Merge branch 'aspnet:main' into main

Author: DeagleGross

build/trend-scenarios.yml

@@ -108,6 +108,9 @@ parameters:
   - displayName: "HttpSys Windows: mTLS Handshakes"
     arguments: --scenario mTls-handshakes-httpsys $(tlsJobs) --property scenario=HttpSysMutualTLSHandshakes --application.options.requiredOperatingSystem windows
 
+  - displayName: "HttpSys Windows: TLS Renegotiation"
+    arguments: --scenario tls-renegotiation-httpsys $(tlsJobs) --property scenario=HttpSysTLSRenegotiation --application.options.requiredOperatingSystem windows
+
   - displayName: "Kestrel Linux: TLS Handshakes"
     arguments: --scenario tls-handshakes-kestrel $(tlsJobs) --property scenario=KestrelTLSHandshakes --application.options.requiredOperatingSystem linux
 

scenarios/tls.benchmarks.yml

@@ -15,10 +15,12 @@ jobs:
       project: src/BenchmarksApps/TLS/HttpSys/HttpSys.csproj
     readyStateText: Application started.
     variables:
-      mTLS: false
+      mTLS: false # enables settings on http.sys to negotiate client cert on connections
+      tlsRenegotiation: false # enables client cert validation
       certValidationConsoleEnabled: false
+      httpSysLogs: false
       statsEnabled: false
-    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}}"
+    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}} --httpSysLogs {{httpSysLogs}}"
 
   kestrelServer:
     source:
@@ -52,7 +54,29 @@ scenarios:
     application:
       job: httpSysServer
       variables:
-        mTLS: true
+        mTLS: true # enables settings on http.sys to negotiate client cert on connections
+        tlsRenegotiation: true # enables client cert validation
+        httpSysLogs: false # only for debug purposes
+        certValidationConsoleEnabled: false # only for debug purposes
+        serverPort: 8080 # IMPORTANT: not to intersect with other tests in case http.sys configuration impacts other benchmarks
+    load:
+      job: httpclient
+      variables:
+        serverPort: 8080 # in sync with server
+        path: /hello-world
+        presetHeaders: connectionclose
+        connections: 32
+        serverScheme: https
+        certPath: https://raw.githubusercontent.com/aspnet/Benchmarks/refs/heads/main/src/BenchmarksApps/TLS/HttpSys/testCert.pfx
+        certPwd: testPassword
+
+  tls-renegotiation-httpsys:
+    application:
+      job: httpSysServer
+      variables:
+        mTLS: false
+        tlsRenegotiation: true
+        httpSysLogs: false # only for debug purposes
         certValidationConsoleEnabled: false # only for debug purposes
     load:
       job: httpclient

src/BenchmarksApps/Grpc/BasicGoServer/go.mod

@@ -8,8 +8,7 @@ require (
 )
 
 require (
-	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e // indirect

src/BenchmarksApps/Grpc/BasicGoServer/go.sum

@@ -1,14 +1,10 @@
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e h1:Elxv5MwEkCI9f5SkoL6afed6NTdxaGoAo39eANBwHL8=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=

src/BenchmarksApps/Grpc/GoClient/go.mod

@@ -8,8 +8,7 @@ require (
 )
 
 require (
-	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d // indirect

src/BenchmarksApps/Grpc/GoClient/go.sum

@@ -1,15 +1,9 @@
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d h1:JU0iKnSg02Gmb5ZdV8nYsKEKsP6o/FGVWTrw4i1DA9A=

src/BenchmarksApps/TLS/HttpSys/HttpSys.csproj

@@ -6,4 +6,10 @@
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
 
+  <ItemGroup>
+    <None Update="testCert.pfx">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+
 </Project>

