Solidify fallback logic

Author: halter73

src/Servers/Kestrel/Core/src/Internal/SniOptions.cs

@@ -0,0 +1,36 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Net.Security;
+
+namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal
+{
+    internal class SniOptions
+    {
+        public SslServerAuthenticationOptions SslOptions { get; set; }
+        public HttpProtocols HttpProtocols { get; set; }
+
+        // TODO: Reflection based test to ensure we clone everything!
+        public SniOptions Clone()
+        {
+            return new SniOptions
+            {
+                SslOptions = new SslServerAuthenticationOptions
+                {
+                    AllowRenegotiation = SslOptions.AllowRenegotiation,
+                    ApplicationProtocols = SslOptions.ApplicationProtocols,
+                    CertificateRevocationCheckMode = SslOptions.CertificateRevocationCheckMode,
+                    CipherSuitesPolicy = SslOptions.CipherSuitesPolicy,
+                    ClientCertificateRequired = SslOptions.ClientCertificateRequired,
+                    EnabledSslProtocols = SslOptions.EnabledSslProtocols,
+                    EncryptionPolicy = SslOptions.EncryptionPolicy,
+                    RemoteCertificateValidationCallback = SslOptions.RemoteCertificateValidationCallback,
+                    ServerCertificate = SslOptions.ServerCertificate,
+                    ServerCertificateContext = SslOptions.ServerCertificateContext,
+                    ServerCertificateSelectionCallback = SslOptions.ServerCertificateSelectionCallback,
+                },
+                HttpProtocols = HttpProtocols,
+            };
+        }
+    }
+}

src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs

@@ -3,8 +3,11 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.Net.Security;
 using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
 using Microsoft.Extensions.Logging;
@@ -17,9 +20,13 @@ internal class SniOptionsSelector
         private const string wildcardPrefix = "*.";
 
         private readonly string _endpointName;
-        private readonly Dictionary<string, SslServerAuthenticationOptions> _fullNameOptions = new Dictionary<string, SslServerAuthenticationOptions>(StringComparer.OrdinalIgnoreCase);
-        private readonly List<(string, SslServerAuthenticationOptions)> _wildcardPrefixOptions = new List<(string, SslServerAuthenticationOptions)>();
-        private readonly SslServerAuthenticationOptions _wildcardHostOptions = null;
+
+        private readonly Func<ConnectionContext, string, X509Certificate2> _fallbackServerCertificateSelector;
+        private readonly Action<ConnectionContext, SslServerAuthenticationOptions> _onAuthenticateCallback;
+
+        private readonly Dictionary<string, SniOptions> _fullNameOptions = new Dictionary<string, SniOptions>(StringComparer.OrdinalIgnoreCase);
+        private readonly List<(string, SniOptions)> _wildcardPrefixOptions = new List<(string, SniOptions)>();
+        private readonly SniOptions _wildcardHostOptions = null;
 
         public SniOptionsSelector(
             KestrelConfigurationLoader configLoader,
@@ -30,24 +37,30 @@ public SniOptionsSelector(
         {
             _endpointName = endpointConfig.Name;
 
+            _fallbackServerCertificateSelector = fallbackOptions.ServerCertificateSelector;
+            _onAuthenticateCallback = fallbackOptions.OnAuthenticate;
+
             foreach (var (name, sniConfig) in endpointConfig.SNI)
             {
-                var sslServerOptions = new SslServerAuthenticationOptions();
-
-                sslServerOptions.ServerCertificate = configLoader.LoadCertificate(sniConfig.Certificate, endpointConfig.Name);
-
-                if (sslServerOptions.ServerCertificate is null &&
-                    fallbackOptions.ServerCertificate is null &&
-                    fallbackOptions.ServerCertificateSelector is null)
+                var sslServerOptions = new SslServerAuthenticationOptions
                 {
-                    throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
-                }
+                    ServerCertificate = configLoader.LoadCertificate(sniConfig.Certificate, endpointConfig.Name),
+                    EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackOptions.SslProtocols,
+                };
 
-                sslServerOptions.EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackOptions.SslProtocols;
+                if (sslServerOptions.ServerCertificate is null)
+                {
+                    if (fallbackOptions.ServerCertificate is null && fallbackOptions.ServerCertificateSelector is null)
+                    {
+                        throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
+                    }
 
