Validate that HTTPS config is not applied to non-HTTPS endpoints

Author: halter73

src/Servers/Kestrel/Core/src/CoreStrings.resx

@@ -629,4 +629,7 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
   <data name="SniNameCannotBeEmpty" xml:space="preserve">
     <value>The endpoint {endpointName} is invalid because an SNI configuration section has an empty string as its key. Use a wildcard ('*') SNI section to match all server names.</value>
   </data>
+  <data name="EndpointHasUnusedHttpsConfig" xml:space="preserve">
+    <value>The non-HTTPS endpoint {endpointName} includes HTTPS-only configuration for {keyName}.</value>
+  </data>
 </root>

src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs

@@ -16,13 +16,12 @@ internal class ConfigurationReader
         private const string CertificatesKey = "Certificates";
         private const string CertificateKey = "Certificate";
         private const string SslProtocolsKey = "SslProtocols";
+        private const string EndpointDefaultsKey = "EndpointDefaults";
         private const string EndpointsKey = "Endpoints";
         private const string UrlKey = "Url";
         private const string ClientCertificateModeKey = "ClientCertificateMode";
         private const string SniKey = "Sni";
 
-        internal const string EndpointDefaultsKey = "EndpointDefaults";
-
         private readonly IConfiguration _configuration;
 
         private IDictionary<string, CertificateConfig> _certificates;
@@ -131,7 +130,7 @@ private IEnumerable<EndpointConfig> ReadEndpoints()
             return endpoints;
         }
 
-        private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig, string endpointName)
+        private static Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig, string endpointName)
         {
             var sniDictionary = new Dictionary<string, SniConfig>(0, StringComparer.OrdinalIgnoreCase);
 
@@ -177,7 +176,7 @@ private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig, s
         }
 
 
-        private ClientCertificateMode? ParseClientCertificateMode(string clientCertificateMode)
+        private static ClientCertificateMode? ParseClientCertificateMode(string clientCertificateMode)
         {
             if (Enum.TryParse<ClientCertificateMode>(clientCertificateMode, ignoreCase: true, out var result))
             {
@@ -211,6 +210,29 @@ private Dictionary<string, SniConfig> ReadSni(IConfigurationSection sniConfig, s
                 return acc;
             });
         }
+
+        internal static void ThrowIfContainsHttpsOnlyConfiguration(EndpointConfig endpoint)
+        {
+            if (endpoint.Certificate.IsFileCert || endpoint.Certificate.IsStoreCert)
+            {
+                throw new InvalidOperationException(CoreStrings.FormatEndpointHasUnusedHttpsConfig(endpoint.Name, CertificateKey));
+            }
+
+            if (endpoint.ClientCertificateMode.HasValue)
+            {
+                throw new InvalidOperationException(CoreStrings.FormatEndpointHasUnusedHttpsConfig(endpoint.Name, ClientCertificateModeKey));
+            }
+
+            if (endpoint.SslProtocols.HasValue)
+            {
+                throw new InvalidOperationException(CoreStrings.FormatEndpointHasUnusedHttpsConfig(endpoint.Name, SslProtocolsKey));
+            }
+
+            if (endpoint.Sni.Count > 0)
+            {
+                throw new InvalidOperationException(CoreStrings.FormatEndpointHasUnusedHttpsConfig(endpoint.Name, SniKey));
+            }
+        }
     }
 
     // "EndpointDefaults": {
@@ -223,7 +245,6 @@ internal class EndpointDefaults
         public HttpProtocols? Protocols { get; set; }
         public SslProtocols? SslProtocols { get; set; }
         public ClientCertificateMode? ClientCertificateMode { get; set; }
-        public Dictionary<string, SniConfig> Sni { get; set; }
     }
 
     // "EndpointName": {

src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs

@@ -295,6 +295,11 @@ public void Load()
             {
                 var listenOptions = AddressBinder.ParseAddress(endpoint.Url, out var https);
 
+                if (!https)
+                {
+                    ConfigurationReader.ThrowIfContainsHttpsOnlyConfiguration(endpoint);
+                }
+
                 Options.ApplyEndpointDefaults(listenOptions);
 
                 if (endpoint.Protocols.HasValue)

src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs

@@ -432,6 +432,88 @@ public void ConfigureEndpointDevelopmentCertificateGetsIgnoredIfPfxFileDoesNotEx
             }
         }
 
