Cache SslServerAuthenticationOptions and certs

Author: halter73

src/Servers/Kestrel/Core/src/CoreStrings.resx

@@ -620,4 +620,10 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
   <data name="UnrecognizedCertificateKeyOid" xml:space="preserve">
     <value>Unknown algorithm for certificate with public key type '{0}'.</value>
   </data>
+  <data name="SniNotConfiguredForServerName" xml:space="preserve">
+    <value>Connection refused because no SNI configuration was found for '{serverName}' in '{endpointName}'. To allow all connections, add a wildcard ('*') SNI section.</value>
+  </data>
+  <data name="SniNotConfiguredToAllowNoServerName" xml:space="preserve">
+    <value>Connection refulsed because the client did not specify a server name, and no wildcard ('*') SNI configuration was found in '{endpointName}'.</value>
+  </data>
 </root>

src/Servers/Kestrel/Core/src/Internal/SniOptionsSelector.cs

@@ -0,0 +1,116 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Net.Security;
+using System.Security.Authentication;
+using Microsoft.AspNetCore.Server.Kestrel.Https;
+using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
+
+namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal
+{
+    internal class SniOptionsSelector
+    {
+        private const string wildcardHost = "*";
+        private const string wildcardPrefix = "*.";
+
+        private readonly string _endpointName;
+        private readonly Dictionary<string, SslServerAuthenticationOptions> _fullNameOptions = new Dictionary<string, SslServerAuthenticationOptions>(StringComparer.OrdinalIgnoreCase);
+        private readonly List<(string, SslServerAuthenticationOptions)> _wildcardPrefixOptions = new List<(string, SslServerAuthenticationOptions)>();
+        private readonly SslServerAuthenticationOptions _wildcardHostOptions = null;
+
+        public SniOptionsSelector(
+            KestrelConfigurationLoader configLoader,
+            EndpointConfig endpointConfig,
+            HttpsConnectionAdapterOptions fallbackOptions,
+            HttpProtocols fallbackHttpProtocols)
+        {
+            _endpointName = endpointConfig.Name;
+
+            foreach (var (name, sniConfig) in endpointConfig.SNI)
+            {
+                var sslServerOptions = new SslServerAuthenticationOptions();
+
+                sslServerOptions.ServerCertificate = configLoader.LoadCertificate(sniConfig.Certificate, endpointConfig.Name)
+                    ?? configLoader.LoadEndpointOrDefaultCertificate(fallbackOptions, endpointConfig);
+
+                if (sslServerOptions.ServerCertificate is null)
+                {
+                    throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
+                }
+
+                sslServerOptions.EnabledSslProtocols = sniConfig.SslProtocols ?? fallbackOptions.SslProtocols;
+                HttpsConnectionMiddleware.ConfigureAlpn(sslServerOptions, sniConfig.Protocols ?? fallbackHttpProtocols);
+
+                var clientCertificateMode = sniConfig.ClientCertificateMode ?? fallbackOptions.ClientCertificateMode;
+
+                if (clientCertificateMode != ClientCertificateMode.NoCertificate)
+                {
+                    sslServerOptions.ClientCertificateRequired = true;
+                    sslServerOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
+                        HttpsConnectionMiddleware.RemoteCertificateValidationCallback(
+                            clientCertificateMode, fallbackOptions.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
+                }
+
+                if (name.Equals(wildcardHost, StringComparison.Ordinal))
+                {
+                    _wildcardHostOptions = sslServerOptions;
+                }
+                else if (name.StartsWith(wildcardPrefix, StringComparison.Ordinal))
+                {
+                    _wildcardPrefixOptions.Add((name, sslServerOptions));
+                }
+                else
+                {
+                    _fullNameOptions[name] = sslServerOptions;
+                }
+            }
+        }
+
+        public SslServerAuthenticationOptions GetOptions(string serverName)
+        {
+            SslServerAuthenticationOptions options = null;
+
+            if (!string.IsNullOrEmpty(serverName))
+            {
+                if (_fullNameOptions.TryGetValue(serverName, out options))
+                {
+                    return options;
+                }
+
+                var matchedNameLength = 0;
+                ReadOnlySpan<char> serverNameSpan = serverName;
+
+                foreach (var (nameCandidate, optionsCandidate) in _wildcardPrefixOptions)
+                {
+                    ReadOnlySpan<char> nameCandidateSpan = nameCandidate;
+
+                    // Note that we only slice off the `*`. We want to match the leading `.` also.
+                    if (serverNameSpan.EndsWith(nameCandidateSpan.Slice(wildcardHost.Length), StringComparison.OrdinalIgnoreCase)
+                        && nameCandidateSpan.Length > matchedNameLength)
+                    {
+                        matchedNameLength = nameCandidateSpan.Length;
+                        options = optionsCandidate;
+                    }
+                }
+            }
+
+            options ??= _wildcardHostOptions;
+
+            if (options is null)
+            {
+                if (serverName is null)
+                {
+                    throw new AuthenticationException(CoreStrings.FormatSniNotConfiguredToAllowNoServerName(_endpointName));
+                }
+                else
+                {
+                    throw new AuthenticationException(CoreStrings.FormatSniNotConfiguredForServerName(serverName, _endpointName));
+                }
+            }
+
+            return options;
+        }
+    }
+}

