Log HTTPs cert info on startup #4759

natemcmaster opened this issue Feb 10, 2018 · 10 comments
Labels
affected-very-few This issue impacts very few customers area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-kestrel help candidate Indicates that the issues may be a good fit for community to help with. Requires work from eng. team severity-nice-to-have This label is used by an internal tool
Milestone

Comments

@natemcmaster
Contributor

Kestrel logs endpoints when the server starts, but doesn't log which certificates were used. Now that Kestrel endpoints and certs can be configured from a file (aspnet/KestrelHttpServer#2186), it would be nice to show console info to help users identify if their config was correctly used.

Some ideas:

From store, show friendly name

Now listening on: https://localhost:5001
Using server certificate: "ASP.NET Core HTTPS development certificate" from cert:\CurrentUser\My

From store, show subject

Now listening on: https://localhost:5001
Using server certificate: CN=localhost, cert:\CurrentUser\My

From store, include more info like thumbprint

Now listening on: https://localhost:5001
Using server certificate: CN=localhost, cert:\CurrentUser\My, 52A477BBEDE8DFDEB699106D5FFB8FE89F9BF790

From file

Now listening on: https://localhost:5001
Using server certificate: C:\dev\test\cert.pfx

Multiple certs

Now listening on: https://localhost:5002
Using server certificate: C:\dev\test\cert2.pfx
Now listening on: https://localhost:5001
Using server certificate: C:\dev\test\cert1.pfx
@aspnet-hello aspnet-hello transferred this issue from aspnet/KestrelHttpServer Dec 13, 2018
@aspnet-hello aspnet-hello added this to the Backlog milestone Dec 13, 2018
@jkotalik jkotalik added affected-very-few This issue impacts very few customers enhancement This issue represents an ask for new feature or an enhancement to an existing one severity-nice-to-have This label is used by an internal tool labels Nov 13, 2020 — with ASP.NET Core Issue Ranking
@davidfowl davidfowl added the help wanted Up for grabs. We would accept a PR to help resolve this issue label Mar 28, 2021
@davidfowl
Member

This seems like a good thing, thoughts @blowdart ?

@blowdart
Contributor

Aside from thumbprint yes (thumbprint is sha1, we don't like sha1)

Also add valid from and valid to, or maybe the SAN (or first 5 hosts in the SAN, because those can get big)

@davidfowl davidfowl removed this from the Backlog milestone Mar 29, 2021
@BrennanConroy
Member

Triage: This would be nice.
Issues: Certs wouldn't necessarily line up with the address they apply to. Can we get the store they came from?

Log.LogInfo("Loaded cert from X; <cert info>")

@BrennanConroy BrennanConroy added this to the Next sprint planning milestone Mar 29, 2021
@ghost

ghost commented Mar 29, 2021

Thanks for contacting us.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. Because it's not immediately obvious that this is a bug in our framework, we would like to keep this around to collect more feedback, which can later help us determine the impact of it. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine that the issue has no community involvement, or that it's a very rare and low-impact issue, we will close it so that the team can focus on more important and high-impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

@davidfowl
Member

Issues: Certs wouldn't necessarily line up with the address they apply to. Can we get the store they came from?

This is because hosting prints the addresses right?

@BrennanConroy
Member

This is because hosting prints the addresses right?

Right. #23601 is related, if we have some way of grouping startup logs to make the output nice.

@ghost

ghost commented Jul 18, 2021

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

@adityamandaleeka
Member

@ldillonel This looks like it's relevant to your cert work. Might be good to look into it.

@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 2, 2023
@Pilchard123

thumbprint is sha1, we don't like sha1

Why is using SHA1 for thumbprints a problem here @blowdart ? AIUI, thumbprints aren't used for any security purpose, merely for making it easier to refer to a particular certificate. If it was used for signatures or the like, then sure, but I don't think there's any security issue in using it as an identifier.

@blowdart
Contributor

blowdart commented Jul 28, 2023

It's a problem because we're trying to eliminate all use of sha1 internally, no matter what it's used for. We have a lot of automated tooling that helps us avoid mistakes and the tooling doesn't understand context. We also have customers who run their own tools and flag any use of sha1, and then I end up with emails and having to explain the context that no, this isn't a cryptographic use. And if it's used over certificates it makes that explanation so much harder.

So it's simpler to eliminate all uses. It's the main reason we have non-cryptographic hash algorithms now.

(And in this case it's used for certificate identification which is so close to touching a cryptographic purpose it's not worth the argument).
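Pulling the thread's two proposals together (the startup line sketched in the opening post, and blowdart's request to drop the SHA-1 thumbprint in favour of validity dates and a capped SAN list), here is an added example of what such a line could look like. This is illustrative code written for this page, not Kestrel's own logging and not anything from the ASP.NET Core repository. It assumes .NET 8 or later (for `X509SubjectAlternativeNameExtension`), uses a hypothetical helper named `CertStartupLog.Describe`, and generates a throwaway self-signed certificate in `Main` so it runs without touching a real certificate store. The identifier it prints is `GetCertHashString(HashAlgorithmName.SHA256)`, which is the same hash-of-DER construction as the `Thumbprint` property but with SHA-256, so the output carries no SHA-1 value for a scanner to flag.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not Kestrel's code) that formats the certificate half of
// a "Now listening on" startup message.
public static class CertStartupLog
{
    // source: where the cert was loaded from (store path or file path), as
    // BrennanConroy suggested, so the line is useful even when it cannot be
    // matched to a listening address.
    public static string Describe(X509Certificate2 cert, string source, int maxSans = 5)
    {
        // X509Certificate2.Thumbprint is SHA-1 over the DER encoding. This is the
        // same construction with SHA-256 (available since .NET 5).
        string fingerprint = cert.GetCertHashString(HashAlgorithmName.SHA256);

        // Collect DNS names from the subjectAltName extension (.NET 8+ typed extension).
        var sans = new List<string>();
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext is X509SubjectAlternativeNameExtension san)
            {
                sans.AddRange(san.EnumerateDnsNames());
            }
        }

        // Cap the list so a cert with dozens of hosts does not flood the console.
        string sanText;
        if (sans.Count == 0)
        {
            sanText = "(none)";
        }
        else
        {
            sanText = string.Join(", ", sans.Take(maxSans));
            if (sans.Count > maxSans)
            {
                sanText += $", +{sans.Count - maxSans} more";
            }
        }

        return $"Using server certificate: {cert.Subject} from {source}; "
             + $"valid {cert.NotBefore:u} to {cert.NotAfter:u}; "
             + $"SAN: {sanText}; SHA-256: {fingerprint}";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a self-signed cert with two DNS SANs, created in
        // memory so the example does not depend on any store or .pfx file.
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest(
            "CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        var sanBuilder = new SubjectAlternativeNameBuilder();
        sanBuilder.AddDnsName("localhost");
        sanBuilder.AddDnsName("api.example.test");
        request.CertificateExtensions.Add(sanBuilder.Build());

        using X509Certificate2 cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

        // Placeholder source string in the shape the opening post proposed.
        Console.WriteLine("Now listening on: https://localhost:5001");
        Console.WriteLine(CertStartupLog.Describe(cert, @"cert:\CurrentUser\My"));
    }
}
```

Two notes on the design. The subject alone is not enough to tell two certificates apart (the development cert and a self-issued `CN=localhost` look identical), which is why the line keeps a fingerprint at all; SHA-256 gives the same "which cert is this" answer without the SHA-1 objection raised above. `FriendlyName` is deliberately left out: it is store metadata that is only populated on Windows, so a line built on it would be blank on Linux and macOS hosts.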

@mkArtakMSFT mkArtakMSFT added help candidate Indicates that the issues may be a good fit for community to help with. Requires work from eng. team and removed help wanted Up for grabs. We would accept a PR to help resolve this issue labels Oct 28, 2023