Description
Background:
This sample shows how to intercept TLS handshakes and filter efficiently on the supported protocols, hosts, ciphers, etc. However, it relies on non-trivial pipelines code that is difficult for our customers to work with.
Proposal:
Ship an in-box Kestrel connection middleware that sniffs the handshake and stores the TLS details as a feature on the connection context. Customers can then add a much simpler middleware after it to enforce their own policies.
Features:
- Configurable timeout for receiving the full ClientHello. Compare to https://github.com/dotnet/aspnetcore/blob/542da423ff3394e86fd7608fc425fadd33ba3fd9/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs#L17
- Stores TLS details in a feature on the connection context.
- Logs and rejects invalid handshakes
- Do we want a callback that takes the TLS details and decides what to do with them? That way they don't have to write another middleware.
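The sniffing step the proposal describes, as an added example that is not part of this issue or of Kestrel: a minimal Python parser that pulls the version, cipher suites, SNI and ALPN out of a buffered ClientHello, signals when the buffer is still incomplete (the case the configurable timeout covers), and rejects non-TLS or malformed input instead of crashing. `build_client_hello` only constructs demo input; nothing here is captured traffic.

```python
import struct

class NeedMoreData(Exception):
    """Buffer does not yet hold the whole record: keep reading, or time out."""

def parse_client_hello(buf: bytes) -> dict:
    """Return version, cipher suites, SNI and ALPN from a buffered ClientHello."""
    if buf and buf[0] != 0x16:                               # ContentType.handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", buf[3:5])[0] if len(buf) >= 5 else 1 << 16
    if len(buf) < 5 + rec_len:
        raise NeedMoreData()
    body = buf[5:5 + rec_len]
    try:
        if body[0] != 0x01 or int.from_bytes(body[1:4], "big") != rec_len - 4:
            raise ValueError("not a single-record ClientHello")
        hello, pos = body[4:], 2 + 32                        # skip legacy_version + random
        version = struct.unpack("!H", hello[:2])[0]
        pos += 1 + hello[pos]                                # skip session_id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        ciphers = list(struct.unpack("!%dH" % (cs_len // 2), hello[pos + 2:pos + 2 + cs_len]))
        pos += 2 + cs_len
        pos += 1 + hello[pos]                                # skip compression_methods
        details = {"version": version, "cipher_suites": ciphers, "sni": None, "alpn": []}
        if pos + 2 <= len(hello):                            # extensions block is optional
            pos, ext_end = pos + 2, pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
            while pos + 4 <= ext_end:
                etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
                data, pos = hello[pos + 4:pos + 4 + elen], pos + 4 + elen
                if etype == 0 and data[2] == 0:              # server_name, host_name entry
                    details["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
                elif etype == 16:                            # ALPN: length-prefixed names
                    q = 2
                    while q < len(data):
                        details["alpn"].append(data[q + 1:q + 1 + data[q]].decode("ascii"))
                        q += 1 + data[q]
        return details
    except (struct.error, IndexError, UnicodeDecodeError) as exc:   # reject, don't crash
        raise ValueError("malformed ClientHello: %s" % exc) from None

def build_client_hello(sni, alpn, ciphers):     # constructed demo input, not captured traffic
    host = sni.encode()
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    exts = (struct.pack("!HH", 0, len(sni_ext)) + sni_ext
            + struct.pack("!HH", 16, len(alpn_list) + 2) + struct.pack("!H", len(alpn_list)) + alpn_list)
    cs = struct.pack("!%dH" % len(ciphers), *ciphers)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return b"\x16\x03\x01" + struct.pack("!H", len(hello) + 4) + b"\x01" + len(hello).to_bytes(3, "big") + hello
```

A connection middleware would loop on `NeedMoreData` until the timeout fires, store the returned dict as the connection feature, and treat `ValueError` as the log-and-reject path.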