kestrel

Author: DeagleGross

scenarios/tls.benchmarks.yml

@@ -20,7 +20,8 @@ jobs:
       certValidationConsoleEnabled: false
       httpSysLogs: false
       statsEnabled: false
-    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}} --httpSysLogs {{httpSysLogs}}"
+      tlsProtocols: "tls12"
+    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}} --httpSysLogs {{httpSysLogs}} --tlsProtocols {{tlsProtocols}}"
 
   kestrelServer:
     source:
@@ -33,7 +34,8 @@ jobs:
       tlsRenegotiation: false
       certValidationConsoleEnabled: false
       statsEnabled: false
-    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}}"
+      tlsProtocols: "tls12"
+    arguments: "--urls https://{{serverAddress}}:{{serverPort}} --mTLS {{mTLS}} --certValidationConsoleEnabled {{certValidationConsoleEnabled}} --statsEnabled {{statsEnabled}} --tlsRenegotiation {{tlsRenegotiation}} --tlsProtocols {{tlsProtocols}}"
 
 scenarios:
 

src/BenchmarksApps/TLS/Kestrel/Program.cs

@@ -1,7 +1,7 @@
 using System.Net;
 using System.Net.Security;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
-using Microsoft.AspNetCore.Authentication.Certificate;
 using Microsoft.AspNetCore.Server.HttpSys;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
@@ -14,6 +14,7 @@
 var tlsRenegotiationEnabled = bool.TryParse(builder.Configuration["tlsRenegotiation"], out var tlsRenegotiationEnabledConfig) && tlsRenegotiationEnabledConfig;
 var statsEnabled = bool.TryParse(builder.Configuration["statsEnabled"], out var connectionStatsEnabledConfig) && connectionStatsEnabledConfig;
 var listeningEndpoints = builder.Configuration["urls"] ?? "https://localhost:5000/";
+var supportedTlsVersions = ParseSslProtocols(builder.Configuration["tlsProtocols"]);
 
 if (mTlsEnabled && tlsRenegotiationEnabled)
 {
@@ -40,6 +41,8 @@ void ConfigureListen(KestrelServerOptions serverOptions, IConfigurationRoot conf
             // [SuppressMessage("Microsoft.Security", "CSCAN0220.DefaultPasswordContexts", Justification="Benchmark code, not a secret")]
             listenOptions.UseHttps("testCert.pfx", "testPassword", options =>
             {
+                options.SslProtocols = supportedTlsVersions;
+
                 if (mTlsEnabled)
                 {
                     options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
@@ -137,6 +140,7 @@ bool AllowAnyCertificateValidationWithLogging(X509Certificate2 certificate, X509
 {
     Console.WriteLine($"\tenabled logging stats to console");
 }
+Console.WriteLine($"\tsupported TLS versions: {supportedTlsVersions}");
 Console.WriteLine($"\tlistening endpoints: {listeningEndpoints}");
 Console.WriteLine("--------------------------------");
 
@@ -157,4 +161,36 @@ static IPEndPoint CreateIPEndPoint(UrlPrefix urlPrefix)
     }
 
     return new IPEndPoint(ip, urlPrefix.PortValue);
+}
+
+static SslProtocols ParseSslProtocols(string? supportedTlsVersions)
+{
+    var protocols = SslProtocols.Tls12; // default it TLS 1.2
+    if (string.IsNullOrEmpty(supportedTlsVersions))
+    {
+        return protocols;
+    }
+
+    protocols = SslProtocols.None;
+    foreach (var version in supportedTlsVersions.Split(','))
+    {
+        switch (version.Trim().ToLower())
+        {
+#pragma warning disable SYSLIB0039 // Type or member is obsolete
+            case "tls11":
+                protocols |= SslProtocols.Tls11;
+                break;
+#pragma warning restore SYSLIB0039 // Type or member is obsolete
+            case "tls12":
+                protocols |= SslProtocols.Tls12;
+                break;
+            case "tls13":
+                protocols |= SslProtocols.Tls13;
+                break;
+            default:
+                throw new ArgumentException($"Unsupported TLS version: {version}");
+        }
+    }
+
+    return protocols;
 }