Skip to content

feat: support tls client hello bytes callback in Kestrel #61631

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 16 commits into
base: main
Choose a base branch
from
Open

feat: support tls client hello bytes callback in Kestrel #61631

wants to merge 16 commits into from
+859 −2

Conversation

DeagleGross
Copy link
Member

Supporting TLS Client Hello callback in Kestrel

HTTP.SYS contribution was done in this PR

Description

Adding a new property to HttpsConnectionAdapterOptions - TlsClientHelloBytesCallback (added to public API).
It allows to subscribe to the TLS client hello message parsed from the ConnectionContext.Transport.Input:

options.TlsClientHelloBytesCallback = (connection, clientHelloBytes) =>
{
    Logger.LogDebug("[Received TlsClientHelloBytesCallback] Connection: {0}; TLS client hello buffer: {1}", connection.ConnectionId, clientHelloBytes.Length);
};

If property HttpsConnectionAdapterOptions.TlsClientHelloBytesCallback is set (not null), then new middleware is added before HttpsConnectionMiddleware.

The implementation is doing the following:

  1. waiting for data to come
  2. if there is enough data, try to parse TLS and determine if we need to invoke a callback
  3. if there is not enough data, we either wait (not end of the stream) or simply continue the middleware pipeline

Fixes #60805

@DeagleGross DeagleGross self-assigned this Apr 23, 2025
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Apr 23, 2025
gfoidl
gfoidl reviewed Apr 23, 2025
View reviewed changes
Copy link
Member

@gfoidl gfoidl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM -- just a small comment.

BrennanConroy
BrennanConroy reviewed Apr 23, 2025
View reviewed changes
src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs
@@ -197,6 +198,15 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsConn
listenOptions.IsTls = true;
listenOptions.HttpsOptions = httpsOptions;

if (httpsOptions.TlsClientHelloBytesCallback is not null)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to add this for the other UseHttps overload at the bottom of the file?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it has a different use case (allows setup via TlsHandshakeCallbackOptions), but I added a check if (listenOptions.HttpsOptions?.TlsClientHelloBytesCallback is not null)

Configure Kestrel to use HTTPS. This does not use default certificates or other defaults specified via config or
KestrelServerOptions.ConfigureHttpsDefaults(Action)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not use default certificates or other defaults specified via config or
KestrelServerOptions.ConfigureHttpsDefaults(Action)

Probably shouldn't add it then.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But it does raise the question about client hello in that case. It also shows we have a client hello API already (although not very good) https://source.dot.net/#Microsoft.AspNetCore.Server.Kestrel.Core/TlsHandshakeCallbackContext.cs,97120719b6888c33,references

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to move the callback to TlsHandshakeCallbackOptions, but it requires setting OnConnection, and I dont think it should be required for TLS client hello.

I personally would leave it where we designed it - in HttpsConnectionAdapterOptions. Let me know what you think!

(talked with @halter73 about it as well)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I removed registration from overload using TlsHandshakeCallbackOptions, because it can result in 2 registrations of the middleware

@build-analysis build-analysis bot mentioned this pull request Apr 23, 2025
Open
3 tasks
@DeagleGross
Copy link
Member Author

add tests for SSL 2.0 and SSL 3.0

@DeagleGross
Copy link
Member Author

add tests for SSL 2.0 and SSL 3.0

done

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gfoidl gfoidl gfoidl left review comments

@BrennanConroy BrennanConroy BrennanConroy left review comments

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

@JamesNK JamesNK Awaiting requested review from JamesNK JamesNK is a code owner

@mgravell mgravell Awaiting requested review from mgravell mgravell is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@DeagleGross DeagleGross

Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

API Proposal: Expose TLS client hello message
3 participants
@DeagleGross @gfoidl @BrennanConroy