Defer search for dev cert until build bind time (#46296)

amcasey · web-flow · commit 303115ab4101 · 2023-02-22T10:43:58.000-08:00
* Remove uncalled method * Defer search for dev cert until build bind time ...so that it can occur after `IConfiguration` is read. (In particular, so that it occurs during `AddressBinder.BindAsync` which happens strictly after `KestrelConfigurationLoader.Load`.) This is important in Docker scenarios since the Docker tools use `IConfiguration` to tell us where the dev cert directory is mounted. Fixes #45801 * Add regression tests * Call ListenOptions.Build in existing tests * Set IsTls eagerly for HTTP/3 scenarios * Store the lazy HttpsConnectionAdapterOptions somewhere accessible to TransportManager * Tidy up ListenOptions.Build calls in tests * Set HttpsConnectionAdapterOptions.Protocols outside middleware that may not be called * Ensure tests asserting in UseHttps trigger evaluation * Use Single rather than Assert.All * Fix incorrect Single call * Add dev cert test for HTTP/3 * Don't store HttpProtocols on HttpsConnectionAdapterOptions
diff --git a/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs b/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
@@ -72,12 +72,6 @@ public HttpsConnectionAdapterOptions()
     /// </summary>
     public SslProtocols SslProtocols { get; set; }
 
-    /// <summary>
-    /// The protocols enabled on this endpoint.
-    /// </summary>
-    /// <remarks>Defaults to HTTP/1.x only.</remarks>
-    internal HttpProtocols HttpProtocols { get; set; }
-
     /// <summary>
     /// Specifies whether the certificate revocation list is checked during authentication.
     /// </summary>
diff --git a/src/Servers/Kestrel/Core/src/Internal/Infrastructure/TransportManager.cs b/src/Servers/Kestrel/Core/src/Internal/Infrastructure/TransportManager.cs
@@ -77,7 +77,7 @@ public async Task<EndPoint> BindAsync(EndPoint endPoint, MultiplexedConnectionDe
         // The QUIC transport will check if TlsConnectionCallbackOptions is missing.
         if (listenOptions.HttpsOptions != null)
         {
-            var sslServerAuthenticationOptions = HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions);
+            var sslServerAuthenticationOptions = HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions.Value);
             features.Set(new TlsConnectionCallbackOptions
             {
                 ApplicationProtocols = sslServerAuthenticationOptions.ApplicationProtocols ?? new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },
diff --git a/src/Servers/Kestrel/Core/src/ListenOptions.cs b/src/Servers/Kestrel/Core/src/ListenOptions.cs
@@ -140,7 +140,8 @@ internal string Scheme
     }
 
     internal bool IsTls { get; set; }
-    internal HttpsConnectionAdapterOptions? HttpsOptions { get; set; }
+    /// <remarks>Should not be inspected until the configuration has been loaded.</remarks>
+    internal Lazy<HttpsConnectionAdapterOptions>? HttpsOptions { get; set; }
     internal TlsHandshakeCallbackOptions? HttpsCallbackOptions { get; set; }
 
     /// <summary>
diff --git a/src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs b/src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs
@@ -163,33 +163,24 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, Action<Ht
     {
         ArgumentNullException.ThrowIfNull(configureOptions);
 
-        var options = new HttpsConnectionAdapterOptions();
-        listenOptions.KestrelServerOptions.ApplyHttpsDefaults(options);
-        configureOptions(options);
-        listenOptions.KestrelServerOptions.ApplyDefaultCert(options);
-
-        if (options.ServerCertificate == null && options.ServerCertificateSelector == null)
+        return listenOptions.UseHttps(new Lazy<HttpsConnectionAdapterOptions>(() =>
         {
-            throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
-        }
+            // We defer configuration of the https options until build time so that the IConfiguration will be available.
+            // This is particularly important in docker containers, where the docker tools use IConfiguration to tell
+            // us where the development certificates have been mounted.
 
