Enable ServerCertificateSelector for HTTP/3 dotnet#34858

Author: Tratcher

src/Servers/Kestrel/Core/src/Internal/Infrastructure/TransportManager.cs

@@ -66,6 +66,17 @@ public async Task<EndPoint> BindAsync(EndPoint endPoint, MultiplexedConnectionDe
                     ApplicationProtocols = new List<SslApplicationProtocol>() { new SslApplicationProtocol("h3"), new SslApplicationProtocol("h3-29") }
                 };
 
+                if (listenOptions.HttpsOptions.ServerCertificateSelector != null)
+                {
+                    // We can't set both
+                    sslServerAuthenticationOptions.ServerCertificate = null;
+                    sslServerAuthenticationOptions.ServerCertificateSelectionCallback = (sender, host) =>
+                    {
+                        // There is no ConnectionContext available durring the handshake.
+                        return listenOptions.HttpsOptions.ServerCertificateSelector(null!, host)!;
+                    };
+                }
+
                 features.Set(sslServerAuthenticationOptions);
             }
 

src/Servers/Kestrel/Transport.Quic/src/QuicTransportFactory.cs

@@ -54,9 +54,12 @@ public ValueTask<IMultiplexedConnectionListener> BindAsync(EndPoint endpoint, IF
             {
                 throw new InvalidOperationException("Couldn't find HTTPS configuration for QUIC transport.");
             }
-            if (sslServerAuthenticationOptions.ServerCertificate == null)
+            if (sslServerAuthenticationOptions.ServerCertificate == null
+                && sslServerAuthenticationOptions.ServerCertificateContext == null
+                && sslServerAuthenticationOptions.ServerCertificateSelectionCallback == null)
             {
-                var message = $"{nameof(SslServerAuthenticationOptions)}.{nameof(SslServerAuthenticationOptions.ServerCertificate)} must be configured with a value.";
+                var message = $"{nameof(SslServerAuthenticationOptions)} must provide a server certificate using {nameof(SslServerAuthenticationOptions.ServerCertificate)},"
+                    + $" {nameof(SslServerAuthenticationOptions.ServerCertificateContext)}, or {nameof(SslServerAuthenticationOptions.ServerCertificateSelectionCallback)}.";
                 throw new InvalidOperationException(message);
             }
 

src/Servers/Kestrel/samples/Http3SampleApp/Program.cs

@@ -25,6 +25,7 @@ public static void Main(string[] args)
                     .ConfigureKestrel((context, options) =>
                     {
                         var cert = CertificateLoader.LoadFromStoreCert("localhost", StoreName.My.ToString(), StoreLocation.CurrentUser, false);
+
                         options.ConfigureHttpsDefaults(httpsOptions =>
                         {
                             httpsOptions.ServerCertificate = cert;
@@ -54,13 +55,41 @@ public static void Main(string[] args)
                         {
                             listenOptions.UseHttps(httpsOptions =>
                             {
-                                httpsOptions.ServerCertificateSelector = (_, _) => cert;
+                                // ConnectionContext is null
+                                httpsOptions.ServerCertificateSelector = (context, host) => cert;
                             });
                             listenOptions.UseConnectionLogging();
-                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2; // TODO: http3
+                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
                         });
 
+                        // No SslServerAuthenticationOptions callback is currently supported by QuicListener
                         options.ListenAnyIP(5004, listenOptions =>
+                        {
+                            listenOptions.UseHttps(httpsOptions =>
+                            {
+                                httpsOptions.OnAuthenticate = (_, sslOptions) => sslOptions.ServerCertificate = cert;
+                            });
+                            listenOptions.UseConnectionLogging();
+                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
+                        });
+
+                        // ServerOptionsSelectionCallback isn't currently supported by QuicListener
+                        options.ListenAnyIP(5005, listenOptions =>
+                        {
+                            ServerOptionsSelectionCallback callback = (SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken) =>
+                            {
+                                var options = new SslServerAuthenticationOptions()
+                                {
+                                    ServerCertificate = cert,
+                                };
+                                return new ValueTask<SslServerAuthenticationOptions>(options);
+                            };
+                            listenOptions.UseHttps(callback, state: null);
+                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
+                        });
+
+                        // TlsHandshakeCallbackOptions (ServerOptionsSelectionCallback) isn't currently supported by QuicListener
+                        options.ListenAnyIP(5006, listenOptions =>
                         {
                             listenOptions.UseHttps(new TlsHandshakeCallbackOptions()
                             {
@@ -74,7 +103,7 @@ public static void Main(string[] args)
                                 },
                             });
                             listenOptions.UseConnectionLogging();
-                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2; // TODO: http3
+                            listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
                         });
                     })
                     .UseStartup<Startup>();

