Remove EndpointDefaults.Sni

Author: halter73

src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs

@@ -75,7 +75,6 @@ private EndpointDefaults ReadEndpointDefaults()
                 Protocols = ParseProtocols(configSection[ProtocolsKey]),
                 SslProtocols = ParseSslProcotols(configSection.GetSection(SslProtocolsKey)),
                 ClientCertificateMode = ParseClientCertificateMode(configSection[ClientCertificateModeKey]),
-                Sni = ReadSni(configSection.GetSection(SniKey), EndpointDefaultsKey)
             };
         }
 

src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs

@@ -260,22 +260,6 @@ internal void ApplyHttpsDefaults(HttpsConnectionAdapterOptions httpsOptions)
             }
         }
 
-        internal SniOptionsSelector GetDefaultSniOptionsSelector(HttpsConnectionAdapterOptions fallbackHttpsOptions, HttpProtocols fallbackHttpProtocols)
-        {
-            if (ConfigurationReader.EndpointDefaults.Sni.Count == 0)
-            {
-                return null;
-            }
-
-            return new SniOptionsSelector(
-                ConfigurationReader.EndpointDefaultsKey,
-                ConfigurationReader.EndpointDefaults.Sni,
-                CertificateConfigLoader,
-                fallbackHttpsOptions,
-                fallbackHttpProtocols,
-                HttpsLogger);
-        }
-
         public void Load()
         {
             if (_loaded)
@@ -352,13 +336,6 @@ public void Load()
                         endpoint.ClientCertificateMode = ConfigurationReader.EndpointDefaults.ClientCertificateMode;
                     }
 
-                    if (endpoint.Sni.Count == 0)
-                    {
-                        // Ensure endpoint is reloaded if it used the default SNI config and it changed.
-                        // No need to configure httpsOptions for SNI since the SniOptionsSelector will now use the EndpointDefaults SNI config.
-                        endpoint.Sni = ConfigurationReader.EndpointDefaults.Sni;
-                    }
-
                     // A cert specified directly on the endpoint overrides any defaults.
                     httpsOptions.ServerCertificate = CertificateConfigLoader.LoadCertificate(endpoint.Certificate, endpoint.Name)
                         ?? httpsOptions.ServerCertificate;

src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs

@@ -184,21 +184,12 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, Action<Ht
             configureOptions(options);
             listenOptions.KestrelServerOptions.ApplyDefaultCert(options);
 
-            var sniOptionsSelector = listenOptions.KestrelServerOptions.ConfigurationLoader?.GetDefaultSniOptionsSelector(options, listenOptions.Protocols);
-
-            if (options.ServerCertificate == null && options.ServerCertificateSelector == null && sniOptionsSelector == null)
+            if (options.ServerCertificate == null && options.ServerCertificateSelector == null)
             {
                 throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
             }
 
-            if (sniOptionsSelector is null)
-            {
-                return listenOptions.UseHttps(options);
-            }
-            else
-            {
-                return listenOptions.UseHttps(SniOptionsSelector.OptionsCallback, sniOptionsSelector, options.HandshakeTimeout);
-            }
+            return listenOptions.UseHttps(options);
         }
 
         // Use Https if a default cert is available
@@ -208,22 +199,12 @@ internal static bool TryUseHttps(this ListenOptions listenOptions)
             listenOptions.KestrelServerOptions.ApplyHttpsDefaults(options);
             listenOptions.KestrelServerOptions.ApplyDefaultCert(options);
 
-            var sniOptionsSelector = listenOptions.KestrelServerOptions.ConfigurationLoader?.GetDefaultSniOptionsSelector(options, listenOptions.Protocols);
-
-            if (options.ServerCertificate == null && options.ServerCertificateSelector == null && sniOptionsSelector == null)
+            if (options.ServerCertificate == null && options.ServerCertificateSelector == null)
             {
                 return false;
             }
 
-            if (sniOptionsSelector is null)
-            {
-                listenOptions.UseHttps(options);
-            }
-            else
-            {
-                listenOptions.UseHttps(SniOptionsSelector.OptionsCallback, sniOptionsSelector, options.HandshakeTimeout);
-            }
-
+            listenOptions.UseHttps(options);
             return true;
         }
 

src/Servers/Kestrel/Core/test/SniOptionsSelectorTests.cs

@@ -674,7 +674,7 @@ public void CloneSslOptionsClonesAllProperties()
                 // Defaults to true
                 AllowRenegotiation = false,
                 // Defaults to null
-                ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
+                ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http2 },
                 // Defaults to X509RevocationMode.NoCheck
                 CertificateRevocationCheckMode = X509RevocationMode.Offline,
                 // Defaults to null

src/Servers/Kestrel/Kestrel/test/ConfigurationReaderTests.cs

@@ -275,7 +275,7 @@ public void ReadEndpointWithNoSslProtocolSettings_ReturnsNull()
         }
 
