feat: tls jobs comparing http.sys win vs kestrel linux (#2037)

Author: DeagleGross

build/job-variables.yml

@@ -65,6 +65,8 @@ variables:
   value: --config https://raw.githubusercontent.com/aspnet/Benchmarks/main/scenarios/json.benchmarks.yml
 - name: antiforgeryJobs
   value: --config https://raw.githubusercontent.com/aspnet/Benchmarks/main/scenarios/antiforgery.benchmarks.yml  
+- name: tlsJobs
+  value: --config https://raw.githubusercontent.com/aspnet/Benchmarks/main/scenarios/tls.benchmarks.yml  
 - name: goldilocksJobs
   value: --config https://raw.githubusercontent.com/aspnet/Benchmarks/main/scenarios/goldilocks.benchmarks.yml
 - name: monoJobs

build/trend-scenarios.yml

@@ -100,6 +100,23 @@ parameters:
   - displayName: Antiforgery Token Generation
     arguments: --scenario antiforgery-generation $(antiforgeryJobs) --property scenario=AntiforgeryTokenGeneration
 
+# TLS
+
+  - displayName: "HttpSys Windows: TLS Handshakes"
+    arguments: --scenario tls-handshakes-httpsys $(tlsJobs) --property scenario=HttpSysTLSHandshakes --application.options.requiredOperatingSystem windows
+
+  - displayName: "HttpSys Windows: mTLS Handshakes"
+    arguments: --scenario mTls-handshakes-httpsys $(tlsJobs) --property scenario=HttpSysMutualTLSHandshakes --application.options.requiredOperatingSystem windows
+
+  - displayName: "Kestrel Linux: TLS Handshakes"
+    arguments: --scenario tls-handshakes-kestrel $(tlsJobs) --property scenario=KestrelTLSHandshakes --application.options.requiredOperatingSystem linux
+    
+  - displayName: "Kestrel Linux: mTLS Handshakes"
+    arguments: --scenario mTls-handshakes-kestrel $(tlsJobs) --property scenario=KestrelMutualTLSHandshakes --application.options.requiredOperatingSystem linux
+
+  - displayName: "Kestrel Linux: TLS Renegotiation"
+    arguments: --scenario tls-renegotiation-kestrel $(tlsJobs) --property scenario=KestrelTLSRenegotiation --application.options.requiredOperatingSystem linux
+
 steps:
 - ${{ each s in parameters.scenarios }}:
   - task: PublishToAzureServiceBus@2

scenarios/tls.benchmarks.yml

@@ -0,0 +1,111 @@
+imports:
+  - https://raw.githubusercontent.com/dotnet/crank/main/src/Microsoft.Crank.Jobs.Wrk/wrk.yml
+  - https://raw.githubusercontent.com/dotnet/crank/main/src/Microsoft.Crank.Jobs.Bombardier/bombardier.yml
+  - https://raw.githubusercontent.com/dotnet/crank/main/src/Microsoft.Crank.Jobs.HttpClient/httpclient.yml
+  - https://github.com/aspnet/Benchmarks/blob/main/scenarios/aspnet.profiles.yml?raw=true
+
+variables:
+  serverPort: 5000
+
+jobs:
+  httpSysServer:
+    source:
+      repository: https://github.com/aspnet/benchmarks.git
+      branchOrCommit: main
+      project: src/BenchmarksApps/TLS/HttpSys/HttpSys.csproj
+    readyStateText: Application started.
+    variables:
+      mTLS: false
+      certValidationConsoleEnabled: false
+      statsEnabled: false
+    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}}"
+
+  kestrelServer:
+    source:
+      repository: https://github.com/aspnet/benchmarks.git
+      branchOrCommit: main
+      project: src/BenchmarksApps/TLS/Kestrel/Kestrel.csproj
+    readyStateText: Application started.
+    variables:
+      mTLS: false
+      tlsRenegotiation: false
+      certValidationConsoleEnabled: false
+      statsEnabled: false
+    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}}"
+
+scenarios:
+
+# HTTP.SYS
+
+  tls-handshakes-httpsys:
+    application:
+      job: httpSysServer
+    load:
+      job: wrk
+      variables:
+        path: /hello-world
+        presetHeaders: connectionclose
+        connections: 32
+        serverScheme: https
+
+  mTls-handshakes-httpsys:
+    application:
+      job: httpSysServer
+      variables:
+        mTLS: true
+        certValidationConsoleEnabled: false # only for debug purposes
+    load:
+      job: httpclient
+      variables:
+        path: /hello-world
+        presetHeaders: connectionclose
+        connections: 32
+        serverScheme: https
+        certPath: https://raw.githubusercontent.com/aspnet/Benchmarks/refs/heads/main/src/BenchmarksApps/TLS/HttpSys/testCert.pfx
+        certPwd: testPassword
+
+# Kestrel
+  
+  tls-handshakes-kestrel:
+    application:
+      job: kestrelServer
+    load:
+      job: wrk
+      variables:
+        path: /hello-world
+        presetHeaders: connectionclose
+        connections: 32
+        serverScheme: https
+
+  mTls-handshakes-kestrel:
+    application:
+      job: kestrelServer
+      variables:
+        mTLS: true
+        certValidationConsoleEnabled: false # only for debug purposes
+    load:
+      job: httpclient
+      variables:
+        path: /hello-world
+        presetHeaders: connectionclose
+        connections: 32
+        serverScheme: https
+        certPath: https://raw.githubusercontent.com/aspnet/Benchmarks/refs/heads/main/src/BenchmarksApps/TLS/Kestrel/testCert.pfx
+        certPwd: testPassword
+
+  tls-renegotiation-kestrel:
+    application:
+      job: kestrelServer
+      variables:
+        mTLS: false
+        tlsRenegotiation: true
+        certValidationConsoleEnabled: false # only for debug purposes
+    load:
+      job: httpclient
+      variables:
+        path: /hello-world
+        presetHeaders: connectionclose
+        connections: 32
+        serverScheme: https
+        certPath: https://raw.githubusercontent.com/aspnet/Benchmarks/refs/heads/main/src/BenchmarksApps/TLS/Kestrel/testCert.pfx
+        certPwd: testPassword