src/Servers/Kestrel/test/Interop.FunctionalTests/Http3/Http3TlsTests.cs

@@ -0,0 +1,126 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Diagnostics;
+using System.Net;
+using System.Net.Http;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Connections;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Server.Kestrel.Core;
+using Microsoft.AspNetCore.Server.Kestrel.FunctionalTests;
+using Microsoft.AspNetCore.Testing;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Xunit;
+
+namespace Interop.FunctionalTests.Http3
+{
+    [QuarantinedTest("https://github.com/dotnet/aspnetcore/issues/35070")]
+    public class Http3TlsTests : LoggedTest
+    {
+        [ConditionalFact]
+        [MsQuicSupported]
+        public async Task ServerCertificateSelector_Invoked()
+        {
+            var builder = CreateHostBuilder(async context =>
+            {
+                await context.Response.WriteAsync("Hello World");
+            }, configureKestrel: kestrelOptions =>
+            {
+                kestrelOptions.ListenAnyIP(0, listenOptions =>
+                {
+                    listenOptions.Protocols = HttpProtocols.Http3;
+                    listenOptions.UseHttps(httpsOptions =>
+                    {
+                        httpsOptions.ServerCertificateSelector = (context, host) =>
+                        {
+                            Assert.Null(context); // The context isn't available durring the quic handshake.
+                            Assert.Equal("localhost", host);
+                            return TestResources.GetTestCertificate();
+                        };
+                    });
+                });
+            });
+
+            using var host = builder.Build();
+            using var client = CreateClient();
+
+            await host.StartAsync().DefaultTimeout();
+
+            // Using localhost instead of 127.0.0.1 because IPs don't set SNI and the Host header isn't currently used as an override.
+            var request = new HttpRequestMessage(HttpMethod.Get, $"https://localhost:{host.GetPort()}/");
+            request.Version = HttpVersion.Version30;
+            request.VersionPolicy = HttpVersionPolicy.RequestVersionExact;
+            // https://github.com/dotnet/runtime/issues/57169 Host isn't used for SNI
+            request.Headers.Host = "testhost";
+
+            var response = await client.SendAsync(request, CancellationToken.None);
+            response.EnsureSuccessStatusCode();
+            var result = await response.Content.ReadAsStringAsync();
+            Assert.Equal(HttpVersion.Version30, response.Version);
+            Assert.Equal("Hello World", result);
+
+            await host.StopAsync().DefaultTimeout();
+        }
+
+        private static HttpMessageInvoker CreateClient(TimeSpan? idleTimeout = null)
+        {
+            var handler = new SocketsHttpHandler();
+            handler.SslOptions = new System.Net.Security.SslClientAuthenticationOptions
+            {
+                RemoteCertificateValidationCallback = (_, __, ___, ____) => true,
+                TargetHost = "targethost"
+            };
+            if (idleTimeout != null)
+            {
+                handler.PooledConnectionIdleTimeout = idleTimeout.Value;
+            }
+
+            return new HttpMessageInvoker(handler);
+        }
+
+        private IHostBuilder CreateHostBuilder(RequestDelegate requestDelegate, HttpProtocols? protocol = null, Action<KestrelServerOptions> configureKestrel = null)
+        {
+            return new HostBuilder()
+                .ConfigureWebHost(webHostBuilder =>
+                {
+                    webHostBuilder
+                        .UseKestrel(o =>
+                        {
+                            if (configureKestrel == null)
+                            {
+                                o.Listen(IPAddress.Parse("127.0.0.1"), 0, listenOptions =>
+                                {
+                                    listenOptions.Protocols = protocol ?? HttpProtocols.Http3;
+                                    listenOptions.UseHttps();
+                                });
+                            }
+                            else
+                            {
+                                configureKestrel(o);
+                            }
+                        })
+                        .Configure(app =>
+                        {
+                            app.Run(requestDelegate);
+                        });
+                })
+                .ConfigureServices(AddTestLogging)
+                .ConfigureHostOptions(o =>
+                {
+                    if (Debugger.IsAttached)
+                    {
+                        // Avoid timeout while debugging.
+                        o.ShutdownTimeout = TimeSpan.FromHours(1);
+                    }
+                    else
+                    {
+                        o.ShutdownTimeout = TimeSpan.FromSeconds(1);
+                    }
+                });
+        }
+    }
+}