From 810a302e668cdf4e9c4e70c42b928bc38877a2f9 Mon Sep 17 00:00:00 2001
From: "Chris Ross (ASP.NET)"
Date: Mon, 4 Jun 2018 09:51:00 -0700
Subject: [PATCH] Disable AllowRenegotiation for HTTP/2
---
 samples/Http2SampleApp/Http2SampleApp.csproj | 4 ++--
 src/Kestrel.Core/Internal/HttpsConnectionAdapter.cs | 2 ++
 .../HttpsConnectionAdapterTests.cs | 8 ++++++--
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/samples/Http2SampleApp/Http2SampleApp.csproj b/samples/Http2SampleApp/Http2SampleApp.csproj
index 7a2f07145f..bba5c00453 100644
--- a/samples/Http2SampleApp/Http2SampleApp.csproj
+++ b/samples/Http2SampleApp/Http2SampleApp.csproj
@@ -1,7 +1,7 @@ - + - netcoreapp2.2 + netcoreapp2.2;net461 false true
diff --git a/src/Kestrel.Core/Internal/HttpsConnectionAdapter.cs b/src/Kestrel.Core/Internal/HttpsConnectionAdapter.cs
index 4058635e68..24f97b0820 100644
--- a/src/Kestrel.Core/Internal/HttpsConnectionAdapter.cs
+++ b/src/Kestrel.Core/Internal/HttpsConnectionAdapter.cs
@@ -158,6 +158,8 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
 if ((_options.HttpProtocols & HttpProtocols.Http2) != 0)
 {
 sslOptions.ApplicationProtocols.Add(SslApplicationProtocol.Http2);
+ // https://tools.ietf.org/html/rfc7540#section-9.2.1
+ sslOptions.AllowRenegotiation = false;
 }
 
 if ((_options.HttpProtocols & HttpProtocols.Http1) != 0)
diff --git a/test/Kestrel.FunctionalTests/HttpsConnectionAdapterTests.cs b/test/Kestrel.FunctionalTests/HttpsConnectionAdapterTests.cs
index 7798820b10..87be49ccec 100644
--- a/test/Kestrel.FunctionalTests/HttpsConnectionAdapterTests.cs
+++ b/test/Kestrel.FunctionalTests/HttpsConnectionAdapterTests.cs
@@ -12,6 +12,7 @@ using System.Net.Sockets;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
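Review bot: The new `sslOptions.AllowRenegotiation = false;` in the HttpsConnectionAdapter.cs hunk is keyed on the listener-level `_options.HttpProtocols`, so on a listener configured with Http1AndHttp2 it also disables renegotiation for connections that end up negotiating HTTP/1.1 via ALPN (the protocol is not known until after the handshake), and the bare RFC link above it does not say so while the Http1 branch right below reads as if HTTP/1.1 were untouched. Suggest expanding the comment to `// RFC 7540 §9.2.1 forbids TLS renegotiation for HTTP/2. Decided per listener, so this also covers HTTP/1.1 connections negotiated on an endpoint that offers h2.` If the HTTP/1.1-only path has no dependency on renegotiation either, setting the flag unconditionally outside the Http2 branch would be simpler and narrow the TLS surface for every listener; if it does depend on it, a comment saying why the flag is HTTP/2-only would help the next reader. Whether the flag is actually enforced presumably depends on the platform SslStream implementation, so a functional test that attempts a renegotiation on an h2-enabled listener and expects it to be refused would confirm the behaviour rather than only the option value. The enclosing method starts and ends outside the hunk.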
@@ -345,11 +346,14 @@ namespace Microsoft.AspNetCore.Server.Kestrel.FunctionalTests
 }
 }
 
- [Fact]
- public async Task CertificatePassedToHttpContext()
+ [Theory]
+ [InlineData(HttpProtocols.Http1)]
+ [InlineData(HttpProtocols.Http1AndHttp2)] // Make sure Http/1.1 doesn't regress with Http/2 enabled.
+ public async Task CertificatePassedToHttpContext(HttpProtocols httpProtocols)
 {
 var listenOptions = new ListenOptions(new IPEndPoint(IPAddress.Loopback, 0))
 {
+ Protocols = httpProtocols,
 ConnectionAdapters =
 {
 new HttpsConnectionAdapter(new HttpsConnectionAdapterOptions
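Review bot: The converted theory exercises the client-certificate path with `HttpProtocols.Http1` and `HttpProtocols.Http1AndHttp2`, but as its own trailing comment says it only guards against an HTTP/1.1 regression; nothing here asserts the property this commit introduces, that renegotiation is disabled once h2 is offered on the listener. If the rest of the patch (not visible in this chunk) does not add one, consider a dedicated test that configures `Protocols = HttpProtocols.Http1AndHttp2` and checks that renegotiation is refused on the resulting connection, since that is the behaviour an HTTP/2 client would depend on. The `using System.Threading;` added in the earlier hunk of this file has no visible use in these hunks; the diffstat shows two more insertions than are visible, so it is presumably consumed there. The method body continues past the end of the hunk.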