-        return listenOptions.UseHttps(options);
-    }
-
-    // Use Https if a default cert is available
-    internal static bool TryUseHttps(this ListenOptions listenOptions)
-    {
-        var options = new HttpsConnectionAdapterOptions();
-        listenOptions.KestrelServerOptions.ApplyHttpsDefaults(options);
-        listenOptions.KestrelServerOptions.ApplyDefaultCert(options);
+            var options = new HttpsConnectionAdapterOptions();
+            listenOptions.KestrelServerOptions.ApplyHttpsDefaults(options);
+            configureOptions(options);
+            listenOptions.KestrelServerOptions.ApplyDefaultCert(options);
 
-        if (options.ServerCertificate == null && options.ServerCertificateSelector == null)
-        {
-            return false;
-        }
+            if (options.ServerCertificate == null && options.ServerCertificateSelector == null)
+            {
+                throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
+            }
 
-        listenOptions.UseHttps(options);
-        return true;
+            return options;
+        }));
     }
 
     /// <summary>
@@ -201,16 +192,28 @@ internal static bool TryUseHttps(this ListenOptions listenOptions)
     /// <returns>The <see cref="ListenOptions"/>.</returns>
     public static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsConnectionAdapterOptions httpsOptions)
     {
-        var loggerFactory = listenOptions.KestrelServerOptions?.ApplicationServices.GetRequiredService<ILoggerFactory>() ?? NullLoggerFactory.Instance;
+        return listenOptions.UseHttps(new Lazy<HttpsConnectionAdapterOptions>(httpsOptions));
+    }
 
+    /// <summary>
+    /// Configure Kestrel to use HTTPS. This does not use default certificates or other defaults specified via config or
+    /// <see cref="KestrelServerOptions.ConfigureHttpsDefaults(Action{HttpsConnectionAdapterOptions})"/>.
+    /// </summary>
+    /// <param name="listenOptions">The <see cref="ListenOptions"/> to configure.</param>
+    /// <param name="lazyHttpsOptions">Options to configure HTTPS.</param>
+    /// <returns>The <see cref="ListenOptions"/>.</returns>
+    private static ListenOptions UseHttps(this ListenOptions listenOptions, Lazy<HttpsConnectionAdapterOptions> lazyHttpsOptions)
+    {
         listenOptions.IsTls = true;
-        listenOptions.HttpsOptions = httpsOptions;
+        listenOptions.HttpsOptions = lazyHttpsOptions;
 
+        // NB: This lambda will only be invoked if either HTTP/1.* or HTTP/2 is being used
         listenOptions.Use(next =>
         {
-            // Set the list of protocols from listen options
-            httpsOptions.HttpProtocols = listenOptions.Protocols;
-            var middleware = new HttpsConnectionMiddleware(next, httpsOptions, loggerFactory);
+            // Evaluate the HttpsConnectionAdapterOptions, now that the configuration, if any, has been loaded
+            var httpsOptions = listenOptions.HttpsOptions.Value;
+            var loggerFactory = listenOptions.KestrelServerOptions?.ApplicationServices.GetRequiredService<ILoggerFactory>() ?? NullLoggerFactory.Instance;
+            var middleware = new HttpsConnectionMiddleware(next, httpsOptions, listenOptions.Protocols, loggerFactory);
             return middleware.OnConnectionAsync;
         });
 
@@ -270,6 +273,7 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, TlsHandsh
         listenOptions.IsTls = true;
         listenOptions.HttpsCallbackOptions = callbackOptions;
 
+        // NB: This lambda will only be invoked if either HTTP/1.* or HTTP/2 is being used
         listenOptions.Use(next =>
         {
             // Set the list of protocols from listen options.
diff --git a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
@@ -33,6 +33,9 @@ internal sealed class HttpsConnectionMiddleware
     private readonly ILogger<HttpsConnectionMiddleware> _logger;
     private readonly Func<Stream, SslStream> _sslStreamFactory;
 
