pre-configure properly!

Author: DeagleGross

src/BenchmarksApps/TLS/HttpSys/NetShWrapper.cs renamed to src/BenchmarksApps/TLS/HttpSys/NetSh/NetShWrapper.cs

@@ -1,9 +1,8 @@
 using System.Diagnostics;
 using System.Security.Cryptography.X509Certificates;
 using System.Text.RegularExpressions;
-using HttpSys.NetSh;
 
-namespace HttpSys
+namespace HttpSys.NetSh
 {
     public class NetShWrapper
     {
@@ -41,17 +40,17 @@ public void DeleteBindingIfExists(string ipPort)
             {
                 DeleteBinding(ipPort);
             }
-            catch
+            catch (Exception ex)
             {
-                // ignore
+                Console.WriteLine($"Failed to delete binding on port {ipPort}: " + ex);
             }
         }
 
         public void DeleteBinding(string ipPort)
         {
             Console.WriteLine("Disabling mTLS for http.sys");
 
-            string command = $"http delete sslcert ipport={ipPort}";
+            var command = $"http delete sslcert ipport={ipPort}";
             ExecuteNetShCommand(command);
 
             Console.WriteLine("Disabled http.sys settings for mTLS");
@@ -168,23 +167,23 @@ public void SetTestCertBinding(string ipPort, bool enableClientCertNegotiation)
                 store.Close();
             }
 
-            string certThumbprint = certificate.Thumbprint;
+            var certThumbprint = certificate.Thumbprint;
             AddCertBinding(ipPort, certThumbprint, clientCertNegotiation: enableClientCertNegotiation ? NetShFlag.Enable : NetShFlag.Disabled);
 
             Console.WriteLine("Configured binding for testCert for http.sys");
         }
 
-        public bool TrySelfSignCertificate(string ipPort, out string certThumbprint)
+        public bool TrySelfSignCertificate(string ipPort, int certPublicKeyLength, out string certThumbprint)
         {
             certThumbprint = string.Empty;
             try
             {
                 // Extract the IP address from ipPort
-                string ipAddress = ipPort.Split(':')[0];
+                var ipAddress = ipPort.Split(':')[0];
 
                 // Generate a self-signed certificate using PowerShell
-                string command = $"New-SelfSignedCertificate -CertStoreLocation cert:\\LocalMachine\\My -DnsName {ipAddress}";
-                string output = ExecutePowershellCommand(command);
+                var command = $"New-SelfSignedCertificate -CertStoreLocation cert:\\LocalMachine\\My -DnsName {ipAddress} -KeyAlgorithm RSA -KeyLength {certPublicKeyLength}";
+                var output = ExecutePowershellCommand(command);
 
                 // Extract the thumbprint from the output
                 var lines = output.Split("\r\n", StringSplitOptions.RemoveEmptyEntries);
@@ -241,7 +240,7 @@ private void CertBindingCore(
             var clientcertnegotiationFlag = GetFlagValue(clientcertnegotiation);
             var disablesessionidFlag = GetFlagValue(disablesessionid);
             var enablesessionticketFlag = GetFlagValue(enablesessionticket);
-            string command = $"http {httpOperation} sslcert ipport={ipPort} certstorename=MY certhash={certThumbprint} appid={{{appId}}}";
+            var command = $"http {httpOperation} sslcert ipport={ipPort} certstorename=MY certhash={certThumbprint} appid={{{appId}}}";
 
             if (clientcertnegotiationFlag != null)
             {
@@ -280,7 +279,7 @@ private static string ExecuteNetShCommand(string command, bool ignoreErrorExit =
 
         private static string ExecuteCommand(string fileName, string command, bool ignoreErrorExit = false, bool logOutput = false)
         {
-            ProcessStartInfo processInfo = new ProcessStartInfo(fileName, command)
+            var processInfo = new ProcessStartInfo(fileName, command)
             {
                 RedirectStandardOutput = true,
                 RedirectStandardError = true,
@@ -289,8 +288,8 @@ private static string ExecuteCommand(string fileName, string command, bool ignor
             };
 
