Change to strongly typed TLS connection options

Author: JamesNK

src/Servers/Connections.Abstractions/src/PublicAPI.Unshipped.txt

@@ -1 +1,19 @@
 #nullable enable
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.CancellationToken.get -> System.Threading.CancellationToken
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.CancellationToken.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.ClientHelloInfo.get -> System.Net.Security.SslClientHelloInfo
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.ClientHelloInfo.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.Connection.get -> Microsoft.AspNetCore.Connections.ConnectionContext!
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.Connection.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.State.get -> object?
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.State.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.TlsConnectionCallbackContext() -> void
+Microsoft.AspNetCore.Connections.TlsConnectionOptions
+Microsoft.AspNetCore.Connections.TlsConnectionOptions.ApplicationProtocols.get -> System.Collections.Generic.List<System.Net.Security.SslApplicationProtocol>!
+Microsoft.AspNetCore.Connections.TlsConnectionOptions.ApplicationProtocols.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionOptions.OnConnection.get -> System.Func<Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext!, System.Threading.Tasks.ValueTask<System.Net.Security.SslServerAuthenticationOptions!>>!
+Microsoft.AspNetCore.Connections.TlsConnectionOptions.OnConnection.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionOptions.OnConnectionState.get -> object?
+Microsoft.AspNetCore.Connections.TlsConnectionOptions.OnConnectionState.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionOptions.TlsConnectionOptions() -> void

src/Servers/Connections.Abstractions/src/TlsConnectionCallbackContext.cs

@@ -0,0 +1,37 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+#if NET7_0_OR_GREATER
+using System.Net.Security;
+using System.Threading;
+using Microsoft.AspNetCore.Connections;
+using Microsoft.AspNetCore.Http.Features;
+
+namespace Microsoft.AspNetCore.Connections;
+
+/// <summary>
+/// Per connection state used to determine the TLS options.
+/// </summary>
+public class TlsConnectionCallbackContext
+{
+    /// <summary>
+    /// Information from the Client Hello message.
+    /// </summary>
+    public SslClientHelloInfo ClientHelloInfo { get; set; }
+
+    /// <summary>
+    /// The information that was passed when registering the callback.
+    /// </summary>
+    public object? State { get; set; }
+
+    /// <summary>
+    /// The token to monitor for cancellation requests.
+    /// </summary>
+    public CancellationToken CancellationToken { get; set; }
+
+    /// <summary>
+    /// Information about an individual connection.
+    /// </summary>
+    public ConnectionContext Connection { get; set; } = default!;
+}
+#endif

src/Servers/Connections.Abstractions/src/TlsConnectionOptions.cs

@@ -0,0 +1,29 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+#if NET7_0_OR_GREATER
+using System;
+using System.Collections.Generic;
+using System.Net.Security;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.Connections;
+
+/// <summary>
+/// Options used to configure a per connection callback for TLS configuration.
+/// </summary>
+public class TlsConnectionOptions
+{
+    /// <summary>
+    /// The callback to invoke per connection. This property is required.
+    /// </summary>
+    public Func<TlsConnectionCallbackContext, ValueTask<SslServerAuthenticationOptions>> OnConnection { get; set; } = default!;
+
+    /// <summary>
+    /// Optional application state to flow to the <see cref="OnConnection"/> callback.
+    /// </summary>
+    public object? OnConnectionState { get; set; }
+
+    public List<SslApplicationProtocol> ApplicationProtocols { get; set; } = default!;
+}
+#endif

