HTTP/3: Complete support for UseHttps (#42774)

Author: JamesNK

src/Servers/Connections.Abstractions/src/Microsoft.AspNetCore.Connections.Abstractions.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <Description>Core components of ASP.NET Core networking protocol stack.</Description>
@@ -19,6 +19,11 @@
     <Compile Include="$(SharedSourceRoot)CodeAnalysis\*.cs" />
   </ItemGroup>
 
+  <ItemGroup>
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Shipped.txt" />
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Unshipped.txt" />
+  </ItemGroup>
+
   <!-- Special case building from source because Microsoft.Bcl.AsyncInterfaces isn't available for source builds. -->
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0' OR
       '$(TargetFramework)' == '$(DefaultNetFxTargetFramework)' OR

src/Servers/Connections.Abstractions/src/PublicAPI.Shipped.txt renamed to src/Servers/Connections.Abstractions/src/PublicAPI/net462/PublicAPI.Shipped.txt

@@ -0,0 +1,19 @@
+#nullable enable
+Microsoft.AspNetCore.Connections.Features.IStreamClosedFeature
+Microsoft.AspNetCore.Connections.Features.IStreamClosedFeature.OnClosed(System.Action<object?>! callback, object? state) -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.ClientHelloInfo.get -> System.Net.Security.SslClientHelloInfo
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.ClientHelloInfo.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.Connection.get -> Microsoft.AspNetCore.Connections.BaseConnectionContext!
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.Connection.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.State.get -> object?
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.State.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext.TlsConnectionCallbackContext() -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackOptions
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackOptions.ApplicationProtocols.get -> System.Collections.Generic.List<System.Net.Security.SslApplicationProtocol>!
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackOptions.ApplicationProtocols.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackOptions.OnConnection.get -> System.Func<Microsoft.AspNetCore.Connections.TlsConnectionCallbackContext!, System.Threading.CancellationToken, System.Threading.Tasks.ValueTask<System.Net.Security.SslServerAuthenticationOptions!>>!
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackOptions.OnConnection.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackOptions.OnConnectionState.get -> object?
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackOptions.OnConnectionState.set -> void
+Microsoft.AspNetCore.Connections.TlsConnectionCallbackOptions.TlsConnectionCallbackOptions() -> void

src/Servers/Connections.Abstractions/src/PublicAPI.Unshipped.txt renamed to src/Servers/Connections.Abstractions/src/PublicAPI/net462/PublicAPI.Unshipped.txt

@@ -0,0 +1,3 @@
+#nullable enable
+Microsoft.AspNetCore.Connections.Features.IStreamClosedFeature
+Microsoft.AspNetCore.Connections.Features.IStreamClosedFeature.OnClosed(System.Action<object?>! callback, object? state) -> void

src/Servers/Connections.Abstractions/src/PublicAPI/net7.0/PublicAPI.Shipped.txt

@@ -0,0 +1,3 @@
+#nullable enable
+Microsoft.AspNetCore.Connections.Features.IStreamClosedFeature
+Microsoft.AspNetCore.Connections.Features.IStreamClosedFeature.OnClosed(System.Action<object?>! callback, object? state) -> void

src/Servers/Connections.Abstractions/src/PublicAPI/net7.0/PublicAPI.Unshipped.txt

@@ -0,0 +1,32 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+#if NET7_0_OR_GREATER
+using System.Net.Security;
+using System.Threading;
+using Microsoft.AspNetCore.Connections;
+using Microsoft.AspNetCore.Http.Features;
+
+namespace Microsoft.AspNetCore.Connections;
+
+/// <summary>
+/// Per connection state used to determine the TLS options.
+/// </summary>
+public class TlsConnectionCallbackContext
+{
+    /// <summary>
+    /// Information from the Client Hello message.
+    /// </summary>
+    public SslClientHelloInfo ClientHelloInfo { get; set; }
+
+    /// <summary>
+    /// The information that was passed when registering the callback.
+    /// </summary>
+    public object? State { get; set; }
+
+    /// <summary>
+    /// Information about an individual connection.
+    /// </summary>
+    public BaseConnectionContext Connection { get; set; } = default!;
+}
+#endif

src/Servers/Connections.Abstractions/src/PublicAPI/netstandard2.0/PublicAPI.Shipped.txt