+    // Internal for testing
+    internal readonly HttpProtocols _httpProtocols;
+
     // The following fields are only set by HttpsConnectionAdapterOptions ctor.
     private readonly HttpsConnectionAdapterOptions? _options;
     private readonly SslStreamCertificateContext? _serverCertificateContext;
@@ -42,17 +45,16 @@ internal sealed class HttpsConnectionMiddleware
     // The following fields are only set by TlsHandshakeCallbackOptions ctor.
     private readonly Func<TlsHandshakeCallbackContext, ValueTask<SslServerAuthenticationOptions>>? _tlsCallbackOptions;
     private readonly object? _tlsCallbackOptionsState;
-    private readonly HttpProtocols _httpProtocols;
 
     // Pool for cancellation tokens that cancel the handshake
     private readonly CancellationTokenSourcePool _ctsPool = new();
 
-    public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapterOptions options)
-      : this(next, options, loggerFactory: NullLoggerFactory.Instance)
+    public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapterOptions options, HttpProtocols httpProtocols)
+      : this(next, options, httpProtocols, loggerFactory: NullLoggerFactory.Instance)
     {
     }
 
-    public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapterOptions options, ILoggerFactory loggerFactory)
+    public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapterOptions options, HttpProtocols httpProtocols, ILoggerFactory loggerFactory)
     {
         ArgumentNullException.ThrowIfNull(options);
 
@@ -72,7 +74,7 @@ public HttpsConnectionMiddleware(ConnectionDelegate next, HttpsConnectionAdapter
         //_sslStreamFactory = s => new SslStream(s);
 
         _options = options;
-        _options.HttpProtocols = ValidateAndNormalizeHttpProtocols(_options.HttpProtocols, _logger);
+        _httpProtocols = ValidateAndNormalizeHttpProtocols(httpProtocols, _logger);
 
         // capture the certificate now so it can't be switched after validation
         _serverCertificate = options.ServerCertificate;
@@ -320,7 +322,7 @@ private Task DoOptionsBasedHandshakeAsync(ConnectionContext context, SslStream s
             CertificateRevocationCheckMode = _options.CheckCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
         };
 
-        ConfigureAlpn(sslOptions, _options.HttpProtocols);
+        ConfigureAlpn(sslOptions, _httpProtocols);
 
         _options.OnAuthenticate?.Invoke(context, sslOptions);
 
diff --git a/src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs b/src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs
@@ -252,6 +252,104 @@ public void ConfigureEndpointDevelopmentCertificateGetsLoadedWhenPresent()
         }
     }
 