             Console.WriteLine($"Executing command: `{fileName} {command}`");
-            using Process process = Process.Start(processInfo)!;
-            string output = process.StandardOutput.ReadToEnd();
+            using var process = Process.Start(processInfo)!;
+            var output = process.StandardOutput.ReadToEnd();
             process.WaitForExit();
 
             if (logOutput)

src/BenchmarksApps/TLS/HttpSys/NetSh/NetshConfigurator.cs

@@ -0,0 +1,58 @@
+namespace HttpSys.NetSh
+{
+    public static class NetshConfigurator
+    {
+        private static readonly NetShWrapper _netshWrapper = new();
+        private static string _certThumbprint;
+
+        public static SslCertBinding PreConfigureNetsh(
+            string httpsIpPort,
+            int certPublicKeyLength = 2048,
+            NetShFlag clientCertNegotiation = NetShFlag.Disabled,
+            NetShFlag disablesessionid = NetShFlag.Enable,
+            NetShFlag enableSessionTicket = NetShFlag.Disabled)
+        {
+            // we will anyway reconfigure the netsh certificate binding, so we can delete it firstly
+            _netshWrapper.DeleteBindingIfExists(httpsIpPort);
+
+            if (_netshWrapper.TryGetSslCertBinding(httpsIpPort, out var sslCertBinding))
+            {
+                throw new NetshException($"Binding already exists ({httpsIpPort}). It was unable to be deleted, and run can not proceed without proper configuration. SslCertBinding: " + sslCertBinding);
+            }
+
+            if (!_netshWrapper.TrySelfSignCertificate(httpsIpPort, certPublicKeyLength, out _certThumbprint))
+            {
+                throw new ApplicationException($"Failed to setup ssl binding for '{httpsIpPort}'. Please unblock the VM.");
+            }
+
+            _netshWrapper.AddCertBinding(
+                httpsIpPort,
+                _certThumbprint,
+                disablesessionid: disablesessionid,
+                enablesessionticket: enableSessionTicket,
+                clientCertNegotiation: clientCertNegotiation);
+
+            if (!_netshWrapper.TryGetSslCertBinding(httpsIpPort, out sslCertBinding))
+            {
+                throw new NetshException($"Failed to setup ssl binding for '{httpsIpPort}'. Please unblock the VM.");
+            }
+
+            return sslCertBinding;
+        }
+
+        public static void LogCurrentSslCertBinding(string httpsIpPort) => _netshWrapper.LogSslCertBinding(httpsIpPort);
+
+        public static void ResetNetshConfiguration(
+            string httpsIpPort,
+            int certPublicKeyLength = 4096)
+        {
+            _netshWrapper.DeleteBindingIfExists(httpsIpPort);
+            _netshWrapper.AddCertBinding(
+                httpsIpPort,
+                _certThumbprint,
+                disablesessionid: NetShFlag.NotSet,
+                enablesessionticket: NetShFlag.NotSet,
+                clientCertNegotiation: NetShFlag.NotSet);
+        }
+    }
+}

src/BenchmarksApps/TLS/HttpSys/NetSh/NetshException.cs

@@ -0,0 +1,18 @@
+namespace HttpSys.NetSh
+{
+    public class NetshException : Exception
+    {
+        public NetshException(string message) : base(message)
+        {
+        }
+        public NetshException(string message, Exception innerException) : base(message, innerException)
+        {
+        }
+        public NetshException(string message, string command) : base($"{message} Command: {command}")
+        {
+        }
+        public NetshException(string message, string command, Exception innerException) : base($"{message} Command: {command}", innerException)
+        {
+        }
+    }
+}

src/BenchmarksApps/TLS/HttpSys/Program.cs

@@ -10,6 +10,8 @@
 // behavioral
 var mTlsEnabled = bool.TryParse(builder.Configuration["mTLS"], out var mTlsEnabledConfig) && mTlsEnabledConfig;
 var tlsRenegotiationEnabled = bool.TryParse(builder.Configuration["tlsRenegotiation"], out var tlsRenegotiationEnabledConfig) && tlsRenegotiationEnabledConfig;
+var certPublicKeySpecified = int.TryParse(builder.Configuration["certPublicKeyLength"], out var certPublicKeyConfig);
+var certPublicKeyLength = certPublicKeySpecified ? certPublicKeyConfig : 2048;
 var listeningEndpoints = builder.Configuration["urls"] ?? "https://localhost:5000/";
 var httpsIpPort = listeningEndpoints.Split(";").First(x => x.Contains("https")).Replace("https://", "");
 