src/Servers/Kestrel/Core/src/Internal/Infrastructure/TransportManager.cs

@@ -8,6 +8,7 @@
 using System.Net.Security;
 using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Http.Features;
+using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
@@ -58,22 +59,31 @@ public async Task<EndPoint> BindAsync(EndPoint endPoint, MultiplexedConnectionDe
         // The transport will check if the feature is missing.
         if (listenOptions.HttpsOptions != null)
         {
-            features.Set(HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions));
+            var sslServerAuthenticationOptions = HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions);
+            features.Set(new TlsConnectionOptions
+            {
+                ApplicationProtocols = sslServerAuthenticationOptions.ApplicationProtocols ?? new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
+                OnConnection = context => ValueTask.FromResult(sslServerAuthenticationOptions),
+                OnConnectionState = null,
+            });
         }
         if (listenOptions.HttpsCallbackOptions != null)
         {
-            Func<SslClientHelloInfo, CancellationToken, ValueTask<SslServerAuthenticationOptions>> callback = (helloInfo, cancellationToken) =>
+            features.Set(new TlsConnectionOptions
             {
-                return listenOptions.HttpsCallbackOptions.OnConnection(new Https.TlsHandshakeCallbackContext
+                ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
+                OnConnection = context =>
                 {
-                    ClientHelloInfo = helloInfo,
-                    CancellationToken = cancellationToken,
-                    State = listenOptions.HttpsCallbackOptions.OnConnectionState
-                });
-            };
-
-            features.Set(callback);
-            features.Set<IList<SslApplicationProtocol>>(new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 });
+                    return listenOptions.HttpsCallbackOptions.OnConnection(new TlsHandshakeCallbackContext
+                    {
+                        ClientHelloInfo = context.ClientHelloInfo,
+                        CancellationToken = context.CancellationToken,
+                        State = context.State,
+                        Connection = context.Connection,
+                    });
+                },
+                OnConnectionState = listenOptions.HttpsCallbackOptions.OnConnectionState,
+            });
         }
 
         var transport = await _multiplexedTransportFactory.BindAsync(endPoint, features, cancellationToken).ConfigureAwait(false);

src/Servers/Kestrel/Transport.Quic/src/Internal/QuicConnectionListener.cs

@@ -16,18 +16,17 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Transport.Quic.Internal;
 internal sealed class QuicConnectionListener : IMultiplexedConnectionListener, IAsyncDisposable
 {
     private readonly ILogger _log;
-    private readonly List<SslApplicationProtocol> _protocols;
-    private bool _disposed;
+    private readonly TlsConnectionOptions _tlsConnectionOptions;
     private readonly QuicTransportContext _context;
-    private QuicListener? _listener;
     private readonly QuicListenerOptions _quicListenerOptions;
+    private bool _disposed;
+    private QuicListener? _listener;
 
     public QuicConnectionListener(
         QuicTransportOptions options,
         ILogger log,
         EndPoint endpoint,
-        List<SslApplicationProtocol> protocols,
-        Func<SslClientHelloInfo, CancellationToken, ValueTask<SslServerAuthenticationOptions>> sslServerAuthenticationOptionsCallback)
+        TlsConnectionOptions tlsConnectionOptions)
     {
         if (!QuicListener.IsSupported)
         {
@@ -39,27 +38,33 @@ public QuicConnectionListener(
             throw new InvalidOperationException($"QUIC doesn't support listening on the configured endpoint type. Expected {nameof(IPEndPoint)} but got {endpoint.GetType().Name}.");
         }
 
-        if (protocols.Count == 0)
+        if (tlsConnectionOptions.ApplicationProtocols.Count == 0)
         {
             throw new InvalidOperationException("No application protocols specified.");
         }
 
         _log = log;
-        _protocols = protocols;
+        _tlsConnectionOptions = tlsConnectionOptions;
         _context = new QuicTransportContext(_log, options);
         _quicListenerOptions = new QuicListenerOptions
         {
-            ApplicationProtocols = _protocols,
+            ApplicationProtocols = _tlsConnectionOptions.ApplicationProtocols,
             ListenEndPoint = listenEndPoint,
             ListenBacklog = options.Backlog,
             ConnectionOptionsCallback = async (connection, helloInfo, cancellationToken) =>
             {
-                var serverAuthenticationOptions = await sslServerAuthenticationOptionsCallback(helloInfo, cancellationToken);
+                var serverAuthenticationOptions = await _tlsConnectionOptions.OnConnection(new TlsConnectionCallbackContext
+                {
+                    CancellationToken = cancellationToken,
+                    ClientHelloInfo = helloInfo,
+                    State = _tlsConnectionOptions.OnConnectionState,
+                    Connection = null!,
+                });
 
