Skip to content

feat(HTTP.SYS): on-demand TLS client hello retrieval #62209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat(HTTP.SYS): on-demand TLS client hello retrieval #62209

wants to merge 6 commits into from
+130 −467

Conversation

DeagleGross
Copy link
Member

HTTP.SYS only on-demand TLS client hello

As discussed in api proposal we are doing 2 things here:

  1. removing previous "callback" API HttpSysOptions.TlsClientHelloBytesCallback
  2. implementing an on-demand request of TlsClientHello via win API. It is done by exposing a method on a new feature interface IHttpSysRequestPropertiesFeature: IHttpSysRequestPropertiesFeature.TryGetTlsClientHello.

TlsFeaturesObserve.Program sample shows the usage of that feature and this API in particular:

app.Use(async (context, next) =>
{
    var connectionFeature = context.Features.GetRequiredFeature<IHttpConnectionFeature>();
    var httpSysPropFeature = context.Features.GetRequiredFeature<IHttpSysRequestPropertyFeature>();

    // first time invocation to find out required size
    var success = httpSysPropFeature.TryGetTlsClientHello(Array.Empty<byte>(), out var bytesReturned);
    Debug.Assert(!success);
    Debug.Assert(bytesReturned > 0);

    // rent with enough memory span and invoke
    var bytes = ArrayPool<byte>.Shared.Rent(bytesReturned);
    success = httpSysPropFeature.TryGetTlsClientHello(bytes, out _);
    Debug.Assert(success);

    await context.Response.WriteAsync($"[Response] connectionId={connectionFeature.ConnectionId}; tlsClientHello.length={bytesReturned}; tlsclienthello start={string.Join(' ', bytes.AsSpan(0, 30).ToArray())}");
    await next(context);
});

Implements #61625

@github-actions github-actions bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Jun 2, 2025
@build-analysis build-analysis bot mentioned this pull request Jun 2, 2025
Open
halter73
halter73 approved these changes Jun 2, 2025
View reviewed changes
BrennanConroy
BrennanConroy reviewed Jun 3, 2025
View reviewed changes
src/Http/Http.Features/src/IHttpSysRequestPropertyFeature.cs Outdated
public interface IHttpSysRequestPropertyFeature
{
/// <summary>
/// Reads the TLS client hello from HTTP.SYS
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tdykstra for docs pass?

BrennanConroy
BrennanConroy reviewed Jun 4, 2025
View reviewed changes
tdykstra
tdykstra approved these changes Jun 5, 2025
View reviewed changes
Copy link
Contributor

@tdykstra tdykstra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just A few nits.

src/Servers/HttpSys/src/IHttpSysRequestPropertyFeature.cs
/// <summary>
/// Reads the TLS client hello from HTTP.SYS
/// </summary>
/// <param name="tlsClientHelloBytesDestination">Where the raw bytes of the TLS Client Hello message will be written.</param>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Avoid future tense per the style guide.

Suggested change
/// <param name="tlsClientHelloBytesDestination">Where the raw bytes of the TLS Client Hello message will be written.</param>
/// <param name="tlsClientHelloBytesDestination">Where the raw bytes of the TLS Client Hello message are written.</param>

src/Servers/HttpSys/src/RequestProcessing/RequestContext.cs
}
finally

// if buffer supplied is too small, `bytesReturned` will have proper size
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// if buffer supplied is too small, `bytesReturned` will have proper size
// if buffer supplied is too small, `bytesReturned` has proper size

src/Servers/HttpSys/src/IHttpSysRequestPropertyFeature.cs
/// </remarks>
/// <returns>
/// True, if fetching TLS client hello was successful, false if <paramref name="tlsClientHelloBytesDestination"/> size is not large enough.
/// If non-successful for other reason throws an exception.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/// If non-successful for other reason throws an exception.
/// If unsuccessful for other reason throws an exception.

tdykstra

This comment was marked as duplicate.

Sign in to view

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@halter73 halter73 halter73 approved these changes

@tdykstra tdykstra tdykstra approved these changes

@BrennanConroy BrennanConroy BrennanConroy left review comments

@JamesNK JamesNK Awaiting requested review from JamesNK JamesNK is a code owner

@mgravell mgravell Awaiting requested review from mgravell mgravell is a code owner

@captainsafia captainsafia Awaiting requested review from captainsafia

Assignees
No one assigned
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions feature-httpsys
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@DeagleGross @halter73 @tdykstra @BrennanConroy @gfoidl