From 99f1db7bdc936217b17a1b28502f754be064a0e5 Mon Sep 17 00:00:00 2001
From: "Chris Ross (ASP.NET)"
Date: Tue, 19 Jun 2018 10:42:44 -0700
Subject: [PATCH] Add TLS Filter sample #2251
---
 samples/Http2SampleApp/Program.cs | 38 +++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/samples/Http2SampleApp/Program.cs b/samples/Http2SampleApp/Program.cs
index d0bef1d74b..ec75b652d1 100644
--- a/samples/Http2SampleApp/Program.cs
+++ b/samples/Http2SampleApp/Program.cs
@@ -1,8 +1,12 @@
 using System;
 using System.IO;
 using System.Net;
+using System.Security.Authentication;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Connections.Features;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
+using Microsoft.AspNetCore.Server.Kestrel.Core.Adapter.Internal;
 using Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.Internal;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Logging;
@@ -32,6 +36,7 @@ namespace Http2SampleApp
 listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
 listenOptions.UseHttps("testCert.pfx", "testPassword");
 listenOptions.UseConnectionLogging();
+ listenOptions.ConnectionAdapters.Add(new TlsFilterAdapter());
 });
 })
 .UseContentRoot(Directory.GetCurrentDirectory())
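Review bot: The new `listenOptions.ConnectionAdapters.Add(new TlsFilterAdapter());` line depends on being registered after `UseHttps(...)`, and nothing in the code says so. Connection adapters appear to run in registration order, and the filter reads handshake details that only exist once the HTTPS adapter has completed, so moving this line above `UseHttps` would make the filter fail on every connection instead of inspecting it. A one-line comment would make the dependency explicit: `// Keep after UseHttps(): TlsFilterAdapter inspects the negotiated TLS parameters.` The enclosing options lambda starts and ends outside the hunk.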
@@ -39,5 +44,38 @@ namespace Http2SampleApp
 hostBuilder.Build().Run();
 }
+
+ // https://tools.ietf.org/html/rfc7540#appendix-A
+ // Allows filtering TLS handshakes on a per connection basis
+ private class TlsFilterAdapter : IConnectionAdapter
+ {
+ public bool IsHttps => false;
+
+ public Task OnConnectionAsync(ConnectionAdapterContext context)
+ {
+ var tlsFeature = context.Features.Get();
+
+ if (tlsFeature.CipherAlgorithm == CipherAlgorithmType.Null)
+ {
+ throw new NotSupportedException("Prohibited cipher: " + tlsFeature.CipherAlgorithm);
+ }
+
+ return Task.FromResult(new AdaptedConnection(context.ConnectionStream));
+ }
+
+ private class AdaptedConnection : IAdaptedConnection
+ {
+ public AdaptedConnection(Stream adaptedStream)
+ {
+ ConnectionStream = adaptedStream;
+ }
+
+ public Stream ConnectionStream { get; }
+
+ public void Dispose()
+ {
+ }
+ }
+ }
 }
 }
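Review bot: `tlsFeature` is dereferenced in `OnConnectionAsync` without a null check, so a connection that reaches this adapter without a TLS handshake feature (a non-HTTPS endpoint, or the adapter registered ahead of `UseHttps`) ends in a NullReferenceException rather than a deliberate rejection. I would fail closed explicitly, e.g. `if (tlsFeature == null) { throw new InvalidOperationException("TLS handshake feature not available"); }` before the cipher check. Separately, the header comment cites RFC 7540 Appendix A, but the code only rejects `CipherAlgorithmType.Null`, which is far narrower than the prohibited list in that appendix. The comment should say the check is an illustrative subset, and that a real filter would also look at `tlsFeature.Protocol` (RFC 7540 section 9.2 requires TLS 1.2 or later for HTTP/2) and the other negotiated algorithm properties. The type argument of `context.Features.Get()` seems to have been lost in this rendering of the patch, so it is not reviewed here.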