                 // If the callback didn't set protocols then use the listener's list of protocols.
                 if (serverAuthenticationOptions.ApplicationProtocols == null)
                 {
-                    serverAuthenticationOptions.ApplicationProtocols = _protocols;
+                    serverAuthenticationOptions.ApplicationProtocols = _tlsConnectionOptions.ApplicationProtocols;
                 }
 
                 // If the SslServerAuthenticationOptions doesn't have a cert or protocols then the

src/Servers/Kestrel/Transport.Quic/src/QuicTransportFactory.cs

@@ -51,33 +51,18 @@ public async ValueTask<IMultiplexedConnectionListener> BindAsync(EndPoint endpoi
             throw new ArgumentNullException(nameof(endpoint));
         }
 
-        var sslServerAuthenticationOptionsCallback = features?.Get<Func<SslClientHelloInfo, CancellationToken, ValueTask<SslServerAuthenticationOptions>>>();
-        var applicationProtocols = features?.Get<IList<SslApplicationProtocol>>();
+        var tlsConnectionOptions = features?.Get<TlsConnectionOptions>();
 
-        // As a fallback, check if SslServerAuthenticationOptions is specified and use it instead.
-        if (sslServerAuthenticationOptionsCallback == null)
-        {
-            var sslServerAuthenticationOptions = features?.Get<SslServerAuthenticationOptions>();
-            if (sslServerAuthenticationOptions != null)
-            {
-                sslServerAuthenticationOptionsCallback = (helloInfo, cancellationToken) =>
-                {
-                    return ValueTask.FromResult(sslServerAuthenticationOptions);
-                };
-                applicationProtocols = sslServerAuthenticationOptions.ApplicationProtocols;
-            }
-        }
-
-        if (sslServerAuthenticationOptionsCallback == null)
+        if (tlsConnectionOptions == null)
         {
             throw new InvalidOperationException("Couldn't find HTTPS configuration for QUIC transport.");
         }
-        if (applicationProtocols == null || applicationProtocols.Count == 0)
+        if (tlsConnectionOptions.ApplicationProtocols == null || tlsConnectionOptions.ApplicationProtocols.Count == 0)
         {
             throw new InvalidOperationException("No application protocols specified for QUIC transport.");
         }
 
-        var transport = new QuicConnectionListener(_options, _log, endpoint, applicationProtocols.ToList(), sslServerAuthenticationOptionsCallback);
+        var transport = new QuicConnectionListener(_options, _log, endpoint, tlsConnectionOptions);
         await transport.CreateListenerAsync();
 
         return transport;

src/Servers/Kestrel/Transport.Quic/test/QuicConnectionListenerTests.cs

@@ -8,6 +8,7 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.Testing;
 using Xunit;
@@ -115,12 +116,15 @@ public async Task AcceptAsync_NoCertificateOrApplicationProtocol_Log()
     {
         // Arrange
         await using var connectionListener = await QuicTestHelpers.CreateConnectionListenerFactory(
-            applicationProtocols: new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
-            sslServerAuthenticationOptionsCallback: (helloInfo, cancellationToken) =>
+            new TlsConnectionOptions
             {
-                var options = new SslServerAuthenticationOptions();
-                options.ApplicationProtocols = new List<SslApplicationProtocol>();
-                return ValueTask.FromResult(options);
+                ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
+                OnConnection = context =>
+                {
+                    var options = new SslServerAuthenticationOptions();
+                    options.ApplicationProtocols = new List<SslApplicationProtocol>();
+                    return ValueTask.FromResult(options);
+                }
             },
             LoggerFactory);
 