-                var httpProtocols = sniConfig.Protocols ?? fallbackHttpProtocols;
-                httpProtocols = HttpsConnectionMiddleware.ValidateAndNormalizeHttpProtocols(httpProtocols, logger);
-                HttpsConnectionMiddleware.ConfigureAlpn(sslServerOptions, httpProtocols);
+                    if (fallbackOptions.ServerCertificateSelector is null)
+                    {
+                        // Cache the fallback ServerCertificate since there's no fallback ServerCertificateSelector taking precedence. 
+                        sslServerOptions.ServerCertificate = fallbackOptions.ServerCertificate;
+                    }
+                }
 
                 var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackOptions.ClientCertificateMode;
 
@@ -59,24 +72,34 @@ fallbackOptions.ServerCertificate is null &&
                             clientCertificateMode, fallbackOptions.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
                 }
 
+                var httpProtocols = sniConfig.Protocols ?? fallbackHttpProtocols;
+                httpProtocols = HttpsConnectionMiddleware.ValidateAndNormalizeHttpProtocols(httpProtocols, logger);
+                HttpsConnectionMiddleware.ConfigureAlpn(sslServerOptions, httpProtocols);
+
+                var sniOptions = new SniOptions
+                {
+                    SslOptions = sslServerOptions,
+                    HttpProtocols = httpProtocols,
+                };
+
                 if (name.Equals(wildcardHost, StringComparison.Ordinal))
                 {
-                    _wildcardHostOptions = sslServerOptions;
+                    _wildcardHostOptions = sniOptions;
                 }
                 else if (name.StartsWith(wildcardPrefix, StringComparison.Ordinal))
                 {
-                    _wildcardPrefixOptions.Add((name, sslServerOptions));
+                    _wildcardPrefixOptions.Add((name, sniOptions));
                 }
                 else
                 {
-                    _fullNameOptions[name] = sslServerOptions;
+                    _fullNameOptions[name] = sniOptions;
                 }
             }
         }
 
-        public SslServerAuthenticationOptions GetOptions(string serverName)
+        public SniOptions GetOptions(ConnectionContext connection, string serverName)
         {
-            SslServerAuthenticationOptions options = null;
+            SniOptions options = null;
 
             if (!string.IsNullOrEmpty(serverName))
             {
@@ -116,6 +139,25 @@ public SslServerAuthenticationOptions GetOptions(string serverName)
                 }
             }
 
+            if (options.SslOptions.ServerCertificate is null)
+            {
+                Debug.Assert(_fallbackServerCertificateSelector != null,
+                    "The cached SniOptions ServerCertificate can only be null if there's a fallback certificate selector.");
+
+                // If a ServerCertificateSelector passed into HttpsConnectionMiddleware via HttpsConnectionAdapterOptions doesn't return a cert,
+                // HttpsConnectionMiddleware doesn't fallback to the ServerCertificate, so we don't do that here either.
+                options = options.Clone();
+                options.SslOptions.ServerCertificate = _fallbackServerCertificateSelector(connection, serverName);
+            }
+
+            if (_onAuthenticateCallback != null)
+            {
+                options = options.Clone();
+
+                // From doc comments: "This is called after all of the other settings have already been applied."
+                _onAuthenticateCallback(connection, options.SslOptions);
+            }    
+
             return options;
         }
     }

src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs

@@ -14,6 +14,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Certificates.Generation;
+using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal;
@@ -371,11 +372,11 @@ public void Load()
             return (endpointsToStop, endpointsToStart);
         }
 
-        private static ValueTask<SslServerAuthenticationOptions> ServerOptionsSelectionCallback(SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken)
+        private static ValueTask<SslServerAuthenticationOptions> ServerOptionsSelectionCallback(ConnectionContext connection, SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken)
         {
             var sniOptionsSelector = (SniOptionsSelector)state;
-            var options = sniOptionsSelector.GetOptions(clientHelloInfo.ServerName);
-            return new ValueTask<SslServerAuthenticationOptions>(options);
+            var options = sniOptionsSelector.GetOptions(connection, clientHelloInfo.ServerName);
+            return new ValueTask<SslServerAuthenticationOptions>(options.SslOptions);
         }
 
         private void LoadDefaultCert(ConfigurationReader configReader)

src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs

@@ -233,17 +233,17 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsConn
         /// Configure Kestrel to use HTTPS.
         /// </summary>
         /// <param name="listenOptions">The <see cref="ListenOptions"/> to configure.</param>
-        /// <param name="serverOptionsCallback">Callback to configure HTTPS options.</param>
+        /// <param name="httpsOptionsCallback">Callback to configure HTTPS options.</param>
         /// <param name="state">State for the <see cref="ServerOptionsSelectionCallback" />.</param>
         /// <returns>The <see cref="ListenOptions"/>.</returns>
-        internal static ListenOptions UseHttps(this ListenOptions listenOptions, ServerOptionsSelectionCallback serverOptionsCallback, object state = null)
+        internal static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsOptionsCallback httpsOptionsCallback, object state = null)
         {
             var loggerFactory = listenOptions.KestrelServerOptions?.ApplicationServices.GetRequiredService<ILoggerFactory>() ?? NullLoggerFactory.Instance;
 