+    [Fact]
+    public void LoadDevelopmentCertificate_ConfigureFirst()
+    {
+        try
+        {
+            var serverOptions = CreateServerOptions();
+            var certificate = new X509Certificate2(TestResources.GetCertPath("aspnetdevcert.pfx"), "testPassword", X509KeyStorageFlags.Exportable);
+            var bytes = certificate.Export(X509ContentType.Pkcs12, "1234");
+            var path = GetCertificatePath();
+            Directory.CreateDirectory(Path.GetDirectoryName(path));
+            File.WriteAllBytes(path, bytes);
+
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Certificates:Development:Password", "1234"),
+            }).Build();
+
+            serverOptions.Configure(config);
+
+            Assert.Null(serverOptions.DefaultCertificate);
+
+            serverOptions.ConfigurationLoader.Load();
+
+            Assert.NotNull(serverOptions.DefaultCertificate);
+            Assert.Equal(serverOptions.DefaultCertificate.SerialNumber, certificate.SerialNumber);
+
+            var ran1 = false;
+            serverOptions.ListenAnyIP(4545, listenOptions =>
+            {
+                ran1 = true;
+                listenOptions.UseHttps();
+            });
+            Assert.True(ran1);
+
+            var listenOptions = serverOptions.CodeBackedListenOptions.Single();
+            Assert.False(listenOptions.HttpsOptions.IsValueCreated);
+            listenOptions.Build();
+            Assert.True(listenOptions.HttpsOptions.IsValueCreated);
+            Assert.Equal(listenOptions.HttpsOptions.Value.ServerCertificate?.SerialNumber, certificate.SerialNumber);
+        }
+        finally
+        {
+            if (File.Exists(GetCertificatePath()))
+            {
+                File.Delete(GetCertificatePath());
+            }
+        }
+    }
+
+    [Fact]
+    public void LoadDevelopmentCertificate_UseHttpsFirst()
+    {
+        try
+        {
+            var serverOptions = CreateServerOptions();
+            var certificate = new X509Certificate2(TestResources.GetCertPath("aspnetdevcert.pfx"), "testPassword", X509KeyStorageFlags.Exportable);
+            var bytes = certificate.Export(X509ContentType.Pkcs12, "1234");
+            var path = GetCertificatePath();
+            Directory.CreateDirectory(Path.GetDirectoryName(path));
+            File.WriteAllBytes(path, bytes);
+
+            var ran1 = false;
+            serverOptions.ListenAnyIP(4545, listenOptions =>
+            {
+                ran1 = true;
+                listenOptions.UseHttps();
+            });
+            Assert.True(ran1);
+
+            var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
+            {
+                new KeyValuePair<string, string>("Certificates:Development:Password", "1234"),
+            }).Build();
+
+            serverOptions.Configure(config);
+
+            Assert.Null(serverOptions.DefaultCertificate);
+
+            serverOptions.ConfigurationLoader.Load();
+
+            Assert.NotNull(serverOptions.DefaultCertificate);
+            Assert.Equal(serverOptions.DefaultCertificate.SerialNumber, certificate.SerialNumber);
+
+            var listenOptions = serverOptions.CodeBackedListenOptions.Single();
+            Assert.False(listenOptions.HttpsOptions.IsValueCreated);
+            listenOptions.Build();
+            Assert.True(listenOptions.HttpsOptions.IsValueCreated);
+            Assert.Equal(listenOptions.HttpsOptions.Value.ServerCertificate?.SerialNumber, certificate.SerialNumber);
+        }
+        finally
+        {
+            if (File.Exists(GetCertificatePath()))
+            {
+                File.Delete(GetCertificatePath());
+            }
+        }
+    }
+
     [Fact]
     public void ConfigureEndpoint_ThrowsWhen_The_PasswordIsMissing()
     {
@@ -730,6 +828,8 @@ public void EndpointConfigureSection_CanSetSslProtocol()
             });
         });
 
+        _ = serverOptions.CodeBackedListenOptions.Single().HttpsOptions.Value; // Force evaluation
+
         Assert.True(ranDefault);
         Assert.True(ran1);
         Assert.True(ran2);
@@ -865,6 +965,8 @@ public void EndpointConfigureSection_CanSetClientCertificateMode()
             });
         });
 
+        _ = serverOptions.CodeBackedListenOptions.Single().HttpsOptions.Value; // Force evaluation
+
         Assert.True(ranDefault);
         Assert.True(ran1);
         Assert.True(ran2);
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
@@ -228,7 +228,8 @@ void ConfigureListenOptions(ListenOptions listenOptions)
     public void ThrowsWhenNoServerCertificateIsProvided()
     {
         Assert.Throws<ArgumentException>(() => new HttpsConnectionMiddleware(context => Task.CompletedTask,
-            new HttpsConnectionAdapterOptions())
+            new HttpsConnectionAdapterOptions(),
+            ListenOptions.DefaultHttpProtocols)
             );
     }
 
@@ -1268,7 +1269,8 @@ public void AcceptsCertificateWithoutExtensions(string testCertName)
         new HttpsConnectionMiddleware(context => Task.CompletedTask, new HttpsConnectionAdapterOptions
         {
             ServerCertificate = cert,
-        });
+        },
+        ListenOptions.DefaultHttpProtocols);
     }
 
     [Theory]
@@ -1286,7 +1288,8 @@ public void ValidatesEnhancedKeyUsageOnCertificate(string testCertName)
         new HttpsConnectionMiddleware(context => Task.CompletedTask, new HttpsConnectionAdapterOptions
         {
             ServerCertificate = cert,
-        });
+        },
+        ListenOptions.DefaultHttpProtocols);
     }
 
     [Theory]
@@ -1305,7 +1308,7 @@ public void ThrowsForCertificatesMissingServerEku(string testCertName)
             new HttpsConnectionMiddleware(context => Task.CompletedTask, new HttpsConnectionAdapterOptions
             {
                 ServerCertificate = cert,
-            }));
+            }, ListenOptions.DefaultHttpProtocols));
 