@@ -142,13 +146,15 @@ public async Task AcceptAsync_NoApplicationProtocolsInCallback_DefaultToConnecti
     {
         // Arrange
         await using var connectionListener = await QuicTestHelpers.CreateConnectionListenerFactory(
-            applicationProtocols: new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
-            sslServerAuthenticationOptionsCallback: (helloInfo, cancellationToken) =>
+            new TlsConnectionOptions
             {
-                var options = new SslServerAuthenticationOptions();
-                options.ServerCertificate = TestResources.GetTestCertificate();
-
-                return ValueTask.FromResult(options);
+                ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
+                OnConnection = context =>
+                {
+                    var options = new SslServerAuthenticationOptions();
+                    options.ServerCertificate = TestResources.GetTestCertificate();
+                    return ValueTask.FromResult(options);
+                }
             },
             LoggerFactory);
 

src/Servers/Kestrel/Transport.Quic/test/QuicTestHelpers.cs

@@ -52,16 +52,15 @@ public static async Task<QuicConnectionListener> CreateConnectionListenerFactory
         return (QuicConnectionListener)await transportFactory.BindAsync(endpoint, features, cancellationToken: CancellationToken.None);
     }
 
-    public static async Task<QuicConnectionListener> CreateConnectionListenerFactory(List<SslApplicationProtocol> applicationProtocols, Func<SslClientHelloInfo, CancellationToken, ValueTask<SslServerAuthenticationOptions>> sslServerAuthenticationOptionsCallback, ILoggerFactory loggerFactory = null, ISystemClock systemClock = null)
+    public static async Task<QuicConnectionListener> CreateConnectionListenerFactory(TlsConnectionOptions tlsConnectionOptions, ILoggerFactory loggerFactory = null, ISystemClock systemClock = null)
     {
         var transportFactory = CreateTransportFactory(loggerFactory, systemClock);
 
         // Use ephemeral port 0. OS will assign unused port.
         var endpoint = new IPEndPoint(IPAddress.Loopback, 0);
 
         var features = new FeatureCollection();
-        features.Set(sslServerAuthenticationOptionsCallback);
-        features.Set<IList<SslApplicationProtocol>>(applicationProtocols);
+        features.Set(tlsConnectionOptions);
         return (QuicConnectionListener)await transportFactory.BindAsync(endpoint, features, cancellationToken: CancellationToken.None);
     }
 
@@ -76,7 +75,11 @@ public static FeatureCollection CreateBindAsyncFeatures(bool clientCertificateRe
         sslServerAuthenticationOptions.ClientCertificateRequired = clientCertificateRequired;
 
         var features = new FeatureCollection();
-        features.Set(sslServerAuthenticationOptions);
+        features.Set(new TlsConnectionOptions
+        {
+            ApplicationProtocols = sslServerAuthenticationOptions.ApplicationProtocols,
+            OnConnection = context => ValueTask.FromResult(sslServerAuthenticationOptions)
+        });
 
         return features;
     }

src/Servers/Kestrel/Transport.Quic/test/QuicTransportFactoryTests.cs

@@ -7,6 +7,7 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.AspNetCore.Testing;
@@ -41,7 +42,7 @@ public async Task BindAsync_NoApplicationProtocols_Error()
         var quicTransportOptions = new QuicTransportOptions();
         var quicTransportFactory = new QuicTransportFactory(NullLoggerFactory.Instance, Options.Create(quicTransportOptions));
         var features = new FeatureCollection();
-        features.Set(new SslServerAuthenticationOptions());
+        features.Set(new TlsConnectionOptions());
 
         // Act
         var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => quicTransportFactory.BindAsync(new IPEndPoint(0, 0), features: features, cancellationToken: CancellationToken.None).AsTask()).DefaultTimeout();
@@ -58,7 +59,7 @@ public async Task BindAsync_SslServerAuthenticationOptions_Success()
         var quicTransportOptions = new QuicTransportOptions();
         var quicTransportFactory = new QuicTransportFactory(NullLoggerFactory.Instance, Options.Create(quicTransportOptions));
         var features = new FeatureCollection();
-        features.Set(new SslServerAuthenticationOptions
+        features.Set(new TlsConnectionOptions
         {
             ApplicationProtocols = new List<SslApplicationProtocol>
             {