Enable ServerCertificateSelector for HTTP/3 #35243
Conversation
ghost
added
the
src/Servers/Kestrel/Core/src/Internal/Infrastructure/TransportManager.cs
Outdated
Show resolved
Hide resolved
src/Servers/Kestrel/Core/src/Internal/Infrastructure/TransportManager.cs
Show resolved
Hide resolved
| sslServerAuthenticationOptions.ServerCertificateSelectionCallback = (sender, host) => | ||
| { | ||
| // There is no ConnectionContext available durring the QUIC handshake. | ||
| var cert = listenOptions.HttpsOptions.ServerCertificateSelector(null, host); |
There was a problem hiding this comment.
Is there a way to associate an invocation of this callback with a specific QuicConnection instance? Would it make sense to create a fake ConnectionContext and copy the fake's FeatureCollection to the QuicConnectionContext? The Transport property and the Abort methods on the fake would likely need to throw, but I imagine the most common thing to use the ConnectionContext for in this callback is the FeatureCollection.
It seems better to try to at least partially fake it if possible rather than make existing code referencing the ConnectionContext in the callback nullref.
There was a problem hiding this comment.
Unfortunately not. The callback is invoked before the QuicConnection is even created and returned from Accept.
The Sender passed to ServerCertificateSelectionCallback is System.Net.Quic.QuicOptions.
If we made a fake context it would be completely empty.
I think we have to design some new callbacks in .NET 7 at both the System.Net.Quic and Kestrel levels that provide some kind of usable state in these callbacks.
There was a problem hiding this comment.
If we made a fake context it would be completely empty.
That would be better than nothing if we copy features that were added out the the later-created QuicConnectionContext. But if we cannot even associate it with the later-created QuicConnectionContext, I guess we're stuck. Maybe we should to update the QuicListener API to make this possible somehow.
There was a problem hiding this comment.
I don't think even associating the features is possible. I only added the callback in it's current state because I think it's still better than not supporting SNI at all, most use cases only require the host name.
Maybe we should to update the QuicListener API to make this possible somehow.
Exactly, that's the .NET 7 task.
There was a problem hiding this comment.
LGTM.
Remember to update aspnet/Announcements#444 with nullable change.
amcasey
added
area-networking
Contributes to #34858
ServerCertificateSelector is the only SNI callback we can support with the current quic APIs. All of the others return a full SslServerAuthenticationOptions per connection which isn't supported.
Note because the SNI callback happens before the connection is accepted, there is no ConnectionContext to pass to the callback (nor a MultiplexedConnectionContext). Invoking it with null seemed preferable to not supporting SNI at all.