         [Fact]
-        public void ReadEndpointsOrEndpointDefaultsWithEmptySniSection_ReturnsEmptyCollection()
+        public void ReadEndpointWithEmptySniSection_ReturnsEmptyCollection()
         {
             var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
             {
@@ -287,32 +287,25 @@ public void ReadEndpointsOrEndpointDefaultsWithEmptySniSection_ReturnsEmptyColle
             var endpoint = reader.Endpoints.First();
             Assert.NotNull(endpoint.Sni);
             Assert.False(endpoint.Sni.Any());
-
-            var endpointDefaults = reader.EndpointDefaults;
-            Assert.NotNull(endpointDefaults.Sni);
-            Assert.False(endpointDefaults.Sni.Any());
         }
 
         [Fact]
-        public void ReadEndpointsOrEndpointDefaultsWithEmptySniKey_Throws()
+        public void ReadEndpointWithEmptySniKey_Throws()
         {
             var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
             {
                 new KeyValuePair<string, string>("Endpoints:End1:Url", "http://*:5001"),
                 new KeyValuePair<string, string>("Endpoints:End1:Sni::Protocols", "Http1"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni::Protocols", "Http1"),
             }).Build();
 
             var reader = new ConfigurationReader(config);
             var end1Ex = Assert.Throws<InvalidOperationException>(() => reader.Endpoints);
-            var defaultEx = Assert.Throws<InvalidOperationException>(() => reader.EndpointDefaults);
 
             Assert.Equal(CoreStrings.FormatSniNameCannotBeEmpty("End1"), end1Ex.Message);
-            Assert.Equal(CoreStrings.FormatSniNameCannotBeEmpty("EndpointDefaults"), defaultEx.Message);
         }
 
         [Fact]
-        public void ReadEndpointsOrEndpointDefaultsWithSniConfigured_ReturnsCorrectValue()
+        public void ReadEndpointWithSniConfigured_ReturnsCorrectValue()
         {
             var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
             {
@@ -322,11 +315,6 @@ public void ReadEndpointsOrEndpointDefaultsWithSniConfigured_ReturnsCorrectValue
                 new KeyValuePair<string, string>("Endpoints:End1:Sni:*.example.org:Certificate:Path", "/path/cert.pfx"),
                 new KeyValuePair<string, string>("Endpoints:End1:Sni:*.example.org:Certificate:Password", "certpassword"),
                 new KeyValuePair<string, string>("Endpoints:End1:SNI:*.example.org:ClientCertificateMode", "AllowCertificate"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:Protocols", "Http1"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:SslProtocols:0", "Tls12"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:Certificate:Path", "/path/cert.pfx"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:Certificate:Password", "certpassword"),
-                new KeyValuePair<string, string>("EndpointDefaults:SNI:*.example.org:ClientCertificateMode", "AllowCertificate"),
             }).Build();
 
             var reader = new ConfigurationReader(config);
@@ -343,7 +331,6 @@ static void VerifySniConfig(SniConfig config)
             }
 
             VerifySniConfig(reader.Endpoints.First().Sni["*.Example.org"]);
-            VerifySniConfig(reader.EndpointDefaults.Sni["*.Example.org"]);
         }
 
         [Fact]

src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs

@@ -831,51 +831,6 @@ public void DefaultEndpointConfigureSection_ConfigureHttpsDefaultsCanOverrideCli
             Assert.True(ran1);
         }
 