@@ -0,0 +1,33 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+#if NET7_0_OR_GREATER
+using System;
+using System.Collections.Generic;
+using System.Net.Security;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.Connections;
+
+/// <summary>
+/// Options used to configure a per connection callback for TLS configuration.
+/// </summary>
+public class TlsConnectionCallbackOptions
+{
+    /// <summary>
+    /// The callback to invoke per connection. This property is required.
+    /// </summary>
+    public Func<TlsConnectionCallbackContext, CancellationToken, ValueTask<SslServerAuthenticationOptions>> OnConnection { get; set; } = default!;
+
+    /// <summary>
+    /// Optional application state to flow to the <see cref="OnConnection"/> callback.
+    /// </summary>
+    public object? OnConnectionState { get; set; }
+
+    /// <summary>
+    /// Gets or sets a list of ALPN protocols.
+    /// </summary>
+    public List<SslApplicationProtocol> ApplicationProtocols { get; set; } = default!;
+}
+#endif

src/Servers/Connections.Abstractions/src/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt

@@ -3,10 +3,13 @@
 
 #nullable enable
 
+using System.IO.Pipelines;
 using System.Linq;
 using System.Net;
+using System.Net.Security;
 using Microsoft.AspNetCore.Connections;
 using Microsoft.AspNetCore.Http.Features;
+using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
 
 namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
@@ -53,18 +56,85 @@ public async Task<EndPoint> BindAsync(EndPoint endPoint, MultiplexedConnectionDe
 
         var features = new FeatureCollection();
 
-        // This should always be set in production, but it's not set for InMemory tests.
-        // The transport will check if the feature is missing.
+        // HttpsOptions or HttpsCallbackOptions should always be set in production, but it's not set for InMemory tests.
+        // The QUIC transport will check if TlsConnectionCallbackOptions is missing.
         if (listenOptions.HttpsOptions != null)
         {
-            features.Set(HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions));
+            var sslServerAuthenticationOptions = HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions);
+            features.Set(new TlsConnectionCallbackOptions
+            {
+                ApplicationProtocols = sslServerAuthenticationOptions.ApplicationProtocols ?? new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
+                OnConnection = (context, cancellationToken) => ValueTask.FromResult(sslServerAuthenticationOptions),
+                OnConnectionState = null,
+            });
+        }
+        else if (listenOptions.HttpsCallbackOptions != null)
+        {
+            features.Set(new TlsConnectionCallbackOptions
+            {
+                ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
+                OnConnection = (context, cancellationToken) =>
+                {
+                    return listenOptions.HttpsCallbackOptions.OnConnection(new TlsHandshakeCallbackContext
+                    {
+                        ClientHelloInfo = context.ClientHelloInfo,
+                        CancellationToken = cancellationToken,
+                        State = context.State,
+                        Connection = new ConnectionContextAdapter(context.Connection),
+                    });
+                },
+                OnConnectionState = listenOptions.HttpsCallbackOptions.OnConnectionState,
+            });
         }
 
         var transport = await _multiplexedTransportFactory.BindAsync(endPoint, features, cancellationToken).ConfigureAwait(false);
         StartAcceptLoop(new GenericMultiplexedConnectionListener(transport), c => multiplexedConnectionDelegate(c), listenOptions.EndpointConfig);
         return transport.EndPoint;
     }
 
