mTLS: Flow SNI HostName, add NegotiatedCipherSuite

src/Orleans.Connections.Security/Security/ITlsHandshakeFeature.cs

@@ -1,3 +1,5 @@
+using System;
+using System.Net.Security;
 using System.Security.Authentication;
 
 namespace Orleans.Connections.Security
@@ -6,16 +8,44 @@ public interface ITlsHandshakeFeature
     {
         SslProtocols Protocol { get; }
 
+        /// <summary>
+        /// Gets the <see cref="TlsCipherSuite"/>.
+        /// </summary>
+        TlsCipherSuite? NegotiatedCipherSuite => null;
+
+        /// <summary>
+        /// Gets the host name from the "server_name" (SNI) extension of the client hello if present.
+        /// </summary>
+        string HostName => string.Empty;
+
+#if NET10_0_OR_GREATER
+        [Obsolete("KeyExchangeAlgorithm, KeyExchangeStrength, CipherAlgorithm, CipherStrength, HashAlgorithm and HashStrength properties are obsolete. Use NegotiatedCipherSuite instead.", DiagnosticId = "SYSLIB0058", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
+#endif
         CipherAlgorithmType CipherAlgorithm { get; }
 
+#if NET10_0_OR_GREATER
+        [Obsolete("KeyExchangeAlgorithm, KeyExchangeStrength, CipherAlgorithm, CipherStrength, HashAlgorithm and HashStrength properties are obsolete. Use NegotiatedCipherSuite instead.", DiagnosticId = "SYSLIB0058", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
+#endif
         int CipherStrength { get; }
 
+#if NET10_0_OR_GREATER
+        [Obsolete("KeyExchangeAlgorithm, KeyExchangeStrength, CipherAlgorithm, CipherStrength, HashAlgorithm and HashStrength properties are obsolete. Use NegotiatedCipherSuite instead.", DiagnosticId = "SYSLIB0058", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
+#endif
         HashAlgorithmType HashAlgorithm { get; }
 
+#if NET10_0_OR_GREATER
+        [Obsolete("KeyExchangeAlgorithm, KeyExchangeStrength, CipherAlgorithm, CipherStrength, HashAlgorithm and HashStrength properties are obsolete. Use NegotiatedCipherSuite instead.", DiagnosticId = "SYSLIB0058", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
+#endif
         int HashStrength { get; }
 
+#if NET10_0_OR_GREATER
+        [Obsolete("KeyExchangeAlgorithm, KeyExchangeStrength, CipherAlgorithm, CipherStrength, HashAlgorithm and HashStrength properties are obsolete. Use NegotiatedCipherSuite instead.", DiagnosticId = "SYSLIB0058", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
+#endif
         ExchangeAlgorithmType KeyExchangeAlgorithm { get; }
 
+#if NET10_0_OR_GREATER
+        [Obsolete("KeyExchangeAlgorithm, KeyExchangeStrength, CipherAlgorithm, CipherStrength, HashAlgorithm and HashStrength properties are obsolete. Use NegotiatedCipherSuite instead.", DiagnosticId = "SYSLIB0058", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
+#endif
         int KeyExchangeStrength { get; }
     }
 }

src/Orleans.Connections.Security/Security/TlsClientConnectionMiddleware.cs

@@ -159,12 +159,19 @@ private async Task InnerOnConnectionAsync(ConnectionContext context)
             context.Features.Set<ITlsApplicationProtocolFeature>(feature);
             feature.LocalCertificate = ConvertToX509Certificate2(sslStream.LocalCertificate);
             feature.RemoteCertificate = ConvertToX509Certificate2(sslStream.RemoteCertificate);
+            feature.NegotiatedCipherSuite = sslStream.NegotiatedCipherSuite;
+#if NET10_0_OR_GREATER
+#pragma warning disable SYSLIB0058
+#endif
             feature.CipherAlgorithm = sslStream.CipherAlgorithm;
             feature.CipherStrength = sslStream.CipherStrength;
             feature.HashAlgorithm = sslStream.HashAlgorithm;
             feature.HashStrength = sslStream.HashStrength;
             feature.KeyExchangeAlgorithm = sslStream.KeyExchangeAlgorithm;
             feature.KeyExchangeStrength = sslStream.KeyExchangeStrength;
+#if NET10_0_OR_GREATER
+#pragma warning restore SYSLIB0058
+#endif
             feature.Protocol = sslStream.SslProtocol;
 
