What is the equivalent to this in 2.0?
whb.UseKestrel(options =>
{
    var httpsOptions = new HttpsConnectionFilterOptions();
    httpsOptions.ServerCertificate = certificate;
    httpsOptions.ClientCertificateMode = ClientCertificateMode.AllowCertificate;
    httpsOptions.SslProtocols = System.Security.Authentication.SslProtocols.Tls;
    options.UseHttps(httpsOptions);
})
The functional tests use a constructor that is marked internal so I can't use it.
Is this the correct code for 2.0?
whb.UseStartup<Startup>()
    .UseKestrel(options =>
    {
        options.Listen(new IPEndPoint(IPAddress.Loopback, 4430), listenOptions =>
        {
            var httpsConnectionAdapterOptions = new HttpsConnectionAdapterOptions()
            {
                ClientCertificateMode = ClientCertificateMode.AllowCertificate,
                SslProtocols = System.Security.Authentication.SslProtocols.Tls,
                ServerCertificate = certificate
            };
            listenOptions.UseHttps(httpsConnectionAdapterOptions);
        });
    })
@xavierjohn The code in your second comment looks correct. aspnet/Announcements#212 goes into more detail about the breaking change.
Thanks.
Pretty big change... felt like I had to rewrite my Certificate Based Auth middleware
https://github.com/xavierjohn/ClientCertificateMiddleware/pull/1/files
The code changes in that PR look mostly related to the auth changes. Btw that's a nice auth handler. I wonder if it should be in the box (or something like it)
I think it should be in the box. Most of the services in Microsoft use Certificate based AuthZ to talk to other services.
@xavierjohn Can you file a feature request on https://github.com/aspnet/Security
There is this request https://github.com/aspnet/Security/issues/1118
@halter73 @davidfowl
Are there any additional actions required to make it work with IIS?
After migrating to 2.0, the cert selection window does not show up when running behind IIS.
My configuration:
var host = new WebHostBuilder()
    .UseKestrel(options =>
    {
        options.Listen(new IPEndPoint(IPAddress.Loopback, 443), listenOptions =>
        {
            var certOptions = new HttpsConnectionAdapterOptions()
            {
                ClientCertificateMode = ClientCertificateMode.AllowCertificate,
                CheckCertificateRevocation = false,
                ClientCertificateValidation = (certificate2, chain, arg3) => true,
                ServerCertificate = cert
            };
            listenOptions.UseHttps(certOptions);
        });
    })
    .UseContentRoot(Directory.GetCurrentDirectory())
    .UseSetting("detailedErrors", "true")
    .UseIISIntegration()
    .UseUrls("https://*:443")
    .UseStartup<Startup>()
    .CaptureStartupErrors(true)
    .Build();
host.Run();
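The ClientCertificateValidation callback in the configuration above returns true for every certificate and revocation checking is switched off, so any client that presents some certificate reaches the app with a "validated" cert. As an added example (not code from this thread or from the Kestrel project), here is the same Kestrel 2.0 Listen/UseHttps shape with a callback that rejects chain errors and pins the chain root to an assumed issuer thumbprint; the thumbprint placeholder and the Startup class are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;

public static class KestrelClientCertHost
{
    // Assumed value: thumbprint (hex) of the CA you actually issue client certs from; replace before use.
    const string TrustedRootThumbprint = "<TRUSTED-ROOT-THUMBPRINT-PLACEHOLDER>";

    // Replaces the "(certificate2, chain, arg3) => true" callback: same delegate signature, real checks.
    public static bool ValidateClientCertificate(X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        // SslStream already built the chain (with revocation when CheckCertificateRevocation is on); any reported problem is a rejection.
        if (errors != SslPolicyErrors.None || cert == null || chain == null || chain.ChainElements.Count == 0)
            return false;

        // Pin the chain root: a valid chain to some other CA in the machine store is still a rejection.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, TrustedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;

        // Validity window, checked explicitly so an expired cert never reaches the auth middleware.
        var now = DateTime.Now;
        return cert.NotBefore <= now && now <= cert.NotAfter;
    }

    // Self-host only: behind IIS these options do not apply and IIS must request the client cert.
    public static IWebHost Build(X509Certificate2 serverCertificate)
    {
        return new WebHostBuilder()
            .UseKestrel(options =>
            {
                options.Listen(new IPEndPoint(IPAddress.Loopback, 4430), listenOptions =>
                {
                    listenOptions.UseHttps(new HttpsConnectionAdapterOptions
                    {
                        ServerCertificate = serverCertificate,
                        // RequireCertificate fails the handshake when no cert is sent; with AllowCertificate
                        // (as in the thread) the auth middleware must also check that a cert is present.
                        ClientCertificateMode = ClientCertificateMode.RequireCertificate,
                        CheckCertificateRevocation = true, // the configuration above turned this off
                        ClientCertificateValidation = ValidateClientCertificate
                    });
                });
            })
            .UseStartup<Startup>() // assumed: the application's Startup class referenced in the thread
            .Build();
    }
}
```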
None of the HttpsConnectionAdapterOptions settings apply when using IIS (this is not new for 2.0). IIS terminates the tls connection and forwards the request to Kestrel using http. You'll need to configure the client cert settings in IIS. IIS/ANCM will also forward the cert.
@Tratcher
Indeed, after switching to ClientCertificates: Accept, the cert dialog window shows up.
But now I'm a little bit confused because I've never touched these settings before and it was all good on 1.1.2 all the time.
I reverted the changes back to 1.1.2, set ClientCertificates: Ignore and published the project: no cert dialog. Tried to reproduce all the steps that I performed a long time ago twice: no luck. So probably there was some local issue with my IIS that forwarded the client cert despite the SSL settings.
Thanks for your help!
@Tratcher Am I right in saying that UseHttps is only needed when running as a self-hosted app?
Update
Please disregard my last comment. Just tried commenting out the Kestrel configuration code and published locally / on Azure: all good.
Yes, UseHttps is only for self host.