+    /// <summary>
+    /// TlsHandshakeCallbackContext.Connection is ConnectionContext but QUIC connection only implements BaseConnectionContext.
+    /// </summary>
+    private sealed class ConnectionContextAdapter : ConnectionContext
+    {
+        private readonly BaseConnectionContext _inner;
+
+        public ConnectionContextAdapter(BaseConnectionContext inner) => _inner = inner;
+
+        public override IDuplexPipe Transport
+        {
+            get => throw new NotSupportedException("Not supported by HTTP/3 connections.");
+            set => throw new NotSupportedException("Not supported by HTTP/3 connections.");
+        }
+        public override string ConnectionId
+        {
+            get => _inner.ConnectionId;
+            set => _inner.ConnectionId = value;
+        }
+        public override IFeatureCollection Features => _inner.Features;
+        public override IDictionary<object, object?> Items
+        {
+            get => _inner.Items;
+            set => _inner.Items = value;
+        }
+        public override EndPoint? LocalEndPoint
+        {
+            get => _inner.LocalEndPoint;
+            set => _inner.LocalEndPoint = value;
+        }
+        public override EndPoint? RemoteEndPoint
+        {
+            get => _inner.RemoteEndPoint;
+            set => _inner.RemoteEndPoint = value;
+        }
+        public override CancellationToken ConnectionClosed
+        {
+            get => _inner.ConnectionClosed;
+            set => _inner.ConnectionClosed = value;
+        }
+        public override ValueTask DisposeAsync() => _inner.DisposeAsync();
+    }
+
     private void StartAcceptLoop<T>(IConnectionListener<T> connectionListener, Func<T, Task> connectionDelegate, EndpointConfig? endpointConfig) where T : BaseConnectionContext
     {
         var transportConnectionManager = new TransportConnectionManager(_serviceContext.ConnectionManager);

src/Servers/Connections.Abstractions/src/PublicAPI/netstandard2.1/PublicAPI.Shipped.txt

@@ -109,6 +109,7 @@ internal string Scheme
 
     internal bool IsTls { get; set; }
     internal HttpsConnectionAdapterOptions? HttpsOptions { get; set; }
+    internal TlsHandshakeCallbackOptions? HttpsCallbackOptions { get; set; }
 
     /// <summary>
     /// Gets the name of this endpoint to display on command-line when the web server starts.

src/Servers/Connections.Abstractions/src/PublicAPI/netstandard2.1/PublicAPI.Unshipped.txt

@@ -254,10 +254,6 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, ServerOpt
     /// <returns>The <see cref="ListenOptions"/>.</returns>
     public static ListenOptions UseHttps(this ListenOptions listenOptions, ServerOptionsSelectionCallback serverOptionsSelectionCallback, object state, TimeSpan handshakeTimeout)
     {
-        if (listenOptions.Protocols.HasFlag(HttpProtocols.Http3))
-        {
-            throw new NotSupportedException($"{nameof(UseHttps)} with {nameof(ServerOptionsSelectionCallback)} is not supported with HTTP/3.");
-        }
         return listenOptions.UseHttps(new TlsHandshakeCallbackOptions()
         {
             OnConnection = context => serverOptionsSelectionCallback(context.SslStream, context.ClientHelloInfo, context.State, context.CancellationToken),
@@ -285,18 +281,17 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, TlsHandsh
             throw new ArgumentException($"{nameof(TlsHandshakeCallbackOptions.OnConnection)} must not be null.");
         }
 
-        if (listenOptions.Protocols.HasFlag(HttpProtocols.Http3))
-        {
-            throw new NotSupportedException($"{nameof(UseHttps)} with {nameof(TlsHandshakeCallbackOptions)} is not supported with HTTP/3.");
-        }
-
         var loggerFactory = listenOptions.KestrelServerOptions?.ApplicationServices.GetRequiredService<ILoggerFactory>() ?? NullLoggerFactory.Instance;
 
         listenOptions.IsTls = true;
+        listenOptions.HttpsCallbackOptions = callbackOptions;
+
         listenOptions.Use(next =>
         {
-            // Set the list of protocols from listen options
+            // Set the list of protocols from listen options.
+            // Set it inside Use delegate so Protocols and UseHttps can be called out of order.
             callbackOptions.HttpProtocols = listenOptions.Protocols;
+
             var middleware = new HttpsConnectionMiddleware(next, callbackOptions, loggerFactory);
             return middleware.OnConnectionAsync;
         });

src/Servers/Connections.Abstractions/src/TlsConnectionCallbackContext.cs

@@ -72,6 +72,7 @@ internal ListenOptions Clone(IPAddress address)
             DisableAltSvcHeader = DisableAltSvcHeader,
             IsTls = IsTls,
             HttpsOptions = HttpsOptions,
+            HttpsCallbackOptions = HttpsCallbackOptions,
             EndpointConfig = EndpointConfig
         };
 

