Labels: api-approved (API was approved in API review, it can be implemented), area-System.Net.Security
Description
Rationale
The SNI extension allows multiple hostnames to be served from a single IP address/port combination. This is needed for Kestrel to be able to be a true internet-facing web server using TLS.
The client side already supports sending a hostname, so it requires no change. The server side should have a callback that gives the correct certificate/chain depending on the host name, or returns null if none is available.
If no certificate is returned, the handshake should fail.
This requires the ALPN API to be completed first.
API Shape
```csharp
namespace System.Net.Security
{
    public class SslServerAuthenticationOptions
    {
        public ServerCertificateSelectionCallback ServerCertificateSelectionCallback { get; set; }
    }

    public delegate System.Security.Cryptography.X509Certificates.X509Certificate ServerCertificateSelectionCallback(object sender, string hostName);
}
```
Additional API information:
- When the host name could not be found, the `hostName` value will be `null`; when the callback is called, `hostName` will never be an empty string.
- When the caller returns a null certificate, we will throw `AuthenticationException`.
Open questions:
- `ReadOnlySpan<byte>` vs. `string` for `hostName`
  - for the server API it might be appropriate to make the callback with `ReadOnlySpan<byte>`
  - this way the server does not have to make two allocations on each request (1 for UTF8 conversion and 1 for IDN conversion); the server could potentially do the conversion beforehand and then do a byte compare
  - for the client we chose `hostName`, but in the client case it is less important and should be more user friendly
- If we choose `ReadOnlySpan<byte>`, should we add an API to convert to `string`? (and where)
- If we choose
References
ALPN/Optionbag Dependent issue #23157 and PR dotnet/corefx#24389
/cc @Priya91 @Tratcher @geoffkizer @benaadams
EDIT (@krwq): updated API proposal, added open questions
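An added example (not code from this issue or from corefx) showing how a server would use the proposed `ServerCertificateSelectionCallback` and how the two documented edge cases behave: a `null` `hostName` (client sent no SNI) is handled by policy, and returning `null` for an unknown host fails the handshake with `AuthenticationException`. It assumes the API shape above as approved, plus `SslServerAuthenticationOptions`/`SslClientAuthenticationOptions` overloads of `AuthenticateAsServerAsync`/`AuthenticateAsClientAsync`. The host names `alpha.example`, `beta.example` and `gamma.example` and the self-signed certificates generated at startup are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added illustration (not corefx code): one listener, two host names, certificate picked from SNI.
static class SniDemo
{
    // Constructed sample data: self-signed certificates for the only two hosts this server serves.
    static readonly Dictionary<string, X509Certificate2> CertsByHost =
        new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase)
        {
            ["alpha.example"] = MakeSelfSigned("alpha.example"),
            ["beta.example"] = MakeSelfSigned("beta.example"),
        };

    // Matches the proposed ServerCertificateSelectionCallback delegate.
    // hostName is null when the client sent no SNI extension and is never an empty string.
    // Returning null makes the server-side handshake fail with AuthenticationException.
    static X509Certificate SelectServerCertificate(object sender, string hostName)
    {
        if (hostName == null)
        {
            // Policy choice: serve SNI-less clients the default host, or return null to refuse them.
            return CertsByHost["alpha.example"];
        }
        return CertsByHost.TryGetValue(hostName, out X509Certificate2 cert) ? cert : null;
    }

    static X509Certificate2 MakeSelfSigned(string host)
    {
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=" + host, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var san = new SubjectAlternativeNameBuilder();
            san.AddDnsName(host);
            req.CertificateExtensions.Add(san.Build());
            X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
            // Re-import through PFX so SChannel on Windows can use the private key.
            return new X509Certificate2(cert.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.Exportable);
        }
    }

    // One loopback handshake. Returns the subject of the certificate the server presented,
    // or null when the server refused the handshake (no certificate for the requested host).
    static async Task<string> HandshakeAsync(TcpListener listener, string targetHost)
    {
        using (var clientTcp = new TcpClient())
        {
            await clientTcp.ConnectAsync(IPAddress.Loopback, ((IPEndPoint)listener.LocalEndpoint).Port);
            using (TcpClient serverTcp = await listener.AcceptTcpClientAsync())
            using (var server = new SslStream(serverTcp.GetStream()))
            using (var client = new SslStream(clientTcp.GetStream()))
            {
                Task serverTask = server.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
                {
                    ServerCertificateSelectionCallback = SelectServerCertificate,
                });
                Task clientTask = client.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
                {
                    TargetHost = targetHost, // sent as the SNI server_name
                    // Test-only: the certificates are self-signed, so chain validation is skipped here.
                    RemoteCertificateValidationCallback = (s, cert, chain, errors) => true,
                });
                try
                {
                    await serverTask; // throws AuthenticationException when the callback returned null
                }
                catch (AuthenticationException)
                {
                    serverTcp.Close(); // tear the connection down so the client side unblocks
                    try { await clientTask; } catch (Exception) { /* expected: reset or TLS alert */ }
                    return null;
                }
                await clientTask;
                return client.RemoteCertificate.Subject;
            }
        }
    }

    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        try
        {
            foreach (string host in new[] { "alpha.example", "beta.example", "gamma.example" })
            {
                string subject = await HandshakeAsync(listener, host);
                Console.WriteLine(host + " -> " + (subject ?? "handshake failed (no certificate for host)"));
            }
        }
        finally
        {
            listener.Stop();
        }
    }
}
```

The lookup is case-insensitive because SNI host names are DNS names; a production server would additionally apply IDN normalization to the key before comparing, which is exactly the allocation the `ReadOnlySpan<byte>` open question above is trying to avoid.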