fix: integrate mutual TLS scenario with underlying http.sys server by DeagleGross · Pull Request #2044 · aspnet/Benchmarks

DeagleGross · 2025-01-14T21:14:53Z

mTLS (mutual TLS) requires a separate setup from the server side. mTLS is valid, when clientCert is negotiated on the connection establishment, meaning when ASP.NET code calls context.Connection.ClientCertificate: it should be already available and there must not be any need to invoke context.Connection.GetClientCertificateAsync()

in case of Kestrel setup is extremely easy - just set a specific enum value:

options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
options.ClientCertificateValidation = AllowAnyCertificateValidationWithLogging;

however in case of HTTP.SYS the only option is to execute a netsh command netsh http add sslcert.

I have added a code in ASP.NET application, which on start binds the test certificate using netsh command, and then using an applicationLifetime ApplicationStopping callback it deletes the cert binding from the machine. It can be seem from the logs (below).

Basically the order is the following:

bind the test cert to http.sys with clientcertnegotiation=enable to enable client cert negotiation
optionally) netsh http show sslcert can show the ssl cert bindings on a machine. Important property is "Negotiate Client Certificate : Enabled"
execute the benchmark (in other words process the traffic). If verbose logging of cert validation is enabled, you should see message "client certificate (...) already exists on the connection", meaning that client cert negotiation happened on the connection establishment
in the end of the benchmark run during a graceful shutdown of an app a rollback of http.sys configuration will happen - we will execute netsh http delete sslcert

args: --urls https://10.0.0.110:5000 --mTLS true --certValidationConsoleEnabled true --statsEnabled false --tlsRenegotiation true --httpSysLogs true
Setting up mTLS for http.sys
Loaded testCert.pfx from local file system
Added testCert.pfx to localMachine cert store
Executing command: netsh http add sslcert ipport=10.0.0.110:5000 certstorename=MY certhash=6A283FAAA7FFFC129DF24CC0E7521186C7926219 appid={75e4f5b6-776f-448f-8a36-64e964bf2147} clientcertnegotiation=enable
Configured http.sys settings for mTLS
Registered client cert validation middleware
Executing command: netsh http show sslcert

SSL Certificate bindings:
IP:port                      : 10.0.0.110:5000
Certificate Hash             : 6a283faaa7fffc129df24cc0e7521186c7926219
Application ID               : {75e4f5b6-776f-448f-8a36-64e964bf2147}
Certificate Store Name       : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
**Negotiate Client Certificate : Enabled**
Reject Connections           : Disabled
Disable HTTP2                : Not Set
Disable QUIC                 : Not Set
Disable TLS1.2               : Not Set
Disable TLS1.3               : Not Set
Disable OCSP Stapling        : Not Set
Enable Token Binding         : Not Set
Log Extended Events          : Not Set
Disable Legacy TLS Versions  : Not Set
Enable Session Ticket        : Not Set
Application Info:
mTLS is enabled (client cert is required)
enabled logging certificate validation events to console
listening endpoints: https://10.0.0.110:5000
Application started.
client certificate (6A283FAAA7FFFC129DF24CC0E7521186C7926219) already exists on the connection -648518319766231673
client certificate (6A283FAAA7FFFC129DF24CC0E7521186C7926219) already exists on the connection -216172777013495157
client certificate (6A283FAAA7FFFC129DF24CC0E7521186C7926219) already exists on the connection -144115161500731759
client certificate (6A283FAAA7FFFC129DF24CC0E7521186C7926219) already exists on the connection -576460747203134805
client certificate (6A283FAAA7FFFC129DF24CC0E7521186C7926219) already exists on the connection -432345559127283053
...
...
...
Disabling mTLS for http.sys
Executing command: netsh http delete sslcert ipport=10.0.0.110:5000
Disabled http.sys settings for mTLS

BrennanConroy

Nice, I am slightly worried if netsh fails to delete the configuration and leaves the machine in a setup state.

src/BenchmarksApps/TLS/HttpSys/NetShWrapper.cs

src/BenchmarksApps/TLS/HttpSys/Program.cs

DeagleGross · 2025-01-15T11:10:12Z

Nice, I am slightly worried if netsh fails to delete the configuration and leaves the machine in a setup state.

I am as well. I am thinking about 2 approaches:

leave it as is relying on re-running benchmark again eventually on same machine, which will bring machine back to a proper setup. I need to make an additional verification check in the startup then
add the after-script to perform sslcert binding deletion.

i will try to do №2 a bit later today - it should be more robust

… other tests)

DeagleGross · 2025-01-15T20:26:33Z

decided to change the port to 8080 so that other tests are not impacted by http.sys configuration changes (if there would be) - just for safety.

DeagleGross added 12 commits January 14, 2025 13:36

init scripts

9d774bf

upd

5bb7a65

add http.sys setup

d7fdb1c

add debug info

86f2ec8

path to cert?

7adced1

add tlsRenegotiation param

deedf40

dont use scripts

546753b

pass tls renego param

efa9d8f

httpsys logs

6332df9

netsh wrap

12acd3e

adjust CI configs

5d64e38

minor

adbba73

DeagleGross requested review from BrennanConroy and adityamandaleeka January 14, 2025 21:14

DeagleGross self-assigned this Jan 14, 2025

BrennanConroy approved these changes Jan 15, 2025

View reviewed changes

src/BenchmarksApps/TLS/HttpSys/NetShWrapper.cs Outdated Show resolved Hide resolved

src/BenchmarksApps/TLS/HttpSys/Program.cs Outdated Show resolved Hide resolved

address PR comment

2f5437e

DeagleGross added 5 commits January 15, 2025 19:47

address PR comments + change port to high-value (no intersection with…

754adee

… other tests)

typo

fad2041

remove pragmas

2b5c4d9

sync client port and server port

1503f74

port 8080

c69e2ce

DeagleGross merged commit 55b23b5 into aspnet:main Jan 15, 2025
2 checks passed

DeagleGross deleted the dmkorolev/tls-httpsys-fixes branch January 15, 2025 20:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: integrate mutual TLS scenario with underlying http.sys server #2044

fix: integrate mutual TLS scenario with underlying http.sys server #2044
DeagleGross merged 18 commits intoaspnet:mainfrom
DeagleGross:dmkorolev/tls-httpsys-fixes

DeagleGross commented Jan 14, 2025

Uh oh!

BrennanConroy left a comment

Uh oh!

Uh oh!

Uh oh!

DeagleGross commented Jan 15, 2025

Uh oh!

DeagleGross commented Jan 15, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

DeagleGross commented Jan 14, 2025

SSL Certificate bindings:

Application Info:

Uh oh!

BrennanConroy left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

DeagleGross commented Jan 15, 2025

Uh oh!

DeagleGross commented Jan 15, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants