Minimal changes to support certificate chain-preloading at startup (#24934)

2020-08-17 12:20:10 -07:00 · 2020-08-17 12:20:10 -07:00 · e0413903e5
parent fec96f2165
commit e0413903e5
3 changed files with 15 additions and 3 deletions
--- a/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs
+++ b/src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs
@ -68,6 +68,13 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal
                    }
                }

+                if (sslOptions.ServerCertificate != null)
+                {
+                    // This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
+                    // made to the server
+                    sslOptions.ServerCertificateContext = SslStreamCertificateContext.Create((X509Certificate2)sslOptions.ServerCertificate, additionalCertificates: null);
+                }
+
                if (!certifcateConfigLoader.IsTestMock && sslOptions.ServerCertificate is X509Certificate2 cert2)
                {
                    HttpsConnectionMiddleware.EnsureCertificateIsAllowedForServerAuth(cert2);
--- a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
+++ b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
@ -39,6 +39,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal

        // The following fields are only set by HttpsConnectionAdapterOptions ctor.
        private readonly HttpsConnectionAdapterOptions _options;
+        private readonly SslStreamCertificateContext _serverCertificateContext;
        private readonly X509Certificate2 _serverCertificate;
        private readonly Func<ConnectionContext, string, X509Certificate2> _serverCertificateSelector;

@ -89,6 +90,10 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
            else
            {
                EnsureCertificateIsAllowedForServerAuth(_serverCertificate);
+
+                // This might be do blocking IO but it'll resolve the certificate chain up front before any connections are
+                // made to the server
+                _serverCertificateContext = SslStreamCertificateContext.Create(_serverCertificate, additionalCertificates: null);
            }

            var remoteCertificateValidationCallback = _options.ClientCertificateMode == ClientCertificateMode.NoCertificate ?
@ -232,6 +237,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal
            var sslOptions = new SslServerAuthenticationOptions
            {
                ServerCertificate = _serverCertificate,
+                ServerCertificateContext = _serverCertificateContext,
                ServerCertificateSelectionCallback = selector,
                ClientCertificateRequired = _options.ClientCertificateMode != ClientCertificateMode.NoCertificate,
                EnabledSslProtocols = _options.SslProtocols,
--- a/src/Servers/Kestrel/Core/test/SniOptionsSelectorTests.cs
+++ b/src/Servers/Kestrel/Core/test/SniOptionsSelectorTests.cs
@ -385,10 +385,9 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Tests
            {
                { "www.example.org", new SniConfig() }
            };
-
            var fallbackOptions = new HttpsConnectionAdapterOptions
            {
-                ServerCertificate = new X509Certificate2()
+                ServerCertificate = new X509Certificate2(TestResources.GetCertPath("aspnetdevcert.pfx"), "testPassword")
            };

            var sniOptionsSelector = new SniOptionsSelector(
@ -761,7 +760,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Core.Tests
                    return null;
                }

-                var cert = new X509Certificate2();
+                var cert = TestResources.GetTestCertificate();
                CertToPathDictionary.Add(cert, certInfo.Path);
                return cert;
            }