Minimal changes to support certificate chain-preloading at startup (#24934)

This commit is contained in:
David Fowler 2020-08-17 12:20:10 -07:00 committed by GitHub
parent fec96f2165
commit e0413903e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 3 deletions

View File

@ -68,6 +68,13 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal
} }
} }
if (sslOptions.ServerCertificate != null)
{
// This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
// made to the server
sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: null);
}
if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2) if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)
{ {
HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2); HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);

View File

@ -39,6 +39,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
// The following fields are only set by HttpsConnectionAdapterOptions ctor. // The following fields are only set by HttpsConnectionAdapterOptions ctor.
private readonly HttpsConnectionAdapterOptions _options; private readonly HttpsConnectionAdapterOptions _options;
private readonly SslStreamCertificateContext _serverCertificateContext;
private readonly X509Certificate2 _serverCertificate; private readonly X509Certificate2 _serverCertificate;
private readonly Func<ConnectionContext, string, X509Certificate2> _serverCertificateSelector; private readonly Func<ConnectionContext, string, X509Certificate2> _serverCertificateSelector;
@ -89,6 +90,10 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
else else
{ {
EnsureCertificateIsAllowedForServerAuth(_serverCertificate); EnsureCertificateIsAllowedForServerAuth(_serverCertificate);
// This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
// made to the server
_serverCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, additionalCertificates: null);
} }
var remoteCertificateValidationCallback = _options.ClientCertificateMode == ClientCertificateMode.NoCertificate ? var remoteCertificateValidationCallback = _options.ClientCertificateMode == ClientCertificateMode.NoCertificate ?
@ -232,6 +237,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
var sslOptions = new SslServerAuthenticationOptions var sslOptions = new SslServerAuthenticationOptions
{ {
ServerCertificate = _serverCertificate, ServerCertificate = _serverCertificate,
ServerCertificateContext = _serverCertificateContext,
ServerCertificateSelectionCallback = selector, ServerCertificateSelectionCallback = selector,
ClientCertificateRequired = _options.ClientCertificateMode != ClientCertificateMode.NoCertificate, ClientCertificateRequired = _options.ClientCertificateMode != ClientCertificateMode.NoCertificate,
EnabledSslProtocols = _options.SslProtocols, EnabledSslProtocols = _options.SslProtocols,

View File

@ -385,10 +385,9 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Tests
{ {
{ "www.example.org", new SniConfig() } { "www.example.org", new SniConfig() }
}; };
var fallbackOptions = new HttpsConnectionAdapterOptions var fallbackOptions = new HttpsConnectionAdapterOptions
{ {
ServerCertificate = new X509Certificate2() ServerCertificate = new X509Certificate2(TestResources.GetCertPath("aspnetdevcert.pfx"), "testPassword")
}; };
var sniOptionsSelector = new SniOptionsSelector( var sniOptionsSelector = new SniOptionsSelector(
@ -761,7 +760,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Tests
return null; return null;
} }
var cert = new X509Certificate2(); var cert = TestResources.GetTestCertificate();
CertToPathDictionary.Add(cert, certInfo.Path); CertToPathDictionary.Add(cert, certInfo.Path);
return cert; return cert;
} }