src/Servers/Connections.Abstractions/src/TlsConnectionCallbackOptions.cs

@@ -2,11 +2,17 @@
   "solution": {
     "path": "..\\..\\..\\AspNetCore.sln",
     "projects": [
+      "src\\DataProtection\\Abstractions\\src\\Microsoft.AspNetCore.DataProtection.Abstractions.csproj",
+      "src\\DataProtection\\Cryptography.Internal\\src\\Microsoft.AspNetCore.Cryptography.Internal.csproj",
+      "src\\DataProtection\\DataProtection\\src\\Microsoft.AspNetCore.DataProtection.csproj",
+      "src\\DefaultBuilder\\src\\Microsoft.AspNetCore.csproj",
       "src\\Extensions\\Features\\src\\Microsoft.Extensions.Features.csproj",
       "src\\Extensions\\Features\\test\\Microsoft.Extensions.Features.Tests.csproj",
       "src\\Hosting\\Abstractions\\src\\Microsoft.AspNetCore.Hosting.Abstractions.csproj",
       "src\\Hosting\\Hosting\\src\\Microsoft.AspNetCore.Hosting.csproj",
       "src\\Hosting\\Server.Abstractions\\src\\Microsoft.AspNetCore.Hosting.Server.Abstractions.csproj",
+      "src\\Http\\Authentication.Abstractions\\src\\Microsoft.AspNetCore.Authentication.Abstractions.csproj",
+      "src\\Http\\Authentication.Core\\src\\Microsoft.AspNetCore.Authentication.Core.csproj",
       "src\\Http\\Headers\\src\\Microsoft.Net.Http.Headers.csproj",
       "src\\Http\\Http.Abstractions\\src\\Microsoft.AspNetCore.Http.Abstractions.csproj",
       "src\\Http\\Http.Extensions\\src\\Microsoft.AspNetCore.Http.Extensions.csproj",
@@ -21,8 +27,12 @@
       "src\\Middleware\\HostFiltering\\src\\Microsoft.AspNetCore.HostFiltering.csproj",
       "src\\Middleware\\HttpOverrides\\src\\Microsoft.AspNetCore.HttpOverrides.csproj",
       "src\\ObjectPool\\src\\Microsoft.Extensions.ObjectPool.csproj",
+      "src\\Security\\Authentication\\Core\\src\\Microsoft.AspNetCore.Authentication.csproj",
       "src\\Security\\Authorization\\Core\\src\\Microsoft.AspNetCore.Authorization.csproj",
+      "src\\Security\\Authorization\\Policy\\src\\Microsoft.AspNetCore.Authorization.Policy.csproj",
       "src\\Servers\\Connections.Abstractions\\src\\Microsoft.AspNetCore.Connections.Abstractions.csproj",
+      "src\\Servers\\IIS\\IISIntegration\\src\\Microsoft.AspNetCore.Server.IISIntegration.csproj",
+      "src\\Servers\\IIS\\IIS\\src\\Microsoft.AspNetCore.Server.IIS.csproj",
       "src\\Servers\\Kestrel\\Core\\src\\Microsoft.AspNetCore.Server.Kestrel.Core.csproj",
       "src\\Servers\\Kestrel\\Core\\test\\Microsoft.AspNetCore.Server.Kestrel.Core.Tests.csproj",
       "src\\Servers\\Kestrel\\Kestrel\\src\\Microsoft.AspNetCore.Server.Kestrel.csproj",
@@ -47,7 +57,8 @@
       "src\\Servers\\Kestrel\\test\\Sockets.BindTests\\Sockets.BindTests.csproj",
       "src\\Servers\\Kestrel\\test\\Sockets.FunctionalTests\\Sockets.FunctionalTests.csproj",
       "src\\Servers\\Kestrel\\tools\\CodeGenerator\\CodeGenerator.csproj",
-      "src\\Testing\\src\\Microsoft.AspNetCore.Testing.csproj"
+      "src\\Testing\\src\\Microsoft.AspNetCore.Testing.csproj",
+      "src\\WebEncoders\\src\\Microsoft.Extensions.WebEncoders.csproj"
     ]
   }
 }

src/Servers/Kestrel/Core/src/Internal/Infrastructure/TransportManager.cs

@@ -258,6 +258,11 @@ internal bool TryReturnStream(QuicStreamContext stream)
         return false;
     }
 
+    internal QuicConnection GetInnerConnection()
+    {
+        return _connection;
+    }
+
     private void RemoveExpiredStreams()
     {
         lock (_poolLock)