Skip to content

Kestrel Override Client Cert Validation #11423

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Jun 21, 2019
Merged

Kestrel Override Client Cert Validation #11423

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
767e464
Kestrel allow any client cert
mikaelm12 Jun 20, 2019
0d9e202
update
mikaelm12 Jun 20, 2019
4614f69
newline
mikaelm12 Jun 20, 2019
a4414f4
pr feedback
mikaelm12 Jun 20, 2019
6c7e8e2
update tests
mikaelm12 Jun 20, 2019
d632669
unused using
mikaelm12 Jun 20, 2019
dd5aca5
GenerateReferenceSource
mikaelm12 Jun 20, 2019
d2e442f
offline desgin change
mikaelm12 Jun 20, 2019
49414fd
clean up
mikaelm12 Jun 20, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https
public class HttpsConnectionAdapterOptions
{
private TimeSpan _handshakeTimeout;
private Func<X509Certificate2, X509Chain, SslPolicyErrors, bool> _clientCertificateValidation;

/// <summary>
/// Initializes a new instance of <see cref="HttpsConnectionAdapterOptions"/>.
Expand Down Expand Up @@ -58,7 +59,14 @@ public HttpsConnectionAdapterOptions()
/// <summary>
/// Specifies a callback for additional client certificate validation that will be invoked during authentication.
/// </summary>
public Func<X509Certificate2, X509Chain, SslPolicyErrors, bool> ClientCertificateValidation { get; set; }
public Func<X509Certificate2, X509Chain, SslPolicyErrors, bool> ClientCertificateValidation {
get
{
return AllowAnyClientCertificate ? (_, __, ___) => true : _clientCertificateValidation;
}

set => _clientCertificateValidation = value;
}

/// <summary>
/// Specifies allowable SSL protocols. Defaults to <see cref="SslProtocols.Tls12" /> and <see cref="SslProtocols.Tls11"/>.
Expand All @@ -76,6 +84,11 @@ public HttpsConnectionAdapterOptions()
/// </summary>
public bool CheckCertificateRevocation { get; set; }

/// <summary>
/// When set to true, allows any client certificate.
/// </summary>
public bool AllowAnyClientCertificate { get; set; }

/// <summary>
/// Provides direct configuration of the <see cref="SslServerAuthenticationOptions"/> on a per-connection basis.
/// This is called after all of the other settings have already been applied.
Expand Down
16 changes: 15 additions & 1 deletion src/Servers/Kestrel/Kestrel/test/HttpsConnectionAdapterOptionsTest.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Copyright (c) .NET Foundation. All rights reserved.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: remove diff.

// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using System.Net.Security;
using System.Threading;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;
Expand All @@ -17,6 +18,19 @@ public void HandshakeTimeoutDefault()
Assert.Equal(TimeSpan.FromSeconds(10), new HttpsConnectionAdapterOptions().HandshakeTimeout);
}

[Fact]
public void AllowAnyCertificateOverridesValidationFunc()
{
var connectionAdapterOptions = new HttpsConnectionAdapterOptions
{
ClientCertificateMode = ClientCertificateMode.RequireCertificate,
ClientCertificateValidation = (x509Cert, x509Chain, sslPolicyErrors) => false,
AllowAnyClientCertificate = true
};

Assert.True(connectionAdapterOptions.ClientCertificateValidation(null, null, SslPolicyErrors.None));
}

[Theory]
[MemberData(nameof(TimeoutValidData))]
public void HandshakeTimeoutValid(TimeSpan value)
Expand Down
6 changes: 3 additions & 3 deletions src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -343,7 +343,7 @@ void ConfigureListenOptions(ListenOptions listenOptions)
{
ServerCertificate = _x509Certificate2,
ClientCertificateMode = ClientCertificateMode.RequireCertificate,
ClientCertificateValidation = (certificate, chain, sslPolicyErrors) => true
AllowAnyClientCertificate = true
});
}

Expand Down Expand Up @@ -392,7 +392,7 @@ void ConfigureListenOptions(ListenOptions listenOptions)
{
ServerCertificate = _x509Certificate2,
ClientCertificateMode = ClientCertificateMode.RequireCertificate,
ClientCertificateValidation = (certificate, chain, sslPolicyErrors) => true
AllowAnyClientCertificate = true
});
}

Expand Down Expand Up @@ -507,7 +507,7 @@ void ConfigureListenOptions(ListenOptions listenOptions)
{
ServerCertificate = _x509Certificate2,
ClientCertificateMode = ClientCertificateMode.RequireCertificate,
ClientCertificateValidation = (certificate, chain, sslPolicyErrors) => true
AllowAnyClientCertificate = true
});
}

Expand Down