SslStream has a new API for controlling ciphers that Kestrel should surface.
https://github.com/dotnet/corefx/pull/36775/files#diff-bd768ea3857573965e853e2ce2563434R134
HTTP/2 requires restricting the ciphers used. Do we do this by default or leave it as an option?
@davidfowl:
it would be good if we could expose this entire type (if it makes sense) so we could avoid the property by property copy when new features are added.
Since we need to create one per connection you could expose an Action<SslServerAuthenticationOptions> to let people tweak the configuration, but it's not the simplest type to configure:
Let's add the configuration callback.
Is there an example showing how to set the cipher suites in Kestrel? We are running our .NET core service in a Linux container and would love to see how we can make our service compliant. Thanks!
@Wayne-Xiong no, the in-app feature hasn't been built yet. For now you need to configure your ciphers directly on the machine in OpenSsl.
Thanks Chris. Do we have an estimate on when we will have this feature ready? Also, do you know how to config that in OpenSSL? Is there a sample somewhere we can take a look?
This is scheduled for 3.0.0-preview6, our next milestone.
@blowdart for OpenSsl config suggestions.
AFAIK you can't configure it in OpenSSL without recompiling a custom version. Instead you'd block in nginx or apache (https://medium.com/@davetempleton/tls-configuration-cipher-suites-and-protocols-a01ee7005778)
Thanks guys. @Tratcher, when is the 3.0.0-preview6 release scheduled? Would love to understand about the timeline a little bit. Thanks!
@shirhatti for schedule questions.
when is the 3.0.0-preview6 release scheduled?
We don't commit to specific dates for individual previews, but we're currently aiming for early June for preview 6. To view our current committed timeline, see the .NET Core Roadmap.
We should look at two aspects to this:
- Action<SslThingyOptions> callback to KestrelSuperSpoopyOptions (Action<SslThingyOptions> change merged.)
- Need to experiment with the new CipherSuitesPolicy on SslServerAuthenticationOptions to see how to use it to meet the HTTP/2 spec requirements. It's unclear yet if that will be a sample, kestrel change, etc.
Notes:
https://github.com/dotnet/corefx/blob/025bb33e27b15d973e8be430a9329309ecac37d3/src/System.Net.Security/src/System/Net/Security/CipherSuitesPolicy.cs
https://github.com/dotnet/corefx/blob/025bb33e27b15d973e8be430a9329309ecac37d3/src/System.Net.Security/src/System/Net/Security/TlsCipherSuite.cs
TlsCipherSuite is an enum!
At least it's backed by well defined RFC values. You'd have to constantly update the list, but failing that you could always cast an int and it should work.
How do we enumerate available Ciphers on the machine (so we can filter out the ones prohibited by HTTP/2)? Is it sufficient to enumerate the enum values? You wouldn't get new ones without a runtime update.
CipherSuitesPolicy will filter out unsupported ones:
https://github.com/dotnet/corefx/blob/025bb33e27b15d973e8be430a9329309ecac37d3/src/System.Net.Security/src/System/Net/Security/CipherSuitesPolicyPal.Linux.cs#L57-L73
PowerShell: Get-TlsCipherSuite
Never mind, CipherSuitesPolicy isn't implemented on Windows, we can't enable anything by default.
https://github.com/dotnet/corefx/blob/025bb33e27b15d973e8be430a9329309ecac37d3/src/System.Net.Security/src/System/Net/Security/CipherSuitesPolicyPal.Windows.cs
https://github.com/dotnet/corefx/issues/24588#issuecomment-482764511
Verified the new callback in SDK 3.0.100-preview6-012234.
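Added worked example (not from this thread or from the Kestrel repo): it wires the per-connection SslServerAuthenticationOptions callback discussed above into Kestrel and answers the "how do we filter the enum values" question by building a CipherSuitesPolicy from TlsCipherSuite. It assumes the callback shipped as HttpsConnectionAdapterOptions.OnAuthenticate (the real 3.0 name; the thread only calls it Action<SslThingyOptions>), that the certificate path and password are placeholders you replace, and that the name-based filter is a constructed approximation of the RFC 7540 section 9.2.2 rule (ephemeral key exchange plus AEAD), not the exact Appendix A blacklist. CipherSuitesPolicy drops suites the local OpenSSL does not support, and it throws on Windows in this release, so the policy is only applied on Linux.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Runtime.InteropServices;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.Extensions.Hosting;

public static class Http2CipherPolicy
{
    // Constructed heuristic approximating RFC 7540 section 9.2.2: a suite is acceptable
    // for HTTP/2 only if it uses an AEAD cipher and ephemeral key exchange. TLS 1.3 suites
    // (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral key exchange and carry no
    // key-exchange token in their name, so they qualify on the AEAD check alone.
    public static bool IsHttp2Compatible(TlsCipherSuite suite)
    {
        string name = suite.ToString();
        bool aead = name.Contains("_GCM_") || name.Contains("_CCM") || name.Contains("CHACHA20_POLY1305");
        if (!aead)
        {
            return false; // CBC, RC4, NULL, etc. are non-AEAD and prohibited
        }
        bool tls13 = name.StartsWith("TLS_AES_") || name.StartsWith("TLS_CHACHA20_");
        // TLS 1.2 suites must be (EC)DHE; this excludes static RSA, DH_*, ECDH_* and plain PSK.
        bool ephemeral = name.Contains("_ECDHE_") || name.Contains("_DHE_");
        return tls13 || ephemeral;
    }

    // Enumerates every value the runtime knows about and keeps the HTTP/2-compatible ones.
    // New suites added to the RFC registry later are not in the enum until a runtime update;
    // such values can still be cast from their RFC int code and appended to this list.
    public static IReadOnlyList<TlsCipherSuite> AllowedSuites()
    {
        return Enum.GetValues(typeof(TlsCipherSuite))
            .Cast<TlsCipherSuite>()
            .Where(IsHttp2Compatible)
            .ToList();
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web =>
            {
                web.ConfigureKestrel(kestrel =>
                {
                    kestrel.ListenAnyIP(5001, listen =>
                    {
                        listen.Protocols = HttpProtocols.Http1AndHttp2;
                        // Placeholder certificate file and password; replace with your own.
                        listen.UseHttps("server.pfx", "PLACEHOLDER_PFX_PASSWORD", https =>
                        {
                            // Runs once per connection with the SslServerAuthenticationOptions
                            // Kestrel is about to hand to SslStream, so we can set the policy here.
                            https.OnAuthenticate = (connectionContext, sslOptions) =>
                            {
                                // CipherSuitesPolicy is only implemented on the OpenSSL backend in
                                // this release; constructing it on Windows throws, so skip there.
                                if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
                                {
                                    sslOptions.CipherSuitesPolicy =
                                        new CipherSuitesPolicy(Http2CipherPolicy.AllowedSuites());
                                }
                            };
                        });
                    });
                });
                web.Configure(app => app.Run(ctx => ctx.Response.WriteAsync("ok")));
            })
            .Build()
            .Run();
    }
}
```

To check what the server actually offers after this change, point a TLS scanner or `openssl s_client -cipher` at port 5001 from another host; anything not in AllowedSuites() (or not supported by the local OpenSSL, which CipherSuitesPolicy silently drops) should fail to negotiate.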