src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs

@@ -281,7 +281,7 @@ public void Load()
 
                 // Compare to UseHttps(httpsOptions => { })
                 var httpsOptions = new HttpsConnectionAdapterOptions();
-                ServerOptionsSelectionCallback serverOptionsCallback = null;
+                SniOptionsSelector sniOptionsSelector = null;
 
                 if (https)
                 {
@@ -318,8 +318,7 @@ public void Load()
                     }
                     else
                     {
-                        serverOptionsCallback = (stream, clientHelloInfo, state, cancellationToken) =>
-                            SniCallback(httpsOptions, listenOptions.Protocols, endpoint, clientHelloInfo);
+                        sniOptionsSelector = new SniOptionsSelector(this, endpoint, httpsOptions, listenOptions.Protocols);
                     }
                 }
 
@@ -343,7 +342,7 @@ public void Load()
                 // EndpointDefaults or configureEndpoint may have added an https adapter.
                 if (https && !listenOptions.IsTls)
                 {
-                    if (serverOptionsCallback is null)
+                    if (sniOptionsSelector is null)
                     {
                         if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)
                         {
@@ -354,7 +353,7 @@ public void Load()
                     }
                     else
                     {
-                        listenOptions.UseHttps(serverOptionsCallback);
+                        listenOptions.UseHttps(ServerOptionsSelectionCallback, sniOptionsSelector);
                     }
                 }
 
@@ -367,80 +366,11 @@ public void Load()
             return (endpointsToStop, endpointsToStart);
         }
 