             listenOptions.IsTls = true;
             listenOptions.Use(next =>
             {
-                var middleware = new HttpsConnectionMiddleware(next, serverOptionsCallback, state, loggerFactory);
+                var middleware = new HttpsConnectionMiddleware(next, httpsOptionsCallback, state, loggerFactory);
                 return middleware.OnConnectionAsync;
             });
 

src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs

@@ -24,11 +24,14 @@
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
 {
+
+    internal delegate ValueTask<SslServerAuthenticationOptions> HttpsOptionsCallback(ConnectionContext connection, SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken);
+
     internal class HttpsConnectionMiddleware
     {
         private const string EnableWindows81Http2 = "Microsoft.AspNetCore.Server.Kestrel.EnableWindows81Http2";
 
-        internal static TimeSpan DefaultHandshakeTimeout = TimeSpan.FromSeconds(10);
+        internal static readonly TimeSpan DefaultHandshakeTimeout = TimeSpan.FromSeconds(10);
 
         private readonly ConnectionDelegate _next;
         private readonly ILogger _logger;
@@ -40,8 +43,9 @@ internal class HttpsConnectionMiddleware
         private readonly Func<ConnectionContext, string, X509Certificate2> _serverCertificateSelector;
 
         // The following fields are only set by ServerOptionsSelectionCallback ctor.
-        private readonly ServerOptionsSelectionCallback _serverOptionsSelectionCallback;
-        private readonly object _serverOptionsSelectionCallbackState;
+        // If we ever expose this via a public API, we should really create a delegate type.
+        private readonly HttpsOptionsCallback _httpsOptionsCallback;
+        private readonly object _httpsOptionsCallbackState;
 
         public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapterOptions options)
           : this(next, options, loggerFactory: NullLoggerFactory.Instance)
@@ -88,14 +92,14 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter
 
         internal HttpsConnectionMiddleware(
             ConnectionDelegate next,
-            ServerOptionsSelectionCallback serverOptionsSelectionCallback,
-            object serverOptionsSelectionCallbackState,
+            HttpsOptionsCallback httpsOptionsCallback,
+            object httpsOptionsCallbackState,
             ILoggerFactory loggerFactory)
         {
             _next = next;
             _logger = loggerFactory.CreateLogger<HttpsConnectionMiddleware>();
-            _serverOptionsSelectionCallback = serverOptionsSelectionCallback;
-            _serverOptionsSelectionCallbackState = serverOptionsSelectionCallbackState;
+            _httpsOptionsCallback = httpsOptionsCallback;
+            _httpsOptionsCallbackState = httpsOptionsCallbackState;
             _sslStreamFactory = s => new SslStream(s);
         }
 
@@ -119,7 +123,7 @@ public async Task OnConnectionAsync(ConnectionContext context)
             try
             {
                 using var cancellationTokenSource = new CancellationTokenSource(_options?.HandshakeTimeout ?? DefaultHandshakeTimeout);
-                if (_serverOptionsSelectionCallback is null)
+                if (_httpsOptionsCallback is null)
                 {
                     await DoOptionsBasedHandshakeAsync(context, sslStream, feature, cancellationTokenSource.Token);
                 }
@@ -316,7 +320,7 @@ private static async ValueTask<SslServerAuthenticationOptions> ServerOptionsCall
 
             feature.HostName = clientHelloInfo.ServerName;
 
-            var sslOptions = await middleware._serverOptionsSelectionCallback(stream, clientHelloInfo, middleware._serverOptionsSelectionCallbackState, cancellationToken);
+            var sslOptions = await middleware._httpsOptionsCallback(context, stream, clientHelloInfo, middleware._httpsOptionsCallbackState, cancellationToken);
 
             // REVIEW: Cache results? We don't do this for ServerCertificateSelectionCallback.
             if (sslOptions.ServerCertificate is X509Certificate2 cert)

src/Servers/Kestrel/samples/SampleApp/appsettings.Production.json

@@ -9,6 +9,7 @@
             "Protocols": "Http1"
           },
           "*": {
+            "SslProtocols":  [ "Tls12", "Tls13" ]
           }
         }
       }