
SNI API for SslStream #23797

@Drawaes


Rationale

The SNI extension allows for multiple hostnames to be served from a single IP address/port combo. This is needed for Kestrel to be able to be a true web facing internet server using TLS.

The client side already supports sending a hostname so requires no change. The server side should have a callback that gives the correct certificate/chain depending on a host name or returns null if none are available.

If no certificate is returned the handshake should fail.

This requires the ALPN API to be completed first.

API Shape

namespace System.Net.Security
{
    public class SslServerAuthenticationOptions
    {
        public ServerCertificateSelectionCallback ServerCertificateSelectionCallback { get; set; }
    }

    public delegate System.Security.Cryptography.X509Certificates.X509Certificate ServerCertificateSelectionCallback(object sender, string hostName);
}

Additional API information:

  • When host name could not be found the hostName value will be null when callback is called
  • hostName will never be an empty string
  • When caller returns null certificate we will throw AuthenticationException

Open questions:

  • ReadOnlySpan<byte> vs. string for hostName - for server API it might be appropriate to make callback with ReadOnlySpan<byte> - this way server does not have to make two allocations on each request (1 for UTF8 conversion and 1 for IDN conversion) - server could potentially do conversion beforehand and then do byte compare - for client we chose hostName but in the client case it is less important and should be more user friendly
    • If we choose ReadOnlySpan<byte>, should we add API to convert to string? (and where)

References

ALPN/Optionbag Dependent issue #23157 and PR dotnet/corefx#24389

/cc @Priya91 @Tratcher @geoffkizer @benaadams
EDIT (@krwq): updated API proposal, added open questions
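The following is an added example of how a server would use the callback shape proposed above; it is not code from this issue or from the dotnet repositories. It assumes the proposed `SslServerAuthenticationOptions.ServerCertificateSelectionCallback` property with the `(object sender, string hostName)` delegate signature, and the options-based `AuthenticateAsServerAsync` overload from the dependent ALPN/option-bag work. Certificate file names, passwords and host names are placeholders. It demonstrates the three documented behaviours: `hostName` is `null` when the client sent no SNI, the selector returns `null` for an unknown name so the handshake fails with `AuthenticationException`, and that exception is handled per connection so one bad handshake does not stop the accept loop.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example, not from the issue or the dotnet codebase. Assumes the proposed
// ServerCertificateSelectionCallback shape: (object sender, string hostName) -> X509Certificate.
public sealed class SniCertificateSelector
{
    // SNI host name -> certificate with private key. DNS names are case-insensitive,
    // so the lookup is too. The proposal guarantees hostName is never an empty string.
    private readonly Dictionary<string, X509Certificate2> _byHost =
        new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase);

    // Served only when the client sent no SNI extension at all (hostName == null).
    // Pass null here to reject such clients instead.
    private readonly X509Certificate2 _noSniFallback;

    public SniCertificateSelector(X509Certificate2 noSniFallback) => _noSniFallback = noSniFallback;

    public void Add(string hostName, X509Certificate2 cert) => _byHost[hostName] = cert;

    // Matches the proposed ServerCertificateSelectionCallback delegate.
    public X509Certificate Select(object sender, string hostName)
    {
        if (hostName == null)
            return _noSniFallback;

        // Unknown name: return null. Per the proposal SslStream then throws
        // AuthenticationException and the handshake fails, so the server never
        // presents a certificate for a name it was not configured to serve.
        return _byHost.TryGetValue(hostName, out var cert) ? cert : null;
    }
}

public static class SniServer
{
    public static async Task RunAsync(SniCertificateSelector selector, int port)
    {
        var listener = new TcpListener(IPAddress.Any, port);
        listener.Start();

        var options = new SslServerAuthenticationOptions
        {
            ServerCertificateSelectionCallback = selector.Select
            // ApplicationProtocols (ALPN) and other option-bag settings would go here.
        };

        while (true)
        {
            TcpClient client = await listener.AcceptTcpClientAsync();
            _ = Task.Run(async () =>
            {
                using (client)
                using (var ssl = new SslStream(client.GetStream(), leaveInnerStreamOpen: false))
                {
                    try
                    {
                        await ssl.AuthenticateAsServerAsync(options, default);
                        // Handshake succeeded for a known host name; serve on `ssl` here.
                    }
                    catch (AuthenticationException ex)
                    {
                        // Callback returned null (unknown SNI) or another TLS failure.
                        // Log and drop this connection only; the accept loop keeps running.
                        Console.Error.WriteLine($"TLS handshake failed: {ex.Message}");
                    }
                }
            });
        }
    }

    public static Task Main()
    {
        // Placeholder certificate files and password; replace with real material.
        var selector = new SniCertificateSelector(new X509Certificate2("default.pfx", "placeholder"));
        selector.Add("example.com", new X509Certificate2("example-com.pfx", "placeholder"));
        selector.Add("example.net", new X509Certificate2("example-net.pfx", "placeholder"));
        return RunAsync(selector, 8443);
    }
}
```

Two design points worth noting against the open questions above: the lookup is done on the already-decoded `string` host name, which is the allocation the `ReadOnlySpan<byte>` variant is trying to avoid; and the choice of what to serve when `hostName` is `null` is an explicit policy decision in the selector rather than something the callback shape decides for you.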