src/BenchmarksApps.sln

@@ -66,6 +66,12 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Json", "BenchmarksApps\Json
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Antiforgery", "BenchmarksApps\Antiforgery\Antiforgery.csproj", "{38AEFB02-3AE4-4E01-8FF9-FF09797C5853}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "TLS", "TLS", "{02EA681E-C7D8-13C7-8484-4AC65E1B71E8}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HttpSys", "BenchmarksApps\TLS\HttpSys\HttpSys.csproj", "{455942DF-6C8E-4054-AF1D-41A10BE1466F}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Kestrel", "BenchmarksApps\TLS\Kestrel\Kestrel.csproj", "{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug_Database|Any CPU = Debug_Database|Any CPU
@@ -258,6 +264,22 @@ Global
 		{38AEFB02-3AE4-4E01-8FF9-FF09797C5853}.Release_Database|Any CPU.Build.0 = Release_Database|Any CPU
 		{38AEFB02-3AE4-4E01-8FF9-FF09797C5853}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{38AEFB02-3AE4-4E01-8FF9-FF09797C5853}.Release|Any CPU.Build.0 = Release|Any CPU
+		{455942DF-6C8E-4054-AF1D-41A10BE1466F}.Debug_Database|Any CPU.ActiveCfg = Debug_Database|Any CPU
+		{455942DF-6C8E-4054-AF1D-41A10BE1466F}.Debug_Database|Any CPU.Build.0 = Debug_Database|Any CPU
+		{455942DF-6C8E-4054-AF1D-41A10BE1466F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{455942DF-6C8E-4054-AF1D-41A10BE1466F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{455942DF-6C8E-4054-AF1D-41A10BE1466F}.Release_Database|Any CPU.ActiveCfg = Release_Database|Any CPU
+		{455942DF-6C8E-4054-AF1D-41A10BE1466F}.Release_Database|Any CPU.Build.0 = Release_Database|Any CPU
+		{455942DF-6C8E-4054-AF1D-41A10BE1466F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{455942DF-6C8E-4054-AF1D-41A10BE1466F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2}.Debug_Database|Any CPU.ActiveCfg = Debug_Database|Any CPU
+		{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2}.Debug_Database|Any CPU.Build.0 = Debug_Database|Any CPU
+		{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2}.Release_Database|Any CPU.ActiveCfg = Release_Database|Any CPU
+		{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2}.Release_Database|Any CPU.Build.0 = Release_Database|Any CPU
+		{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -273,6 +295,8 @@ Global
 		{3D2573DE-CE7A-4CB8-A980-8C8636EE059E} = {398A40DA-FE1D-4B4D-A580-A33E29885553}
 		{31B61CD7-4CF6-464F-B418-04C700A17CB9} = {6A69DE6C-07A6-4ABE-A4D2-0F983A33BBF8}
 		{D6616E03-A2DA-4929-AD28-595ECC4C004D} = {B6DB234C-8F80-4160-B95D-D70AFC444A3D}
+		{455942DF-6C8E-4054-AF1D-41A10BE1466F} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
+		{291DCDF7-4B7C-D687-A62B-9DF7DF50F2F2} = {02EA681E-C7D8-13C7-8484-4AC65E1B71E8}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {117072DC-DE12-4F74-90CA-692FA2BE8DCB}

