Skip to content

Use default SslProtocols in Kestrel #22437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jun 4, 2020
Merged

Use default SslProtocols in Kestrel #22437

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7437a64
Use default SslProtocols in Kestrel
halter73 Jun 1, 2020
9f06080
Fix tests
halter73 Jun 1, 2020
a15e233
Log "SslProtocol" after successful handshake
halter73 Jun 4, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions src/Servers/Kestrel/Core/src/CoreStrings.resx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -602,4 +602,7 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
<data name="GreaterThanOrEqualToZeroRequired" xml:space="preserve">
<value>A value greater than or equal to zero is required.</value>
</data>
<data name="HttpsConnectionEstablished" xml:space="preserve">
<value>Connection "{connectionId}" established using the following protocol: {protocol}</value>
</data>
</root>
4 changes: 2 additions & 2 deletions src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,6 @@ public class HttpsConnectionAdapterOptions
public HttpsConnectionAdapterOptions()
{
ClientCertificateMode = ClientCertificateMode.NoCertificate;
SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
HandshakeTimeout = TimeSpan.FromSeconds(10);
}

Expand Down Expand Up @@ -61,7 +60,8 @@ public HttpsConnectionAdapterOptions()
public Func<X509Certificate2, X509Chain, SslPolicyErrors, bool> ClientCertificateValidation { get; set; }

/// <summary>
/// Specifies allowable SSL protocols. Defaults to <see cref="SslProtocols.Tls12" /> and <see cref="SslProtocols.Tls11"/>.
/// Specifies allowable SSL protocols. Defaults to <see cref="SslProtocols.None" /> which allows the operating system to choose the best protocol to use,
/// and to block protocols that are not secure. Unless your app has a specific reason not to, you should use this default.
/// </summary>
public SslProtocols SslProtocols { get; set; }

Expand Down
2 changes: 2 additions & 0 deletions src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -252,6 +252,8 @@ public async Task OnConnectionAsync(ConnectionContext context)

KestrelEventSource.Log.TlsHandshakeStop(context, feature);

_logger.LogDebug(3, CoreStrings.HttpsConnectionEstablished, context.ConnectionId, sslStream.SslProtocol);

var originalTransport = context.Transport;

try
Expand Down
3 changes: 2 additions & 1 deletion src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -362,12 +362,13 @@ void ConfigureListenOptions(ListenOptions listenOptions)
}

[Fact]
public async Task DoesNotSupportTls10()
public async Task Tls10CanBeDisabled()
{
void ConfigureListenOptions(ListenOptions listenOptions)
{
listenOptions.UseHttps(options =>
{
options.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
options.ServerCertificate = _x509Certificate2;
options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
options.AllowAnyClientCertificate();
Expand Down
5 changes: 4 additions & 1 deletion src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -366,7 +366,10 @@ public async Task ClientAttemptingToUseUnsupportedProtocolIsLoggedAsDebug()
new TestServiceContext(LoggerFactory),
listenOptions =>
{
listenOptions.UseHttps(TestResources.GetTestCertificate("no_extensions.pfx"));
listenOptions.UseHttps(TestResources.GetTestCertificate("no_extensions.pfx"), httpsOptions =>
{
httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens without this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm deleting my last comment and resubmitting so those reading this via notifications or email will hopefully be less confused. I wrote "is not" in the last comment when I meant "is".

TLS 1.0 is not allowed by default on my Windows 10 Insider Preview machine. This was brought up as a problem in #14997, is why we didn't use the defaults in the first place, and is why I was asking about whether we should log at a higher level if TLS 1.0 or SSL is used.

});
}))
{
using (var connection = server.CreateConnection())
Expand Down