+        [Fact]
+        public void ConfigureEndpoint_ThrowsWhen_HttpsConfigIsDeclaredInNonHttpsEndpoints()
+        {
+            var serverOptions = CreateServerOptions();
+
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Endpoints:End1:Url", "http://*:5001"),
+                // We shouldn't need to specify a real cert, because KestrelConfigurationLoader should check whether the endpoint requires a cert before trying to load it.
+                new KeyValuePair<string, string>("Endpoints:End1:Certificate:Path", "fakecert.pfx"),
+            }).Build();
+
+            var ex = Assert.Throws<InvalidOperationException>(() => serverOptions.Configure(config).Load());
+            Assert.Equal(CoreStrings.FormatEndpointHasUnusedHttpsConfig("End1", "Certificate"), ex.Message);
+
+            config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Endpoints:End1:Url", "http://*:5001"),
+                new KeyValuePair<string, string>("Endpoints:End1:Certificate:Subject", "example.org"),
+            }).Build();
+
+            ex = Assert.Throws<InvalidOperationException>(() => serverOptions.Configure(config).Load());
+            Assert.Equal(CoreStrings.FormatEndpointHasUnusedHttpsConfig("End1", "Certificate"), ex.Message);
+
+            config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Endpoints:End1:Url", "http://*:5001"),
+                new KeyValuePair<string, string>("Endpoints:End1:ClientCertificateMode", ClientCertificateMode.RequireCertificate.ToString()),
+            }).Build();
+
+            ex = Assert.Throws<InvalidOperationException>(() => serverOptions.Configure(config).Load());
+            Assert.Equal(CoreStrings.FormatEndpointHasUnusedHttpsConfig("End1", "ClientCertificateMode"), ex.Message);
+
+            config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Endpoints:End1:Url", "http://*:5001"),
+                new KeyValuePair<string, string>("Endpoints:End1:SslProtocols:0", SslProtocols.Tls13.ToString()),
+            }).Build();
+
+            ex = Assert.Throws<InvalidOperationException>(() => serverOptions.Configure(config).Load());
+            Assert.Equal(CoreStrings.FormatEndpointHasUnusedHttpsConfig("End1", "SslProtocols"), ex.Message);
+
+            config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Endpoints:End1:Url", "http://*:5001"),
+                new KeyValuePair<string, string>("Endpoints:End1:Sni:Protocols", HttpProtocols.Http1.ToString()),
+            }).Build();
+
+            ex = Assert.Throws<InvalidOperationException>(() => serverOptions.Configure(config).Load());
+            Assert.Equal(CoreStrings.FormatEndpointHasUnusedHttpsConfig("End1", "Sni"), ex.Message);
+        }
+
+        [Fact]
+        public void ConfigureEndpoint_DoesNotThrowWhen_HttpsConfigIsDeclaredInEndpointDefaults()
+        {
+            var serverOptions = CreateServerOptions();
+
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Endpoints:End1:Url", "http://*:5001"),
+                new KeyValuePair<string, string>("EndpointDefaults:ClientCertificateMode", ClientCertificateMode.RequireCertificate.ToString()),
+            }).Build();
+
+            var (_, endpointsToStart) = serverOptions.Configure(config).Reload();
+            var end1 = Assert.Single(endpointsToStart);
+            Assert.NotNull(end1?.EndpointConfig);
+            Assert.Null(end1.EndpointConfig.ClientCertificateMode);
+
+            serverOptions = CreateServerOptions();
+
+            config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Endpoints:End1:Url", "http://*:5001"),
+                new KeyValuePair<string, string>("EndpointDefaults:SslProtocols:0", SslProtocols.Tls13.ToString()),
+            }).Build();
+
+            (_, endpointsToStart) = serverOptions.Configure(config).Reload();
+            end1 = Assert.Single(endpointsToStart);
+            Assert.NotNull(end1?.EndpointConfig);
+            Assert.Null(end1.EndpointConfig.SslProtocols);
+        }
+
         [ConditionalTheory]
         [InlineData("http1", HttpProtocols.Http1)]
         // [InlineData("http2", HttpProtocols.Http2)] // Not supported due to missing ALPN support. https://github.com/dotnet/corefx/issues/33016
@@ -746,6 +828,36 @@ public void EndpointConfigureSection_CanSetClientCertificateMode()
             Assert.True(ran2);
         }
 
+
+        [Fact]
+        public void EndpointConfigureSection_CanConfigureSni()
+        {
+            var serverOptions = CreateServerOptions();
+            var certPath = Path.Combine("shared", "TestCertificates", "https-ecdsa.pem");
+            var keyPath = Path.Combine("shared", "TestCertificates", "https-ecdsa.key");
+
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Endpoints:End1:Url", "https://*:5001"),
+                new KeyValuePair<string, string>("Endpoints:End1:Sni:*.example.org:Protocols", HttpProtocols.None.ToString()),
+                new KeyValuePair<string, string>("Endpoints:End1:Sni:*.example.org:SslProtocols:0", SslProtocols.Tls13.ToString()),
+                new KeyValuePair<string, string>("Endpoints:End1:Sni:*.example.org:ClientCertificateMode", ClientCertificateMode.RequireCertificate.ToString()),
+                new KeyValuePair<string, string>("Endpoints:End1:Sni:*.example.org:Certificate:Path", certPath),
+                new KeyValuePair<string, string>("Endpoints:End1:Sni:*.example.org:Certificate:KeyPath", keyPath),
+            }).Build();
+
+            var (_, endpointsToStart) = serverOptions.Configure(config).Reload();
+            var end1 = Assert.Single(endpointsToStart);
+            var (name, sniConfig) = Assert.Single(end1?.EndpointConfig?.Sni);
+
+            Assert.Equal("*.example.org", name);
+            Assert.Equal(HttpProtocols.None, sniConfig.Protocols);
+            Assert.Equal(SslProtocols.Tls13, sniConfig.SslProtocols);
+            Assert.Equal(ClientCertificateMode.RequireCertificate, sniConfig.ClientCertificateMode);
+            Assert.Equal(certPath, sniConfig.Certificate.Path);
+            Assert.Equal(keyPath, sniConfig.Certificate.KeyPath);
+        }
+
         [Fact]
         public void EndpointConfigureSection_CanOverrideClientCertificateModeFromConfigureHttpsDefaults()
         {