Skip to content

Load ClientCertificateMode from config #24076

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jul 23, 2020
Merged

Load ClientCertificateMode from config #24076

merged 6 commits into from
Jul 23, 2020

Conversation

@Kahbazi
Copy link
Member

@Kahbazi Kahbazi commented Jul 17, 2020

Fixes #18660

@ghost ghost added the area-servers label Jul 17, 2020
Tratcher
Tratcher reviewed Jul 21, 2020
View reviewed changes
src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs Outdated
httpsOptions.ServerCertificate = LoadCertificate(endpoint.Certificate, endpoint.Name)
?? httpsOptions.ServerCertificate;

httpsOptions.ClientCertificateMode = ConfigurationReader.ClientCertificateMode ?? httpsOptions.ClientCertificateMode;
Copy link
Member

@Tratcher Tratcher Jul 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Organization: This was inserted between to related code sections dealing with server certs. Move it up above line 293.

src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs Outdated
return endpoints;
}

private ClientCertificateMode? ReadClientCertificateMode()
Copy link
Member

@Tratcher Tratcher Jul 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only supports a global setting, not a setting per endpoint?

Copy link
Member Author

@Kahbazi Kahbazi Jul 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't find the code which options for each endpoint is being set from config. Could you point me to it please?

Copy link
Member

@Tratcher Tratcher Jul 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

aspnetcore/src/Servers/Kestrel/Core/src/Internal/ConfigurationReader.cs

Line 98 in 0506325

SslProtocols = ParseSslProcotols(endpointConfig.GetSection(SslProtocolsKey))

Copy link
Member Author

@Kahbazi Kahbazi Jul 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Uhhmm. I'm confused! EndpointConfig doesn't have a ClientCertificateMode property. Am I missing something? Is it even possible to set ClientCertificateMode per endpoint?

Copy link
Member

@Tratcher Tratcher Jul 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EndpointConfig is an internal config construct, you should add ClientCertificateMode there.

halter73
halter73 reviewed Jul 21, 2020
View reviewed changes
halter73
halter73 reviewed Jul 21, 2020
View reviewed changes
src/Servers/Kestrel/Core/src/KestrelConfigurationLoader.cs Outdated
httpsOptions.SslProtocols = endpoint.SslProtocols.Value;
}

httpsOptions.ClientCertificateMode = endpoint.ClientCertificateMode ?? ConfigurationReader.ClientCertificateMode ?? httpsOptions.ClientCertificateMode;
Copy link
Member

@halter73 halter73 Jul 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should apply the global ConfigurationReader.ClientCertificateMode before calling ApplyHttpsDefaults then apply endpoint.ClientCertificateMode afterwards. This way global config doesn't override what was done in code via ConfigureHttpsDefaults. Our handling of SslProtocols is very similar.

We should also add some KestrelConfigurationLoader tests to verify whatever behavior we decide on.

@Tratcher Tratcher merged commit 8b79720 into dotnet:master Jul 23, 2020
@Tratcher
Copy link
Member

Tratcher commented Jul 23, 2020

Thanks

@Tratcher Tratcher added this to the 5.0.0-rc1 milestone Jul 23, 2020
@Kahbazi Kahbazi deleted the kahbazi/clientCertificateMode branch July 23, 2020 03:22
@kamranayub
Copy link

kamranayub commented Jul 25, 2020

You're the best @Kahbazi thank you, a small quality of life improvement but much appreciated 🥇

@halter73 halter73 mentioned this pull request Sep 21, 2020
Closed
@JamesNK JamesNK mentioned this pull request Sep 23, 2020
Closed
2 tasks
@BrennanConroy BrennanConroy mentioned this pull request May 5, 2021
Closed
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@halter73 halter73 halter73 approved these changes

@Tratcher Tratcher Tratcher approved these changes

@jkotalik jkotalik Awaiting requested review from jkotalik

Assignees

No one assigned

Labels

area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions

Projects

None yet

Milestone

5.0.0-rc1

Development

Successfully merging this pull request may close these issues.

Setting the ClientCertificateMode Kestrel server option from an appsettings.json file.

5 participants

@Kahbazi @Tratcher @kamranayub @halter73 @amcasey