-        [Fact]
-        public void DefaultConfigSection_CanConfigureSni()
-        {
-            var serverOptions = CreateServerOptions();
-
-            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
-            {
-                new KeyValuePair<string, string>("Endpoints:End1:Url", "https://*:5001"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:Protocols", "None"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:SslProtocols:0", "Tls12"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:ClientCertificateMode", "AllowCertificate"),
-            }).Build();
-
-            var (_, endpointsToStart) = serverOptions.Configure(config).Reload();
-            var end1 = Assert.Single(endpointsToStart);
-            var (name, sniConfig) = Assert.Single(end1?.EndpointConfig?.Sni);
-
-            Assert.Equal("*.example.org", name);
-            Assert.Equal(HttpProtocols.None, sniConfig.Protocols);
-            Assert.Equal(SslProtocols.Tls12, sniConfig.SslProtocols);
-            Assert.Equal(ClientCertificateMode.AllowCertificate, sniConfig.ClientCertificateMode);
-        }
-
-        [Fact]
-        public void DefaultConfigSection_SniConfigurationIsOverriddenByNotMergedWithEndpointSpecificConfigSection()
-        {
-            var serverOptions = CreateServerOptions();
-
-            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
-            {
-                new KeyValuePair<string, string>("Endpoints:End1:Url", "https://*:5001"),
-                new KeyValuePair<string, string>("Endpoints:End1:Sni:*:Protocols", "None"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:Protocols", "Http1"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:SslProtocols:0", "Tls12"),
-                new KeyValuePair<string, string>("EndpointDefaults:Sni:*.example.org:ClientCertificateMode", "AllowCertificate"),
-            }).Build();
-
-            var (_, endpointsToStart) = serverOptions.Configure(config).Reload();
-            var end1 = Assert.Single(endpointsToStart);
-            var (name, sniConfig) = Assert.Single(end1?.EndpointConfig?.Sni);
-
-            Assert.Equal("*", name);
-            Assert.Equal(HttpProtocols.None, sniConfig.Protocols);
-        }
-
         [Fact]
         public void Reload_IdentifiesEndpointsToStartAndStop()
         {

src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs

@@ -95,73 +95,6 @@ void ConfigureListenOptions(ListenOptions listenOptions)
             }
         }
 
-        [ConditionalFact]
-        [OSSkipCondition(OperatingSystems.MacOSX, SkipReason = "Missing SslStream ALPN support: https://github.com/dotnet/corefx/issues/30492")]
-        [MinimumOSVersion(OperatingSystems.Windows, WindowsVersions.Win81)]
-        public async Task CanUseDefaultSniConfiguration()
-        {
-            var configuration = new ConfigurationBuilder().AddInMemoryCollection(new Dictionary<string, string>
-            {
-                ["EndpointDefaults:Sni:*.example.org:Protocols"] = "Http1",
-                ["EndpointDefaults:Sni:dot.net:Protocols"] = "None",
-            }).Build();
-
-            var options = new KestrelServerOptions();
-            var env = new Mock<IHostEnvironment>();
-            env.SetupGet(e => e.ContentRootPath).Returns(Directory.GetCurrentDirectory());
-
-            options.ApplicationServices = new ServiceCollection()
-                .AddLogging()
-                .AddSingleton(env.Object)
-                .BuildServiceProvider();
-
-            options.Configure(configuration).Load();
-
-            void ConfigureListenOptions(ListenOptions listenOptions)
-            {
-                listenOptions.KestrelServerOptions = options;
-                listenOptions.UseHttps(_x509Certificate2);
-                // We don't need to set listenOptions.Protocols since it will be flowed through the HttpProtocolsFeature
-            };
-
-            await using var server = new TestServer(context => Task.CompletedTask, new TestServiceContext(LoggerFactory), ConfigureListenOptions);
-
-            using var exampleConnection = server.CreateConnection();
-            var exampleSslOptions = new SslClientAuthenticationOptions
-            {
-                TargetHost = "a.example.org",
-                ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http11, SslApplicationProtocol.Http2 },
-            };
-
-            using var exampleStream = OpenSslStream(exampleConnection.Stream);
-            await exampleStream.AuthenticateAsClientAsync(exampleSslOptions);
-
-            Assert.Equal(SslApplicationProtocol.Http11, exampleStream.NegotiatedApplicationProtocol);
-
-            using var dotnetConnection = server.CreateConnection();
-            var dotnetSslOptions = new SslClientAuthenticationOptions
-            {
-                TargetHost = "dot.net",
-                ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http11, SslApplicationProtocol.Http2 },
-            };
-
-            using var dotnetStream = OpenSslStream(dotnetConnection.Stream);
-            await dotnetStream.AuthenticateAsClientAsync(dotnetSslOptions);
-
-            // HttpProtocols.None was configured, so there is no negotiated protocol
-            Assert.True(dotnetStream.NegotiatedApplicationProtocol.Protocol.IsEmpty);
-
-            using var emptyNameConnection = server.CreateConnection();
-            var emptyNameSslOptions = new SslClientAuthenticationOptions
-            {
-                TargetHost = "",
-            };
-
-            using var refusedStream = OpenSslStream(emptyNameConnection.Stream);
-            // We expect the handshake to throw here because Kestrel refuses the connection due to there being no TargetHost and now wildcard config.
-            await Assert.ThrowsAsync<IOException>(async () => await refusedStream.AuthenticateAsClientAsync(emptyNameSslOptions));
-        }
-
         [Fact]
         public async Task HandshakeDetailsAreAvailable()
         {