Closed
Description
In 5.0 we added the following API so users could customize TLS settings on a per-connection basis:
This directly exposes SslStream's ServerOptionsSelectionCallback delegate. The problem we're running into now is that customers need access to Kestrel-specific state inside that callback, like the ConnectionContext, transport information (IPs), enabling/disabling client cert renegotiation, etc.
There is an internal API used by the config code that wraps ServerOptionsSelectionCallback and exposes the ConnectionContext.
That API isn't very future-proof; I'm already having to modify it for client certs (#33264). Modifying it to take a specific context object might be more future-proof.
Updated proposal:
+ public static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsConnectionMiddlewareOptions options);
+ public class HttpsConnectionMiddlewareOptions
+ {
+ public Func<TlsCallbackContext, ValueTask<SslServerAuthenticationOptions>> OnConnection { get; set; } // Required
+ public object? OnConnectionState { get; set; }
+ public TimeSpan HandshakeTimeout { get; set; } = (our default)
+ }
+ public sealed class TlsCallbackContext
+ {
+ // ServerOptionsSelectionCallback parameters
+ public SslStream SslStream { get; }
+ public SslClientHelloInfo ClientHelloInfo { get; }
+ public object? State { get; }
+ public CancellationToken CancellationToken { get; }
+ // Kestrel specific
+ public ConnectionContext Connection { get; }
+ public bool AllowDelayedClientCertificateNegotation { get; set; }
+ }
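Review bot: `AllowDelayedClientCertificateNegotation` on `TlsCallbackContext` is misspelled (should be `...Negotiation`), and since it is public settable surface it will be painful to rename after shipping. `OnConnection` is marked `// Required` only by a comment; a get/set property on an options object cannot enforce that, so `UseHttps(this ListenOptions, HttpsConnectionMiddlewareOptions)` should validate `options.OnConnection` is non-null up front and throw an `ArgumentException`, rather than failing on the first handshake. `HandshakeTimeout` still reads `= (our default)`; the proposal should state the concrete value so reviewers can compare it with the existing overloads. Finally, the state object is `OnConnectionState` on the options but `State` on the context; picking one name for both would make the pairing obvious.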
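The point of exposing `ConnectionContext` in the callback is that TLS policy can depend on transport facts (who is connecting) and not just on the ClientHello. The following is an added example written against the proposed surface above (`HttpsConnectionMiddlewareOptions`, `TlsCallbackContext`, `UseHttps(HttpsConnectionMiddlewareOptions)`); it is not code from the issue or from Kestrel, the proposed names may differ from whatever ships, and the host names, certificate paths, partner subnet and client thumbprint are constructed placeholders. It picks a server certificate by SNI, requires mTLS at handshake only for a partner host reached from a known network, and enables delayed client certificate negotiation for an admin host so the app can prompt for a cert per endpoint.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;

// Assumption: HttpsConnectionMiddlewareOptions / TlsCallbackContext are the proposed types
// from this issue, not a shipped API. Everything else below is regular .NET.
public static class PerConnectionTlsPolicy
{
    // Certificates are loaded once, outside the callback. Loading from disk or a store
    // per ClientHello would turn every handshake (including unauthenticated ones) into I/O.
    // Paths are constructed placeholders.
    private static readonly X509Certificate2 PublicCert  = new X509Certificate2("public.pfx");
    private static readonly X509Certificate2 PartnerCert = new X509Certificate2("partner.pfx");
    private static readonly X509Certificate2 AdminCert   = new X509Certificate2("admin.pfx");

    // Constructed allowlist of partner client certificate thumbprints (SHA-1 hex, uppercase).
    private static readonly HashSet<string> PartnerClientThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "0000000000000000000000000000000000000000" };

    public static void Configure(KestrelServerOptions kestrel)
    {
        kestrel.ListenAnyIP(443, listen => listen.UseHttps(new HttpsConnectionMiddlewareOptions
        {
            OnConnection = OnConnection,
            HandshakeTimeout = TimeSpan.FromSeconds(10), // bound slow-loris style handshakes
        }));
    }

    // Runs once per TLS handshake, before any HTTP bytes exist.
    private static ValueTask<SslServerAuthenticationOptions> OnConnection(TlsCallbackContext ctx)
    {
        var sni = ctx.ClientHelloInfo.ServerName ?? string.Empty;
        var options = new SslServerAuthenticationOptions
        {
            EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
            ApplicationProtocols = new List<SslApplicationProtocol>
                { SslApplicationProtocol.Http2, SslApplicationProtocol.Http11 },
        };

        // Transport fact (remote IP) comes from the ConnectionContext, which the 5.0
        // ServerOptionsSelectionCallback overload does not give you.
        bool fromPartnerNetwork = IsInPartnerNetwork(ctx.Connection.RemoteEndPoint);

        if (sni.Equals("partner.example.com", StringComparison.OrdinalIgnoreCase) && fromPartnerNetwork)
        {
            // Machine-to-machine host: client certificate is mandatory at handshake time.
            options.ServerCertificate = PartnerCert;
            options.ClientCertificateRequired = true;
            options.RemoteCertificateValidationCallback = ValidatePartnerClientCert;
        }
        else if (sni.Equals("admin.example.com", StringComparison.OrdinalIgnoreCase))
        {
            // Browser-facing host: no cert at handshake, but let the app request one later
            // (e.g. HttpContext.Connection.GetClientCertificateAsync on admin endpoints).
            // Renegotiation only exists for HTTP/1.1, so restrict ALPN accordingly.
            options.ServerCertificate = AdminCert;
            options.ClientCertificateRequired = false;
            options.RemoteCertificateValidationCallback = ValidatePartnerClientCert;
            options.ApplicationProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http11 };
            ctx.AllowDelayedClientCertificateNegotation = true; // spelling as in the proposal
        }
        else
        {
            // Unknown, missing or spoofed SNI (e.g. partner host from the wrong network)
            // always falls back to the public identity; never serve a cert based on SNI alone.
            options.ServerCertificate = PublicCert;
        }

        return ValueTask.FromResult(options);
    }

    private static bool ValidatePartnerClientCert(
        object sender, X509Certificate? cert, X509Chain? chain, SslPolicyErrors errors)
    {
        // Chain must already be clean; then pin to the explicit allowlist.
        if (cert is null || errors != SslPolicyErrors.None) return false;
        var thumbprint = new X509Certificate2(cert).Thumbprint;
        return thumbprint is not null && PartnerClientThumbprints.Contains(thumbprint);
    }

    // Constructed partner range: 10.20.0.0/16. Handles IPv4-mapped IPv6 from dual-stack sockets.
    private static bool IsInPartnerNetwork(EndPoint? remote)
    {
        if (remote is not IPEndPoint ip) return false;
        var addr = ip.Address.IsIPv4MappedToIPv6 ? ip.Address.MapToIPv4() : ip.Address;
        var b = addr.GetAddressBytes();
        return b.Length == 4 && b[0] == 10 && b[1] == 20;
    }
}
```

Two caveats a practitioner will hit: the callback runs for every handshake attempt before any authentication, so keep it allocation-light and free of blocking I/O (pre-load certificates, as above), and a remote IP check is only as trustworthy as the network path in front of Kestrel (behind a TCP proxy the `RemoteEndPoint` is the proxy, not the client). Delayed client certificate negotiation is TLS renegotiation, which HTTP/2 forbids; if you enable it on a listener that also advertises h2, the later `GetClientCertificateAsync` call will fail on h2 connections, which is why the admin branch narrows ALPN to HTTP/1.1.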