-        private ValueTask<SslServerAuthenticationOptions> SniCallback(
-            HttpsConnectionAdapterOptions httpsOptions,
-            HttpProtocols endpointDefaultHttpProtocols,
-            EndpointConfig endpoint,
-            SslClientHelloInfo clientHelloInfo)
+        private static ValueTask<SslServerAuthenticationOptions> ServerOptionsSelectionCallback(SslStream stream, SslClientHelloInfo clientHelloInfo, object state, CancellationToken cancellationToken)
         {
-            const string wildcardHost = "*";
-            const string wildcardPrefix = "*.";
-
-            var sslServerOptions = new SslServerAuthenticationOptions();
-            var serverName = clientHelloInfo.ServerName;
-            SniConfig sniConfig = null;
-
-            if (!string.IsNullOrEmpty(serverName))
-            {
-                foreach (var (name, sniConfigCandidate) in endpoint.SNI)
-                {
-                    if (name.Equals(serverName, StringComparison.OrdinalIgnoreCase))
-                    {
-                        sniConfig = sniConfigCandidate;
-                        break;
-                    }
-                    // Note that we only slice off the `*`. We want to match the leading `.` also.
-                    else if (name.StartsWith(wildcardPrefix, StringComparison.Ordinal)
-                        && serverName.EndsWith(name.Substring(wildcardHost.Length), StringComparison.OrdinalIgnoreCase)
-                        && name.Length > (sniConfig?.Name.Length ?? 0))
-                    {
-                        sniConfig = sniConfigCandidate;
-                    }
-                    else if (name.Equals(wildcardHost, StringComparison.Ordinal))
-                    {
-                        sniConfig ??= sniConfigCandidate;
-                    }
-                }
-            }
-
-            sslServerOptions.ServerCertificate = LoadCertificate(sniConfig?.Certificate, endpoint.Name) ?? LoadEndpointOrDefaultCertificate(httpsOptions, endpoint);
-
-            if (sslServerOptions.ServerCertificate is null)
-            {
-                throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
-            }
-
-            sslServerOptions.EnabledSslProtocols = sniConfig?.SslProtocols ?? httpsOptions.SslProtocols;
-            HttpsConnectionMiddleware.ConfigureAlpn(sslServerOptions, sniConfig?.Protocols ?? endpointDefaultHttpProtocols);
-
-            var clientCertificateMode = sniConfig?.ClientCertificateMode ?? httpsOptions.ClientCertificateMode;
-
-            if (clientCertificateMode != ClientCertificateMode.NoCertificate)
-            {
-                sslServerOptions.ClientCertificateRequired = true;
-                sslServerOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
-                    HttpsConnectionMiddleware.RemoteCertificateValidationCallback(clientCertificateMode, httpsOptions.ClientCertificateValidation, certificate, chain, sslPolicyErrors);
-            }
-
-            return new ValueTask<SslServerAuthenticationOptions>(sslServerOptions);
-        }
-
-        private X509Certificate2 LoadEndpointOrDefaultCertificate(HttpsConnectionAdapterOptions httpsOptions, EndpointConfig endpoint)
-        {
-            // Specified
-            httpsOptions.ServerCertificate = LoadCertificate(endpoint.Certificate, endpoint.Name)
-                ?? httpsOptions.ServerCertificate;
-
-            if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)
-            {
-                // Fallback
-                Options.ApplyDefaultCert(httpsOptions);
-
-                // Ensure endpoint is reloaded if it used the default certificate and the certificate changed.
-                endpoint.Certificate = DefaultCertificateConfig;
-            }
-
-            return httpsOptions.ServerCertificate;
+            var sniOptionsSelector = (SniOptionsSelector)state;
+            var options = sniOptionsSelector.GetOptions(clientHelloInfo.ServerName);
+            return new ValueTask<SslServerAuthenticationOptions>(options);
         }
 
         private void LoadDefaultCert(ConfigurationReader configReader)
@@ -531,7 +461,7 @@ private bool TryGetCertificatePath(out string path)
             return path != null;
         }
 
-        private X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
+        internal X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
         {
             if (certInfo is null)
             {
@@ -622,6 +552,24 @@ static X509Certificate2 GetCertificate(string certificatePath)
             }
         }
 
+        internal X509Certificate2 LoadEndpointOrDefaultCertificate(HttpsConnectionAdapterOptions httpsOptions, EndpointConfig endpoint)
+        {
+            // Specified
+            httpsOptions.ServerCertificate = LoadCertificate(endpoint.Certificate, endpoint.Name)
+                ?? httpsOptions.ServerCertificate;
+
+            if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)
+            {
+                // Fallback
+                Options.ApplyDefaultCert(httpsOptions);
+
+                // Ensure endpoint is reloaded if it used the default certificate and the certificate changed.
+                endpoint.Certificate = DefaultCertificateConfig;
+            }
+
+            return httpsOptions.ServerCertificate;
+        }
+
         private static X509Certificate2 AttachPemRSAKey(X509Certificate2 certificate, string keyText, string password)
         {
             using var rsa = RSA.Create();