@@ -18,45 +20,12 @@
 var statsEnabled = bool.TryParse(builder.Configuration["statsEnabled"], out var connectionStatsEnabledConfig) && connectionStatsEnabledConfig;
 var logRequestDetails = bool.TryParse(builder.Configuration["logRequestDetails"], out var logRequestDetailsConfig) && logRequestDetailsConfig;
 
-var mTLSNetShFlag = mTlsEnabled ? NetShFlag.Enable : NetShFlag.Disabled;
-
-var netshWrapper = new NetShWrapper();
-
-// verify there is an netsh http sslcert binding for specified ip:port
-if (!netshWrapper.TryGetSslCertBinding(httpsIpPort, out var sslCertBinding))
-{
-    Console.WriteLine($"No binding existed. Need to self-sign it and bind to '{httpsIpPort}'");
-    if (!netshWrapper.TrySelfSignCertificate(httpsIpPort, out var originalCertThumbprint))
-    {
-        throw new ApplicationException($"Failed to setup ssl binding for '{httpsIpPort}'. Please unblock the VM.");
-    }
-    netshWrapper.AddCertBinding(
-        httpsIpPort,
-        originalCertThumbprint,
-        disablesessionid: NetShFlag.Enable,
-        enablesessionticket: NetShFlag.Disabled,
-        clientCertNegotiation: mTLSNetShFlag);
-}
-
-Console.WriteLine("Current netsh ssl certificate binding: \n" + sslCertBinding);
-
-if (
-    // those flags can be set only on later versions of HTTP.SYS; so only considering mTLS here
-    (netshWrapper.SupportsDisableSessionId && sslCertBinding.DisableSessionIdTlsResumption != NetShFlag.Enable)
-    || (netshWrapper.SupportsEnableSessionTicket && (sslCertBinding.EnableSessionTicketTlsResumption == NetShFlag.Enable))
-    || sslCertBinding.NegotiateClientCertificate != mTLSNetShFlag)
-{
-    Console.WriteLine($"Need to prepare ssl-cert binding for the run.");
-    Console.WriteLine($"Expected configuration: mTLS={mTLSNetShFlag}; disableSessionId={NetShFlag.Enable}; enableSessionTicket={NetShFlag.Disabled}");
-
-    netshWrapper.UpdateCertBinding(
-        httpsIpPort,
-        sslCertBinding.CertificateThumbprint,
-        appId: sslCertBinding.ApplicationId,
-        disablesessionid: NetShFlag.Enable,
-        enablesessionticket: NetShFlag.Disabled,
-        clientCertNegotiation: mTLSNetShFlag);
-}
+var sslCertConfiguration = NetshConfigurator.PreConfigureNetsh(
+    httpsIpPort,
+    certPublicKeyLength: certPublicKeyLength,
+    clientCertNegotiation: mTlsEnabled ? NetShFlag.Enable : NetShFlag.Disabled,
+    disablesessionid: NetShFlag.Enable,
+    enableSessionTicket: NetShFlag.Disabled);
 
 #pragma warning disable CA1416 // Can be launched only on Windows (HttpSys)
 builder.WebHost.UseHttpSys(options =>
@@ -143,7 +112,7 @@
 
 await app.StartAsync();
 
-netshWrapper.LogSslCertBinding(httpsIpPort);
+NetshConfigurator.LogCurrentSslCertBinding(httpsIpPort);
 
 Console.WriteLine("Application Info:");
 if (mTlsEnabled)
@@ -165,11 +134,6 @@
 await app.WaitForShutdownAsync();
 Console.WriteLine("Application stopped.");
 
-if (netshWrapper.TryGetSslCertBinding(httpsIpPort, out sslCertBinding) && mTLSNetShFlag == NetShFlag.Enable)
-{
-    // update the sslCert binding to disable "negotiate client cert" (aka mTLS) to not break other tests.
-    Console.WriteLine($"Rolling back mTLS setting for sslCert binding at '{httpsIpPort}'");
-
-    sslCertBinding.NegotiateClientCertificate = NetShFlag.Disabled;
-    netshWrapper.UpdateCertBinding(httpsIpPort, sslCertBinding);
-}
+Console.WriteLine("Starting netsh rollback configuration...");
+NetshConfigurator.ResetNetshConfiguration(httpsIpPort, certPublicKeyLength: 4096); // a default value
+Console.WriteLine($"Reset netsh (ipport={httpsIpPort}) completed.");