HTTP/3: QuicConnectionListener supports ServerOptionsSelectionCallback #49587
Tagging subscribers to this area: @dotnet/ncl, @vcsjones

Issue Details

ASP.NET Core allows you to configure a callback that creates SslServerAuthenticationOptions when a TLS handshake happens. This is done using the ServerOptionsSelectionCallback delegate.

Example use:

```csharp
serverOptions.ListenLocalhost(5001, listenOptions =>
{
    listenOptions.Protocols = HttpProtocols.Http3;
    listenOptions.UseHttps((SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken) =>
    {
        return ValueTask.FromResult(new SslServerAuthenticationOptions());
    }, state: null);
});
```

Does this callback make sense with QUIC? SslStream would be null, but SslClientHelloInfo and state could still be used to customize auth options with QUIC.
@wfurt do you have more insights here?
I think the msquic NEW_CONNECTION event, which is already used by runtime/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicListener.cs (lines 160 to 205 in 31c28fc)
I wonder if
We think this is important to get done in .NET 7.
There are several issues @adityamandaleeka. MsQuic needs ALPN before starting the Listener. The other part is API shape. This is more than a property, and the Listener concept is very different from a single SslStream. There you can also pass state and cancellation, but neither fits the Listener. If we work out the API, the details should be doable IMHO.
Sounds good. For context, I left that message when we were triaging and prioritizing the issues in Future opened by us (aspnet).
@adityamandaleeka we do not distinguish between Future and 7.0 yet. Once 6.0 is wrapped up, we will retriage and start making the distinction. |
MsQuic needs ALPN to start the listener, but nothing else from SslOptions. cc @JamesNK |
Can we fix this? I see no fundamental reason why QUIC would need ALPN upfront. |
The This is about functional parity with The callback: I assume this is something that Kestrel would use somewhere here: https://source.dot.net/#Microsoft.AspNetCore.Server.Kestrel.Core/Middleware/HttpsConnectionMiddleware.cs,507 runtime/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/MsQuicListener.cs (lines 280 to 286 in 5906521)
but it's doable. @JamesNK @Tratcher considering we cannot reuse the existing delegate (due to
Being able to configure the SslServerAuthenticationOptions per connection with SNI input is a blocking requirement, though some properties are more important than others, like ServerCertificate, ClientCertificateRequired, RemoteCertificateValidationCallback. We want to use the same Kestrel configuration for HTTP 1, 2, and 3. The main delegate in Kestrel we want to make work is: If you need a new delegate to replace ServerOptionsSelectionCallback that's ok, so long as we can adapt TlsHandshakeCallbackContext over both of them.
Note that we have a working server certificate selection callback based on SNI (called for each new connection open). We're just lacking dynamic selection of all the other properties on
No, we need more than just the server cert. The client cert options are almost as important.
A way to reuse the existing delegate would be to make the @Tratcher Correct me if I'm wrong here, but the most important parameter in this callback is the server name on If we make SslStream nullable and someone is using it, then that will error if HTTP/3 starts happening on the endpoint. It would be good to understand if that is likely to impact anyone.
I don't think any of the SslStream properties are even populated at this stage; I don't know why it's passed to the callback. Yes, the ServerName is the most important. The sub-protocols (ALPN) are useful. The other thing we get asked for is the local and remote IPs and ports. That's why we had to create our own callback and flow the ConnectionContext.
That's how we're making some of the HTTP/3 scenarios work in 6, by invoking the callback ourselves with a null stream or connection context.
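Putting the issue's callback together with the properties @Tratcher lists as the ones that matter (server name, ALPN, the client-certificate settings), the following is an added illustration written for this edit; it is not code from the issue, from Kestrel or from the runtime. It assumes a .NET 7 or later runtime in which the QUIC listener honours ServerOptionsSelectionCallback (the thread closes as covered by #67560), and the host names, PFX file names and environment-variable names are constructed placeholders. The point it demonstrates is a selection delegate that never dereferences the SslStream parameter, so one delegate can serve an endpoint that speaks HTTP/1.1, HTTP/2 and HTTP/3 and still pick the server certificate and the client-certificate policy per SNI name:

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Core;

// Kestrel wiring: one endpoint, all three HTTP versions, one selection delegate.
// Assumes a runtime where QUIC honours ServerOptionsSelectionCallback (.NET 7+).
var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(serverOptions =>
{
    serverOptions.ListenLocalhost(5001, listenOptions =>
    {
        listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
        listenOptions.UseHttps(SniOptionsSelector.Select, state: null);
    });
});
var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();

static class SniOptionsSelector
{
    // Constructed host names and PFX paths (placeholders, not values from the issue).
    // PFX passwords come from the environment so they never live in source.
    private static readonly Dictionary<string, X509Certificate2> Certificates =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["public.example.test"] = new X509Certificate2("public.pfx",
                Environment.GetEnvironmentVariable("PUBLIC_PFX_PASSWORD")),
            ["admin.example.test"] = new X509Certificate2("admin.pfx",
                Environment.GetEnvironmentVariable("ADMIN_PFX_PASSWORD")),
        };

    // Matches the ServerOptionsSelectionCallback signature. Under QUIC there is no
    // SslStream, so this method never touches `stream`; only SslClientHelloInfo
    // and `state` drive the decision, which is exactly what the thread asks for.
    public static ValueTask<SslServerAuthenticationOptions> Select(
        SslStream? stream,
        SslClientHelloInfo clientHelloInfo,
        object? state,
        CancellationToken cancellationToken)
    {
        cancellationToken.ThrowIfCancellationRequested();

        // SNI host name from the ClientHello; empty when the client sent none.
        string host = clientHelloInfo.ServerName ?? string.Empty;

        // Unknown or missing SNI falls back to the public certificate rather than
        // aborting the handshake; the admin certificate is only served by name.
        if (!Certificates.TryGetValue(host, out X509Certificate2? certificate))
        {
            certificate = Certificates["public.example.test"];
        }

        bool isAdminHost = host.StartsWith("admin.", StringComparison.OrdinalIgnoreCase);

        var options = new SslServerAuthenticationOptions
        {
            ServerCertificate = certificate,
            EnabledSslProtocols = SslProtocols.None, // OS default; QUIC needs TLS 1.3 anyway
            // Per-host client-certificate policy: the admin host requires mTLS.
            ClientCertificateRequired = isAdminHost,
            // ALPN list; "h3" is what the QUIC listener needs up front.
            ApplicationProtocols = new List<SslApplicationProtocol>
            {
                SslApplicationProtocol.Http3,
                SslApplicationProtocol.Http2,
                SslApplicationProtocol.Http11,
            },
        };

        if (isAdminHost)
        {
            // Reject any client chain that does not validate cleanly.
            options.RemoteCertificateValidationCallback =
                (_, _, _, errors) => errors == SslPolicyErrors.None;
        }

        return ValueTask.FromResult(options);
    }
}
```

The delegate is deliberately written so that it would also work when invoked the way the comment above describes for 6.0, with a null stream: nothing in it depends on the SslStream, and a missing SNI name degrades to the default certificate instead of a handshake failure.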
For a reference, the callback API issue #37933
Conceptually, SslStream does not have visibility into the transport since it depends on the provided stream. I was thinking about ciphers or ALPNs, but we would need some list/array and would need to allocate more. Since there was no specific ask I was not sure if it is worth the trouble, since the basic info seems sufficient (so far). Now, that callback may be fixable.
Closing as covered by #67560