Implement client certificate authentication #351
Task.Run eventually ends up being QueueUserWorkItem. The returned task is ignored, so no added goodness. Short running item. Cut out the middleman
Hi @tmds, I'm your friendly neighborhood .NET Foundation Pull Request Bot (You can call me DNFBOT). Thanks for your contribution! The agreement was validated by .NET Foundation and real humans are currently evaluating your PR. TTYL, DNFBOT
@@ -14,6 +14,8 @@ | |||
using Microsoft.AspNet.Server.Kestrel.Infrastructure; | |||
using Microsoft.Extensions.Logging; | |||
using Microsoft.Extensions.Primitives; | |||
using System.Security.Cryptography.X509Certificates; | |||
using Microsoft.AspNet.Http.Features.Internal; |
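Review bot: The two new `using` directives are appended after `Microsoft.Extensions.Primitives` instead of being sorted into the existing block; `using System.Security.Cryptography.X509Certificates;` belongs with the `System` namespaces and `using Microsoft.AspNet.Http.Features.Internal;` with the other `Microsoft.AspNet` usings. Separately, taking a dependency on an `Internal` namespace of another package is brittle, since it is not part of that package's supported public surface; if a public type for the TLS connection feature exists, prefer it here.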
Sort usings
@tmds Take a look at the appveyor failure
@@ -21,7 +26,7 @@ public static IApplicationBuilder UseKestrelHttps(this IApplicationBuilder app, | |||
|
|||
var prevFilter = serverInfo.ConnectionFilter ?? new NoOpConnectionFilter(); | |||
|
|||
serverInfo.ConnectionFilter = new HttpsConnectionFilter(cert, prevFilter); | |||
serverInfo.ConnectionFilter = new HttpsConnectionFilter(cert, mode, prevFilter); |
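Review bot: Threading `mode` through `HttpsConnectionFilter(cert, mode, prevFilter)` as a positional argument next to `cert` invites call-site mistakes and grows the constructor every time HTTPS gains a setting (validation callback, allowed protocols, revocation checking). Wrap the certificate and client-certificate mode in an `HttpsConnectionFilterOptions` object, as the review comments ask, so `UseKestrelHttps` takes the options and later settings can be added without another signature change.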
HttpsConnectionFilter really should have an Options class like we do with most middleware.
I think we need to make the IConnectionFilter abstraction more powerful so all of the client cert work can happen in the https package through extension points. @halter73
await rather than synchronously blocking and then returning a Task.FromResult
…otnet5 SslStream does)
Resolves #339
- This should stop the AVs we've been seeing in some of our test runs
…not provide a certificate and mode is set to Allow/RequireCertificate
…ertificate is passed to the HttpContext
@davidfowl @Tratcher can you do another review?
@@ -2,13 +2,18 @@ | |||
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. | |||
|
|||
#if DNX451 |
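Review bot: The `#if DNX451` guard added right after the license header leaves the CoreCLR build without this client-certificate code path; unless the other branch fails loudly, a caller who configures Allow/RequireCertificate on CoreCLR gets a server that never checks client certificates instead of a startup error. Add a comment on the guard stating why it exists (the missing `X509Certificate2(X509Certificate)` conversion tracked in the corefx issues linked in this thread) so it is removed once the API lands, and have the non-DNX451 branch throw `PlatformNotSupportedException` when a client-certificate mode other than NoCertificate is requested.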
This is looking good. Thanks for adding the HttpsConnectionFilterOptions.
Recently we enabled these HttpsConnectionFilterTests on CoreClr since SslStream is now available for that.
Can you rebase this PR on dev and verify that client certificates work with CoreClr? Thanks!
It doesn't work on CoreClr. The ssl validation callback gets a X509Certificate and the constructor X509Certificate2(X509Certificate) to convert it doesn't exist (yet).
I created an issue: https://github.com/dotnet/corefx/issues/4510
And another one: https://github.com/dotnet/corefx/issues/4512
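As an added illustration (not code from this PR or from Kestrel), here is how the client-certificate modes the commits above describe (Allow/RequireCertificate when the client presents no certificate) and the X509Certificate-to-X509Certificate2 conversion problem raised in the comment above can be handled in an SslStream validation callback. `ClientCertificateMode`, `HttpsConnectionFilterOptions`, `ClientCertificateValidation` and the `ClientCertificateHandshake` class are assumed names modelled on the thread, not the project's actual types, and the fallback conversion through `GetRawCertData()` is this example's workaround rather than what the PR does.

```csharp
// Added example, not Kestrel code. Type and member names below are assumptions
// modelled on the PR discussion, not the project's real API surface.
using System;
using System.IO;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public enum ClientCertificateMode
{
    NoCertificate,      // never ask the client for a certificate
    AllowCertificate,   // request one; a missing certificate is acceptable
    RequireCertificate  // request one; a missing or untrusted certificate fails the handshake
}

public class HttpsConnectionFilterOptions
{
    public X509Certificate2 ServerCertificate { get; set; }
    public ClientCertificateMode ClientCertificateMode { get; set; } = ClientCertificateMode.NoCertificate;
    // Optional application check on an already chain-validated certificate
    // (e.g. pin the issuer); null means chain validation alone decides.
    public Func<X509Certificate2, X509Chain, bool> ClientCertificateValidation { get; set; }
}

public static class ClientCertificateHandshake
{
    // Decides whether the handshake may proceed. This is the "client does not provide a
    // certificate and mode is Allow/RequireCertificate" case from the commit list.
    public static bool Validate(HttpsConnectionFilterOptions options, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
        {
            // SslStream reports a missing client certificate as RemoteCertificateNotAvailable
            // and leaves the decision to this callback, so Require is enforced here.
            return options.ClientCertificateMode != ClientCertificateMode.RequireCertificate;
        }

        // Chain or name errors mean the certificate is not trustworthy. Never accept it just
        // because the mode is Allow: a bad certificate is worse than no certificate.
        if (errors != SslPolicyErrors.None)
        {
            return false;
        }

        var cert2 = ToX509Certificate2(certificate);
        return options.ClientCertificateValidation == null
            || options.ClientCertificateValidation(cert2, chain);
    }

    // The callback receives an X509Certificate. The thread notes that the
    // X509Certificate2(X509Certificate) constructor is missing on CoreCLR, so this example
    // falls back to rebuilding the X509Certificate2 from the raw DER bytes (assumption:
    // GetRawCertData() and the byte[] constructor are available on the target runtime).
    public static X509Certificate2 ToX509Certificate2(X509Certificate certificate)
    {
        return certificate as X509Certificate2 ?? new X509Certificate2(certificate.GetRawCertData());
    }

    public static async Task<SslStream> AuthenticateAsync(Stream transport, HttpsConnectionFilterOptions options)
    {
        var ssl = new SslStream(transport, leaveInnerStreamOpen: false,
            userCertificateValidationCallback: (sender, cert, chain, errors) => Validate(options, cert, chain, errors));

        // Only ask the client for a certificate when the mode wants one; with NoCertificate
        // the callback is never involved in a client-certificate decision.
        var requestClientCert = options.ClientCertificateMode != ClientCertificateMode.NoCertificate;
        await ssl.AuthenticateAsServerAsync(options.ServerCertificate, requestClientCert,
            SslProtocols.Tls12, checkCertificateRevocation: true);
        return ssl;
    }
}
```

After `AuthenticateAsync` completes, `ssl.RemoteCertificate` (converted with `ToX509Certificate2`) is the value a connection filter would expose through the request's TLS connection feature, which is the step the "certificate is passed to the HttpContext" commit in this PR performs; it is null when the mode is Allow and the client sent nothing, so consumers must handle that case.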
…tionFeature in HttpsConnectionFilter
…otnet5 SslStream does)
…not provide a certificate and mode is set to Allow/RequireCertificate
…ertificate is passed to the HttpContext
…tionFeature in HttpsConnectionFilter
ok, rebasing did not work as expected...
I guess I did something wrong...
@tmds do this; you will get a prompt. Squash all 36 commits, only leave the one that you want, and then resolve merge conflicts if there are any, and you are ready for the last step ... Note: this assumes origin refers to your kestrel fork; otherwise replace origin accordingly. git push origin client_certificate --force
I made another pull request to replace this one #385 @shahid-pk thanks for your suggestion. I was unsure how to apply it. Executing the rebase command gave me a list of all commits. About half of these commits were part of the pull request, the other half came from 'rebasing'. It isn't clear to me what I should select for those types of commits: pick, squash, .... I've read on stackoverflow I should have done a 'force push' to avoid combining the two histories.
Implement client certificate authentication (#332)