         Assert.Equal(CoreStrings.FormatInvalidServerCertificateEku(cert.Thumbprint), ex.Message);
     }
@@ -1352,11 +1355,10 @@ public void Http1AndHttp2DowngradeToHttp1ForHttpsOnIncompatibleWindowsVersions()
         var httpConnectionAdapterOptions = new HttpsConnectionAdapterOptions
         {
             ServerCertificate = _x509Certificate2,
-            HttpProtocols = HttpProtocols.Http1AndHttp2
         };
-        new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions);
+        var middleware = new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions, HttpProtocols.Http1AndHttp2);
 
-        Assert.Equal(HttpProtocols.Http1, httpConnectionAdapterOptions.HttpProtocols);
+        Assert.Equal(HttpProtocols.Http1, middleware._httpProtocols);
     }
 
     [ConditionalFact]
@@ -1367,11 +1369,10 @@ public void Http1AndHttp2DoesNotDowngradeOnCompatibleWindowsVersions()
         var httpConnectionAdapterOptions = new HttpsConnectionAdapterOptions
         {
             ServerCertificate = _x509Certificate2,
-            HttpProtocols = HttpProtocols.Http1AndHttp2
         };
-        new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions);
+        var middleware = new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions, HttpProtocols.Http1AndHttp2);
 
-        Assert.Equal(HttpProtocols.Http1AndHttp2, httpConnectionAdapterOptions.HttpProtocols);
+        Assert.Equal(HttpProtocols.Http1AndHttp2, middleware._httpProtocols);
     }
 
     [ConditionalFact]
@@ -1382,10 +1383,9 @@ public void Http2ThrowsOnIncompatibleWindowsVersions()
         var httpConnectionAdapterOptions = new HttpsConnectionAdapterOptions
         {
             ServerCertificate = _x509Certificate2,
-            HttpProtocols = HttpProtocols.Http2
         };
 
-        Assert.Throws<NotSupportedException>(() => new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions));
+        Assert.Throws<NotSupportedException>(() => new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions, HttpProtocols.Http2));
     }
 
     [ConditionalFact]
@@ -1396,11 +1396,10 @@ public void Http2DoesNotThrowOnCompatibleWindowsVersions()
         var httpConnectionAdapterOptions = new HttpsConnectionAdapterOptions
         {
             ServerCertificate = _x509Certificate2,
-            HttpProtocols = HttpProtocols.Http2
         };
 
         // Does not throw
-        new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions);
+        new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions, HttpProtocols.Http2);
     }
 
     private static async Task App(HttpContext httpContext)
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
diff --git a/src/Servers/Kestrel/test/Interop.FunctionalTests/Http3/Http3TlsTests.cs b/src/Servers/Kestrel/test/Interop.FunctionalTests/Http3/Http3TlsTests.cs

