Support specifying a full certificate chain in HttpsConnectionAdapterOptions #21513
Comments
|
Moving this to RC2, since the PR isn't ready yet, and we're out of time for RC1 |
|
Thanks for contacting us. |
jkotalik
added
affected-very-few
|
Closed PR #24935 (lack of tests) |
davidfowl
added
the
api-ready-for-review
|
@davidfowl it'll be handier to review the PR. So not reviewing this yet. |
pranavkm
added
api-approved
|
Is this issue closed ? |
|
Hah no. I emailed you the instructions at one point. Not sure where they are now to be honest. |
|
Did you do it purely with an openssl configuration? |
|
Love it! This will simplify a lot our use case where we generate dynamic certificates at schedule time with Vault and have a few intermediates in the bundle that need to be sent over as well. |
|
@davidfowl, if having a test CA chain is a blocker then you can easily generate one with the help of HashiCorp Vault API. Just follow the steps from here and assume that:
You can have as many intermediates as you want. |
|
@Tratcher, thanks so much! Fixed and released the NuGet package TlsCertificateLoader 1.0.4 with working refresh :) |
options.ListenAnyIp(433, o =>
{
o.SetTlsHandshakeCallbackOptions(fullChainPath, privateKeyPath);
o.SetHttpsConnectionAdapterOptions(fullChainPath, privateKeyPath);
o.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
});Only the first call to UseHttps() should have any impact. I don't think I'd consider removing SetHttpsConnectionAdapterOptions. The TlsHandshakeCallbackOptions UseHttps() overload should be preferred wherever possible. |
With all due respect, this is incorrect. It didn't work on 6.0rc2 and I thought maybe you're right and they fixed it for 6.0 so let me revisit it on my 6.0 app and tried to disable SetHttpsConnectionAdapterOptions. The site wouldn't load and was giving a ERR_QUIC_PROTOCOL_ERROR. You absolutely need both lines if you want to use HTTP/3, at least on my environment (Ubuntu). Haven't tested on Windows, but if you want portable code anyway.... The library has been rewritten As far as I can tell, it's the only one that allows you to load a full chain HTTP/3 site on Kestrel. The only thing you can't do, and I'm not convinced is possible by Kestrel, is to load multiple certificates and serve the appropriate one depending on the hostname. For example serving a certificate for mydomain.tld and a different one for www.mydomain.tld or myotherdomain.tld. HttpsConnectionAdapterOptions allows you that flexibility but TlsHandshakeCallbackOptions doesn't seem like it does, and you absolutely need the latter because the former doesn't allow the full chain anyway. |
|
Yeah, HTTP/3 is a special case because some of the callbacks don't work yet.
This is possible. The TlsHandshakeCallbackOptions.OnConnection callback gives you a TlsHandshakeCallbackContext. That has the SslClientHelloInfo on it with the ServerName. |
|
But how would you go about putting logic there so it picks up the
appropriate certificate collection from a dictionary?
…On Thu, 11 Nov 2021, 18:08 Chris Ross, ***@***.***> wrote:
Yeah, HTTP/3 is a special case because some of the callbacks don't work
yet.
The only thing you can't do, and I'm not convinced is possible by Kestrel,
is to load multiple certificates and serve the appropriate one depending on
the hostname. For example serving a certificate for mydomain.tld and a
different one for www.mydomain.tld or myotherdomain.tld.
HttpsConnectionAdapterOptions allows you that flexibility but
TlsHandshakeCallbackOptions doesn't seem like it does, and you absolutely
need the latter because the former doesn't allow the full chain anyway.
This is possible. The TlsHandshakeCallbackOptions.OnConnection callback
gives you a TlsHandshakeCallbackContext. That has the SslClientHelloInfo on
it with the ServerName.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#21513 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AF7U7YDSLLLYCHZRSC4XPITULP2BZANCNFSM4MZ4T4DQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
Cheers, released version 1.1.0 which handles additional certificates for different hostnames. https://github.com/MarkCiliaVincenti/TlsCertificateLoader |
|
I've made some big changes to TlsCertificateLoader. I've now added middleware for Certbot certificates. https://github.com/MarkCiliaVincenti/TlsCertificateLoader |
|
Why is it 2 method calls? |
|
What do you mean?
…On Sat, 27 Nov 2021, 16:24 David Fowler, ***@***.***> wrote:
Why is it 2 method calls?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#21513 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AF7U7YBP5VLILZEQM5NSWMDUODZ2BANCNFSM4MZ4T4DQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
These 3 calls. It's not clear to me which calls are required. I see AddTlsCertificateLoader, UseTlsCertificateLoader, and the middleware (UseTlsCertificateLoader). The middleware doesn't seem like something usable in an existing application (https://github.com/MarkCiliaVincenti/TlsCertificateLoader/blob/377ff452f1bbf1d835a233534be4a4286f6d7248/TlsCertificateLoader/Extensions/TlsCertificateLoaderMiddlewareExtensions.cs#L107-L146), it kinda assumes it can add these middlewares to an existing pipeline without consequence. |
|
I understand what you mean and later I will make the library more flexible
because currently it does the following:
- enable HSTS (only this is configurable)
- enable static files (needed to use with Certbot webroot)
- redirect HTTP traffic to HTTPS
- redirect www.mydomain.tld traffic to mydomain.tld (definitely next in
line to be configurable)
Of course, one can also do without the middleware as per the other sample
and have more control. The most important thing is that this is the only
library I found that allows you to use HTTP/3 with Kestrel on Ubuntu with
fully valid SSL.
…On Sun, 28 Nov 2021, 01:33 David Fowler, ***@***.***> wrote:
These 3 calls. It's not clear to me which calls are required. I see
AddTlsCertificateLoader, UseTlsCertificateLoader, and the middleware
(UseTlsCertificateLoader). The middleware doesn't seem like something
usable in an existing application (
https://github.com/MarkCiliaVincenti/TlsCertificateLoader/blob/377ff452f1bbf1d835a233534be4a4286f6d7248/TlsCertificateLoader/Extensions/TlsCertificateLoaderMiddlewareExtensions.cs#L107-L146),
it kinda assumes it can add these middlewares to an existing pipeline
without consequence.
https://github.com/MarkCiliaVincenti/TlsCertificateLoader/blob/e5f4fc31f1f29b3c5bf084aa04a0736cbc78b69d/Samples/CertbotSampleUsingMiddleware/Program.cs#L8-L10
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#21513 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AF7U7YA5AERGRI27OV7PTO3UOF2ERANCNFSM4MZ4T4DQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
HaoK
added
Done
ghost
locked as resolved and limited conversation to collaborators
amcasey
added
area-networking
public class HttpsConnectionAdapterOptions { public X509Certificate2 ServerCertificate { get; set; } + public X509Certificate2Collection ServerCertificateChain { get; set; } }Configuration:
For configuration, we'll support the full cert chain in Path:
// "CertificateName": { // "Path": "testCert.pem/pfx", // "KeyPath": "key.pem",This depends on dotnet/runtime#35844
The text was updated successfully, but these errors were encountered: