Implement client certificate authentication #385
Conversation
Hi @tmds, I'm your friendly neighborhood .NET Foundation Pull Request Bot (You can call me DNFBOT). Thanks for your contribution! The agreement was validated by .NET Foundation and real humans are currently evaluating your PR. TTYL, DNFBOT;
@@ -12,6 +12,11 @@ public static class HttpsApplicationBuilderExtensions | |||
{ | |||
public static IApplicationBuilder UseKestrelHttps(this IApplicationBuilder app, X509Certificate2 cert) |
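Review bot: The `UseKestrelHttps(this IApplicationBuilder app, X509Certificate2 cert)` overload carries no XML doc comment, so a caller cannot tell from the signature that it configures server-only TLS and that client-certificate settings live on the `HttpsConnectionFilterOptions` overload. Since this overload stays as the common entry point, add a `/// <summary>` that says so and points to the options overload for client certificates.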
Should I remove this in favor of the HttpsConnectionFilterOptions overload?
Not yet. This will be the most common configuration.
Issues for coreclr support:
I'm having a possibly related issue: https://github.com/dotnet/corefx/issues/4533
using Microsoft.AspNet.Server.Kestrel.Filter; | ||
|
||
namespace Microsoft.AspNet.Server.Kestrel.Https | ||
{ | ||
public class HttpsConnectionFilter : IConnectionFilter | ||
{ | ||
private readonly X509Certificate2 _cert; | ||
private readonly X509Certificate2 _serverCert; |
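Review bot: The two fields `_cert` and `_serverCert` are both `X509Certificate2`, and the name `_cert` does not say which certificate it holds, so the pair invites mixing up the server certificate with whatever `_cert` is. If the options object is not kept as a single field instead, rename `_cert` to state its purpose, or remove it if it only duplicates `_serverCert`.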
You can just store the Options object as a field rather than duplicating them all. E.g. https://github.com/aspnet/BasicMiddleware/blob/dev/src/Microsoft.AspNet.HttpOverrides/OverrideHeaderMiddleware.cs#L20
Implements some of https://github.com/aspnet/KestrelHttpServer/issues/241
{ | ||
previousPrepareRequest?.Invoke(features); | ||
|
||
if (clientCertificate != null) |
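Review bot: Because the TLS feature is only set inside `if (clientCertificate != null)`, a connection that negotiated TLS without presenting a client certificate gets no `ITlsConnectionFeature` at all, and downstream middleware cannot distinguish "TLS, no client certificate" from "not TLS". Consider setting the feature unconditionally and leaving `ClientCertificate` null in that case, and add a comment explaining why `clientCertificate` is captured from the validation callback rather than read from `SslStream.RemoteCertificate`.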
It would be nicer if the code could use SslStream.RemoteCertificate instead of this variable. But RemoteCertificate isn't the same instance as the one passed to the validation callback. The validation callback gets an X509Certificate2 while RemoteCertificate is an X509Certificate.
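The remark above relies on the runtime handing the validation callback an `X509Certificate2` instance while `SslStream.RemoteCertificate` only exposes an `X509Certificate`. The following is an added example, not code from this PR or from Kestrel, of a callback that keeps that instance and re-validates the chain against a configured CA before the connection filter exposes it through the TLS connection feature. The class `ClientCertificateCapture`, its `_trustedCa` and `_requireClientCertificate` fields, the pinned-root comparison and the client-auth EKU check are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example (not part of the PR): captures the X509Certificate2 passed to the
// validation callback, because SslStream.RemoteCertificate later yields a different
// X509Certificate instance, and applies its own validation policy.
public sealed class ClientCertificateCapture
{
    private const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    private readonly X509Certificate2 _trustedCa;       // assumption: the one CA we accept
    private readonly bool _requireClientCertificate;    // assumption: policy flag

    public X509Certificate2 ClientCertificate { get; private set; }

    public ClientCertificateCapture(X509Certificate2 trustedCa, bool requireClientCertificate)
    {
        _trustedCa = trustedCa;
        _requireClientCertificate = requireClientCertificate;
    }

    // Matches the System.Net.Security.RemoteCertificateValidationCallback signature.
    public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
        {
            // No client certificate presented: only acceptable when policy does not require one.
            return !_requireClientCertificate;
        }

        // The declared type is X509Certificate, but the runtime object is an X509Certificate2;
        // convert defensively in case that ever changes.
        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);

        // Certificates without the clientAuth EKU must not be used for client authentication.
        var eku = cert2.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku == null || !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthEkuOid))
        {
            return false;
        }

        // Build our own chain instead of trusting the chain/errors the caller computed.
        // AllowUnknownCertificateAuthority lets a private CA that is only in ExtraStore
        // build; the root is then pinned explicitly by thumbprint below.
        using (var verifyChain = new X509Chain())
        {
            verifyChain.ChainPolicy.ExtraStore.Add(_trustedCa);
            verifyChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline example
            verifyChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            if (!verifyChain.Build(cert2))
            {
                return false;
            }

            var root = verifyChain.ChainElements[verifyChain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, _trustedCa.Thumbprint, StringComparison.OrdinalIgnoreCase))
            {
                return false; // chained to some other root
            }
        }

        // Keep the validated X509Certificate2 so the connection filter can publish it.
        ClientCertificate = cert2;
        return true;
    }

    // Illustrative use inside a connection filter (serverCert and rawStream supplied by the caller).
    public static async System.Threading.Tasks.Task<SslStream> HandshakeAsync(
        System.IO.Stream rawStream, X509Certificate2 serverCert, ClientCertificateCapture capture)
    {
        var ssl = new SslStream(rawStream, leaveInnerStreamOpen: false, userCertificateValidationCallback: capture.Validate);
        await ssl.AuthenticateAsServerAsync(serverCert,
            clientCertificateRequired: true,
            enabledSslProtocols: SslProtocols.Tls12,
            checkCertificateRevocation: false);
        // After this point capture.ClientCertificate (not ssl.RemoteCertificate) is what the
        // filter would put into TlsConnectionFeature.ClientCertificate.
        return ssl;
    }
}
```

The `Validate` method deliberately ignores the `chain` and `sslPolicyErrors` arguments when a certificate is present and rebuilds the chain itself, so the decision depends only on the configured CA and the certificate's EKU; whichever object the filter later stores in `TlsConnectionFeature.ClientCertificate` should be the `X509Certificate2` that passed this check.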
@halter73 fyi, the client certificate is also working on coreclr.
@tmds can you rebase?
new TlsConnectionFeature {ClientCertificate = clientCertificate}); | ||
} | ||
|
||
features.Get<IHttpRequestFeature>().Scheme = "https"; |
This fixes #365 👍
Could you add a test to check this?
if (clientCertificate != null) | ||
{ | ||
features.Set<ITlsConnectionFeature>( | ||
new TlsConnectionFeature {ClientCertificate = clientCertificate}); |
nit, more spacing
Thanks "Master T" 😄
No problem. Thanks for your feedback.
Question - Do we have full support for WCF services, configured in a web.config using X509 certificates? I've got myself upgraded to RC1, but my WCF calls no longer work. Is there any documentation I can use? Do I need to use something other than the web.config to configure my WCF endpoints? Can you point me in the right direction or do we not have support for what I'm trying to do? Let me know what's going on: Could not find endpoint element with name '' and contract '' in the ServiceModel client configuration section. This might be because no configuration file was found for your application, or because no endpoint element matching this name could be found in the client element.
Not sure what you mean. ASP.NET 5 doesn't support WCF services.
@davidfowl Is there a way around this non-support for WCF services? I suppose we could programmatically load the endpoints. Would Kestrel work with that?
@davidfowl To clarify, we just want to call WCF endpoints. We are not actually developing WCF endpoints on ASP.NET 5. Can Kestrel support calling WCF endpoints with X509 certs (multiples)?
@Dev8063 sounds like you want the coreclr client libraries over here: https://github.com/dotnet/wcf
@benaadams We're not to the point where our app runs off of dnxcore50 (i.e. the subset meant for cloud dev). Do these work with dnx451? I wouldn't see why they would not, but just thought I'd check.
@Dev8063 you should be able to use regular libraries with the full framework; though you might want to ask in that repository or their Gitter chat.
Implement #332
Replaces #351