Add support in Kestrel to configure signature algorithms and cipher suites on a per-SNI basis. #58560
Labels: area-networking
Is your feature request related to a problem? Please describe the problem.
Kestrel currently allows a wide variety of TLS settings to be configured on a per-SNI basis via SslStream (such as choosing the server TLS certificate for a given SNI, whether to negotiate a client certificate eagerly or in a delayed manner, the list of distinguished names to send in the TLS handshake, etc.).
However, Kestrel does not allow the configuration of signature algorithms on any platform, and it does not allow configuration of cipher suites on Windows. HTTP.sys provides this functionality on Windows, and I'm requesting this capability on Kestrel (on both Windows and Linux).
Note: The signature algorithms and cipher suites on Windows are centrally set via Schannel registry keys. Both Kestrel and HTTP.sys delegate to the settings chosen by Schannel. However, HTTP.sys provides APIs to override the centrally selected settings on a per-SNI basis, and that capability is what I'm requesting on Kestrel. For a multi-tenant reverse proxy, the ability to choose TLS settings on a per-SNI basis is crucial.
Describe the solution you'd like
I understand that the API shape exposed via ServerOptionsSelectionCallback is not quite the same as HTTP.sys. That is why I'm only describing how HTTP.sys achieves the capability I need. I'm not suggesting a particular API shape for how Kestrel may implement the feature.
The below code uses HTTP.sys APIs to configure signature algorithms and cipher suites on a per-SNI basis.
Note: The code below is not meant to be used in production as-is. The intent is to provide a high-level overview of how per-SNI TLS settings are configured on HTTP.sys.
Additional context
I'm aware that Kestrel has a SslServerAuthenticationOptions.CipherSuitesPolicy. However, this throws a PlatformNotSupportedException on Windows.
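For reference, the per-SNI surface Kestrel already exposes today (TlsHandshakeCallbackOptions, which is built on SslStream's ServerOptionsSelectionCallback) looks like the following. This is an added illustration, not code from the issue or from the aspnetcore repository; the tenant host names, certificate paths and the tenant-a suite list are constructed placeholders. It shows the two points above in working form: the certificate is chosen per SNI on every platform, while the cipher-suite restriction can only be applied where CipherSuitesPolicy is supported (Linux/macOS), and there is no property at all for signature algorithms.

```csharp
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// Constructed tenant table: SNI host name -> server certificate.
// The PEM paths are placeholders; substitute the material you actually deploy.
var tenantCertificates = new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase)
{
    ["tenant-a.example.test"] = X509Certificate2.CreateFromPemFile("/etc/tls/tenant-a.crt", "/etc/tls/tenant-a.key"),
    ["tenant-b.example.test"] = X509Certificate2.CreateFromPemFile("/etc/tls/tenant-b.crt", "/etc/tls/tenant-b.key"),
};
var defaultCertificate = X509Certificate2.CreateFromPemFile("/etc/tls/default.crt", "/etc/tls/default.key");

// Constructed per-tenant restriction: TLS 1.3 AEAD suites only for tenant-a.
// Constructing CipherSuitesPolicy throws PlatformNotSupportedException on Windows,
// so it is skipped there and the Schannel registry configuration applies unchanged.
CipherSuitesPolicy? tenantAPolicy = OperatingSystem.IsWindows()
    ? null
    : new CipherSuitesPolicy(new[]
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
    });

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(8443, listenOptions =>
    {
        listenOptions.UseHttps(new TlsHandshakeCallbackOptions
        {
            // Invoked once per handshake after the ClientHello has been parsed.
            OnConnection = context =>
            {
                string sni = context.ClientHelloInfo.ServerName ?? string.Empty;

                if (!tenantCertificates.TryGetValue(sni, out var certificate))
                {
                    certificate = defaultCertificate;
                }

                var sslOptions = new SslServerAuthenticationOptions
                {
                    ServerCertificate = certificate,
                    // Leave protocol version selection to the OS defaults.
                    EnabledSslProtocols = SslProtocols.None,
                    ClientCertificateRequired = false,
                    ApplicationProtocols = new List<SslApplicationProtocol>
                    {
                        SslApplicationProtocol.Http2,
                        SslApplicationProtocol.Http11,
                    },
                };

                // Apply the restricted suite list only to tenant-a, and only where supported.
                if (tenantAPolicy is not null &&
                    string.Equals(sni, "tenant-a.example.test", StringComparison.OrdinalIgnoreCase))
                {
                    sslOptions.CipherSuitesPolicy = tenantAPolicy;
                }

                return ValueTask.FromResult(sslOptions);
            },
        });
    });
});

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```

Run on Linux, a client offering only TLS 1.2 suites to tenant-a.example.test fails the handshake while the same client succeeds against tenant-b.example.test; on Windows both tenants negotiate whatever Schannel's machine-wide policy permits, which is exactly the per-SNI gap this issue describes.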
Linking useful documentation that makes this feature possible:
Snippet from http.h showing the various flags that can be used while configuring TLS settings: