	`142`	`// From doc comments: "This is called after all of the other settings have already been applied."`
	`143`	`+ sslOptions = CloneSslOptions(sslOptions);`
`144`	`144`	`_onAuthenticateCallback(connection, sslOptions);`
`145`	`145`	`}`
`146`	`146`
`@@ -158,8 +158,8 @@ private bool TryGetWildcardPrefixedOptions(string serverName, out SniOptions sni`
`158`	`158`	`{`
`159`	`159`	`ReadOnlySpan<char> nameCandidateSpan = nameCandidate;`
`160`	`160`
`161`		- // Note that we only slice off the `*`. We want to match the leading `.` also.
`162`		`- if (serverNameSpan.EndsWith(nameCandidateSpan.Slice(wildcardHost.Length), StringComparison.OrdinalIgnoreCase) &&`
	`161`	+ // Only slice off 1 character, the `*`. We want to match the leading `.` also.
	`162`	`+ if (serverNameSpan.EndsWith(nameCandidateSpan.Slice(1), StringComparison.OrdinalIgnoreCase) &&`
`163`	`163`	`nameCandidateSpan.Length > matchedNameLength)`
`164`	`164`	`{`
`165`	`165`	`matchedNameLength = nameCandidateSpan.Length;`
`@@ -171,6 +171,8 @@ private bool TryGetWildcardPrefixedOptions(string serverName, out SniOptions sni`
`171`	`171`	`}`
`172`	`172`
`173`	`173`	`// TODO: Reflection based test to ensure we clone everything!`
	`174`	`+ // This won't catch issues related to mutable subproperties, but the existing subproperties look like they're mosly immutable.`
	`175`	`+ // The exception are the ApplicationProtocols list which we clone and the ServerCertificate because of methods like Import() and Reset() :(`
`174`	`176`	`internal static SslServerAuthenticationOptions CloneSslOptions(SslServerAuthenticationOptions sslOptions) =>`
`175`	`177`	`new SslServerAuthenticationOptions`
`176`	`178`	`{`