src/BenchmarksApps/TLS/HttpSys/HttpSys.csproj

@@ -0,0 +1,9 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net9.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+</Project>

src/BenchmarksApps/TLS/HttpSys/HttpSys.http

@@ -0,0 +1,10 @@
+@HttpSys_HostAddress_Http = http://localhost:5001
+@HttpSys_HostAddress_Https = https://localhost:5000
+
+GET {{HttpSys_HostAddress_Https}}/hello-world
+
+###
+
+GET {{HttpSys_HostAddress_Http}}/hello-world  
+
+###

src/BenchmarksApps/TLS/HttpSys/Program.cs

@@ -0,0 +1,92 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Server.HttpSys;
+
+var builder = WebApplication.CreateBuilder(args);
+builder.Logging.ClearProviders();
+
+var writeCertValidationEventsToConsole = bool.TryParse(builder.Configuration["certValidationConsoleEnabled"], out var certValidationConsoleEnabled) && certValidationConsoleEnabled;
+var statsEnabled = bool.TryParse(builder.Configuration["statsEnabled"], out var connectionStatsEnabledConfig) && connectionStatsEnabledConfig;
+var mTlsEnabled = bool.TryParse(builder.Configuration["mTLS"], out var mTlsEnabledConfig) && mTlsEnabledConfig;
+var listeningEndpoints = builder.Configuration["urls"] ?? "https://localhost:5000/";
+
+#pragma warning disable CA1416 // Can be launched only on Windows (HttpSys)
+builder.WebHost.UseHttpSys(options =>
+{
+    // meaning client can send a certificate, but it can be explicitly requested by server as well (renegotiation)
+    options.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation;
+});
+#pragma warning restore CA1416 // Can be launched only on Windows (HttpSys)
+
+var app = builder.Build();  
+
+app.MapGet("/hello-world", () =>
+{
+    return Results.Ok("Hello World!");
+});
+
+var connectionIds = new HashSet<string>();
+var fetchedCertsCounter = 0;
+
+if (statsEnabled)
+{
+    Console.WriteLine("Registered stats middleware");
+    app.Use(async (context, next) =>
+    {
+        connectionIds.Add(context.Connection.Id);
+        Console.WriteLine($"[stats] unique connections established: {connectionIds.Count}; fetched certificates: {fetchedCertsCounter}");
+
+        await next();
+    });
+}
+
+if (mTlsEnabled)
+{
+    // this is an http.sys middleware to get a cert
+    Console.WriteLine("Registered client cert validation middleware");
+
+    app.Use(async (context, next) => {
+        var clientCert = context.Connection.ClientCertificate;
+        if (clientCert is null)
+        {
+            if (writeCertValidationEventsToConsole)
+            {
+                Console.WriteLine($"No client certificate provided. Fetching for connection {context.Connection.Id}");
+            }
+
+            clientCert = await context.Connection.GetClientCertificateAsync(CancellationToken.None);
+            Interlocked.Increment(ref fetchedCertsCounter);
+        }
+        else
+        {
+            if (writeCertValidationEventsToConsole)
+            {
+                Console.WriteLine($"client certificate ({clientCert.Thumbprint}) already exists on the connection {context.Connection.Id}");
+            }
+        }
+
+        // we have a client cert here, and lets imagine we do the validation here
+        // if (clientCert.Thumbprint != "1234567890") throw new NotImplementedException();
+
+        await next();
+    });
+}
+
+await app.StartAsync();
+Console.WriteLine("Application Info:");
+if (mTlsEnabled)
+{
+    Console.WriteLine($"\tmTLS is enabled (client cert is required)");
+}
+if (writeCertValidationEventsToConsole)
+{
+    Console.WriteLine($"\tenabled logging certificate validation events to console");
+}
+if (statsEnabled)
+{
+    Console.WriteLine($"\tenabled logging stats to console");
+}
+Console.WriteLine($"\tlistening endpoints: {listeningEndpoints}");
+Console.WriteLine("--------------------------------");
+
+Console.WriteLine("Application started.");
+await app.WaitForShutdownAsync();

src/BenchmarksApps/TLS/HttpSys/Properties/launchSettings.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "http://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "launchUrl": "hello-world",
+      "applicationUrl": "https://localhost:5000;http://localhost:5001",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

src/BenchmarksApps/TLS/HttpSys/appsettings.Development.json

@@ -0,0 +1,10 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "mTLS": "true",
+  "certValidationConsoleEnabled": "true"
+}

src/BenchmarksApps/TLS/HttpSys/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}