src/BenchmarksApps/TLS/HttpSys/NetShWrapper.cs

@@ -0,0 +1,89 @@
+using System.Diagnostics;
+using System.Security.Cryptography.X509Certificates;
+
+namespace HttpSys
+{
+    public static class NetShWrapper
+    {
+        public static void DisableHttpSysMutualTlsIfExists(string ipPort)
+        {
+            try
+            {
+                DisableHttpSysMutualTls(ipPort);
+            }
+            catch
+            {
+                // ignore
+            }
+        }
+
+        public static void DisableHttpSysMutualTls(string ipPort)
+        {
+            Console.WriteLine("Disabling mTLS for http.sys");
+
+            string command = $"http delete sslcert ipport={ipPort}";
+            ExecuteNetShCommand(command);
+
+            Console.WriteLine("Disabled http.sys settings for mTLS");
+        }
+
+        public static void Show()
+        {
+            ExecuteNetShCommand("http show sslcert", alwaysLogOutput: true);
+        }
+
+        public static void EnableHttpSysMutualTls(string ipPort)
+        {
+            Console.WriteLine("Setting up mTLS for http.sys");
+
+            var certificate = LoadCertificate();
+            Console.WriteLine("Loaded `testCert.pfx` from local file system");
+            using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
+            {
+                store.Open(OpenFlags.ReadWrite);
+                store.Add(certificate);
+                Console.WriteLine("Added `testCert.pfx` to localMachine cert store");
+                store.Close();
+            }
+
+            string certThumbprint = certificate.Thumbprint;
+            string appId = Guid.NewGuid().ToString();
+
+            string command = $"http add sslcert ipport={ipPort} certstorename=MY certhash={certThumbprint} appid={{{appId}}} clientcertnegotiation=enable";
+            ExecuteNetShCommand(command);
+
+            Console.WriteLine("Configured http.sys settings for mTLS");
+        }
+
+        private static void ExecuteNetShCommand(string command, bool alwaysLogOutput = false)
+        {
+            ProcessStartInfo processInfo = new ProcessStartInfo("netsh", command)
+            {
+                RedirectStandardOutput = true,
+                RedirectStandardError = true,
+                UseShellExecute = false,
+                CreateNoWindow = true
+            };
+
+            Console.WriteLine($"Executing command: `netsh {command}`");
+            using Process process = Process.Start(processInfo)!;
+            string output = process.StandardOutput.ReadToEnd();
+            process.WaitForExit();
+
+            if (alwaysLogOutput)
+            {
+                Console.WriteLine(output);
+            }
+
+            if (process.ExitCode != 0)
+            {
+                throw new InvalidOperationException($"netsh command execution failure: {output}");
+            }
+        }
+
+        private static X509Certificate2 LoadCertificate()
+            => File.Exists("testCert.pfx")
+            ? X509CertificateLoader.LoadPkcs12FromFile("testCert.pfx", "testPassword", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable)
+            : X509CertificateLoader.LoadPkcs12FromFile("../testCert.pfx", "testPassword", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
+    }
+}

src/BenchmarksApps/TLS/HttpSys/Program.cs

@@ -1,13 +1,16 @@
-using Microsoft.AspNetCore.Mvc;
+using HttpSys;
 using Microsoft.AspNetCore.Server.HttpSys;
 
 var builder = WebApplication.CreateBuilder(args);
 builder.Logging.ClearProviders();
 
 var writeCertValidationEventsToConsole = bool.TryParse(builder.Configuration["certValidationConsoleEnabled"], out var certValidationConsoleEnabled) && certValidationConsoleEnabled;
+var httpSysLoggingEnabled = bool.TryParse(builder.Configuration["httpSysLogs"], out var httpSysLogsEnabled) && httpSysLogsEnabled;
 var statsEnabled = bool.TryParse(builder.Configuration["statsEnabled"], out var connectionStatsEnabledConfig) && connectionStatsEnabledConfig;
 var mTlsEnabled = bool.TryParse(builder.Configuration["mTLS"], out var mTlsEnabledConfig) && mTlsEnabledConfig;
+var tlsRenegotiationEnabled = bool.TryParse(builder.Configuration["tlsRenegotiation"], out var tlsRenegotiationEnabledConfig) && tlsRenegotiationEnabledConfig;
 var listeningEndpoints = builder.Configuration["urls"] ?? "https://localhost:5000/";
+var httpsIpPort = listeningEndpoints.Split(";").First(x => x.Contains("https")).Replace("https://", "");
 
 #pragma warning disable CA1416 // Can be launched only on Windows (HttpSys)
 builder.WebHost.UseHttpSys(options =>
@@ -17,7 +20,7 @@
 });
 #pragma warning restore CA1416 // Can be launched only on Windows (HttpSys)
 
-var app = builder.Build();  
+var app = builder.Build();
 
 app.MapGet("/hello-world", () =>
 {
@@ -40,6 +43,40 @@
 }
 
 if (mTlsEnabled)
+{
+    var hostAppLifetime = app.Services.GetRequiredService<IHostApplicationLifetime>();
+    hostAppLifetime!.ApplicationStopping.Register(OnShutdown);
+
+    void OnShutdown()
+    {
+        Console.WriteLine("Application shutdown started.");
+
+        try
+        {
+            NetShWrapper.DisableHttpSysMutualTls(ipPort: httpsIpPort);
+        }
+        catch
+        {
+            Console.WriteLine("Failed to disable HTTP.SYS mTLS settings");
+            throw;
+        }
+    }
+
+    try
+    {
+        // if not executed, following command (enable http.sys mutual tls) will fail because binding exists
+        NetShWrapper.DisableHttpSysMutualTlsIfExists(ipPort: httpsIpPort);
+
+        NetShWrapper.EnableHttpSysMutualTls(ipPort: httpsIpPort);
+    }
+    catch
+    {
+        Console.WriteLine($"Http.Sys configuration for mTLS failed");
+        throw;
+    }
+}
+
+if (tlsRenegotiationEnabled)
 {
     // this is an http.sys middleware to get a cert
     Console.WriteLine("Registered client cert validation middleware");
@@ -72,6 +109,12 @@
 }
 
 await app.StartAsync();
+
+if (httpSysLoggingEnabled)
+{
+    NetShWrapper.Show();
+}
+
 Console.WriteLine("Application Info:");
 if (mTlsEnabled)
 {

src/BenchmarksApps/TLS/HttpSys/appsettings.Development.json

@@ -5,6 +5,8 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
-  "mTLS": "true",
+  "mTLS": "false",
+  "httpSysLogs": "true",
+  "tlsRenegotiation": "true",
   "certValidationConsoleEnabled": "true"
 }