             var originalTransport = context.Transport;

src/Orleans.Connections.Security/Security/TlsConnectionFeature.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Net.Security;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
@@ -16,6 +17,13 @@ internal class TlsConnectionFeature : ITlsConnectionFeature, ITlsApplicationProt
 
         public SslProtocols Protocol { get; set; }
 
+        public TlsCipherSuite? NegotiatedCipherSuite { get; set; }
+
+        public string HostName { get; set; } = string.Empty;
+
+#if NET10_0_OR_GREATER
+#pragma warning disable SYSLIB0058
+#endif
         public CipherAlgorithmType CipherAlgorithm { get; set; }
 
         public int CipherStrength { get; set; }
@@ -27,6 +35,9 @@ internal class TlsConnectionFeature : ITlsConnectionFeature, ITlsApplicationProt
         public ExchangeAlgorithmType KeyExchangeAlgorithm { get; set; }
 
         public int KeyExchangeStrength { get; set; }
+#if NET10_0_OR_GREATER
+#pragma warning restore SYSLIB0058
+#endif
 
         public Task<X509Certificate2> GetRemoteCertificateAsync(CancellationToken cancellationToken)
         {

src/Orleans.Connections.Security/Security/TlsOptions.cs

@@ -93,6 +93,7 @@ public void AllowAnyRemoteCertificate()
         /// <summary>
         /// Provides direct configuration of the <see cref="TlsClientAuthenticationOptions"/> on a per-connection basis.
         /// This is called after all of the other settings have already been applied.
+        /// Use this to set the target host name for SNI (Server Name Indication) via <see cref="TlsClientAuthenticationOptions.TargetHost"/>.
         /// </summary>
         public Action<ConnectionContext, TlsClientAuthenticationOptions> OnAuthenticateAsClient { get; set; }
 

src/Orleans.Connections.Security/Security/TlsServerConnectionMiddleware.cs

@@ -138,6 +138,7 @@ private async Task InnerOnConnectionAsync(ConnectionContext context)
                     {
                         selector = (sender, name) =>
                         {
+                            feature.HostName = name ?? string.Empty;
                             context.Features.Set(sslStream);
                             var cert = _certificateSelector(context, name);
                             if (cert != null)
@@ -148,10 +149,19 @@ private async Task InnerOnConnectionAsync(ConnectionContext context)
                             return cert;
                         };
                     }
+                    else if (_certificate != null)
+                    {
+                        // Even with a fixed certificate, we still want to capture the SNI hostname
+                        selector = (sender, name) =>
+                        {
+                            feature.HostName = name ?? string.Empty;
+                            return _certificate;
+                        };
+                    }
 
                     var sslOptions = new TlsServerAuthenticationOptions
                     {
-                        ServerCertificate = _certificate,
+                        ServerCertificate = selector == null ? _certificate : null,
                         ServerCertificateSelectionCallback = selector,
                         ClientCertificateRequired = certificateRequired,
                         EnabledSslProtocols = _options.SslProtocols,
@@ -181,12 +191,19 @@ private async Task InnerOnConnectionAsync(ConnectionContext context)
             context.Features.Set<ITlsApplicationProtocolFeature>(feature);
             feature.LocalCertificate = ConvertToX509Certificate2(sslStream.LocalCertificate);
             feature.RemoteCertificate = ConvertToX509Certificate2(sslStream.RemoteCertificate);
+            feature.NegotiatedCipherSuite = sslStream.NegotiatedCipherSuite;
+#if NET10_0_OR_GREATER
+#pragma warning disable SYSLIB0058
+#endif
             feature.CipherAlgorithm = sslStream.CipherAlgorithm;
             feature.CipherStrength = sslStream.CipherStrength;
             feature.HashAlgorithm = sslStream.HashAlgorithm;
             feature.HashStrength = sslStream.HashStrength;
             feature.KeyExchangeAlgorithm = sslStream.KeyExchangeAlgorithm;
             feature.KeyExchangeStrength = sslStream.KeyExchangeStrength;
+#if NET10_0_OR_GREATER
+#pragma warning restore SYSLIB0058
+#endif
             feature.Protocol = sslStream.SslProtocol;
 
             var originalTransport = context.Transport;