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ public async Task<EndPoint> BindAsync(EndPoint endPoint, MultiplexedConnectionDe`
`77`	`77`	`// The QUIC transport will check if TlsConnectionCallbackOptions is missing.`
`78`	`78`	`if (listenOptions.HttpsOptions != null)`
`79`	`79`	`{`
`80`		`- var sslServerAuthenticationOptions = HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions);`
	`80`	`+ var sslServerAuthenticationOptions = HttpsConnectionMiddleware.CreateHttp3Options(listenOptions.HttpsOptions.Value);`
`81`	`81`	`features.Set(new TlsConnectionCallbackOptions`
`82`	`82`	`{`
`83`	`83`	`ApplicationProtocols = sslServerAuthenticationOptions.ApplicationProtocols ?? new List<SslApplicationProtocol> { SslApplicationProtocol.Http3 },`
Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,8 @@ internal string Scheme`
`140`	`140`	`}`
`141`	`141`
`142`	`142`	`internal bool IsTls { get; set; }`
`143`		`- internal HttpsConnectionAdapterOptions? HttpsOptions { get; set; }`
	`143`	`+ /// <remarks>Should not be inspected until the configuration has been loaded.</remarks>`
	`144`	`+ internal Lazy<HttpsConnectionAdapterOptions>? HttpsOptions { get; set; }`
`144`	`145`	`internal TlsHandshakeCallbackOptions? HttpsCallbackOptions { get; set; }`
`145`	`146`
`146`	`147`	`/// <summary>`
Original file line number	Diff line number	Diff line change
`@@ -228,7 +228,8 @@ void ConfigureListenOptions(ListenOptions listenOptions)`
`228`	`228`	`public void ThrowsWhenNoServerCertificateIsProvided()`
`229`	`229`	`{`
`230`	`230`	`Assert.Throws<ArgumentException>(() => new HttpsConnectionMiddleware(context => Task.CompletedTask,`
`231`		`- new HttpsConnectionAdapterOptions())`
	`231`	`+ new HttpsConnectionAdapterOptions(),`
	`232`	`+ ListenOptions.DefaultHttpProtocols)`
`232`	`233`	`);`
`233`	`234`	`}`
`234`	`235`
`@@ -1268,7 +1269,8 @@ public void AcceptsCertificateWithoutExtensions(string testCertName)`
`1268`	`1269`	`new HttpsConnectionMiddleware(context => Task.CompletedTask, new HttpsConnectionAdapterOptions`
`1269`	`1270`	`{`
`1270`	`1271`	`ServerCertificate = cert,`
`1271`		`- });`
	`1272`	`+ },`
	`1273`	`+ ListenOptions.DefaultHttpProtocols);`
`1272`	`1274`	`}`
`1273`	`1275`
`1274`	`1276`	`[Theory]`
`@@ -1286,7 +1288,8 @@ public void ValidatesEnhancedKeyUsageOnCertificate(string testCertName)`
`1286`	`1288`	`new HttpsConnectionMiddleware(context => Task.CompletedTask, new HttpsConnectionAdapterOptions`
`1287`	`1289`	`{`
`1288`	`1290`	`ServerCertificate = cert,`
`1289`		`- });`
	`1291`	`+ },`
	`1292`	`+ ListenOptions.DefaultHttpProtocols);`
`1290`	`1293`	`}`
`1291`	`1294`
`1292`	`1295`	`[Theory]`
`@@ -1305,7 +1308,7 @@ public void ThrowsForCertificatesMissingServerEku(string testCertName)`
`1305`	`1308`	`new HttpsConnectionMiddleware(context => Task.CompletedTask, new HttpsConnectionAdapterOptions`
`1306`	`1309`	`{`
`1307`	`1310`	`ServerCertificate = cert,`
`1308`		`- }));`
	`1311`	`+ }, ListenOptions.DefaultHttpProtocols));`
`1309`	`1312`
`1310`	`1313`	`Assert.Equal(CoreStrings.FormatInvalidServerCertificateEku(cert.Thumbprint), ex.Message);`
`1311`	`1314`	`}`
`@@ -1352,11 +1355,10 @@ public void Http1AndHttp2DowngradeToHttp1ForHttpsOnIncompatibleWindowsVersions()`
`1352`	`1355`	`var httpConnectionAdapterOptions = new HttpsConnectionAdapterOptions`
`1353`	`1356`	`{`
`1354`	`1357`	`ServerCertificate = _x509Certificate2,`
`1355`		`- HttpProtocols = HttpProtocols.Http1AndHttp2`
`1356`	`1358`	`};`
`1357`		`- new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions);`
	`1359`	`+ var middleware = new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions, HttpProtocols.Http1AndHttp2);`
`1358`	`1360`
`1359`		`- Assert.Equal(HttpProtocols.Http1, httpConnectionAdapterOptions.HttpProtocols);`
	`1361`	`+ Assert.Equal(HttpProtocols.Http1, middleware._httpProtocols);`
`1360`	`1362`	`}`
`1361`	`1363`
`1362`	`1364`	`[ConditionalFact]`
`@@ -1367,11 +1369,10 @@ public void Http1AndHttp2DoesNotDowngradeOnCompatibleWindowsVersions()`
`1367`	`1369`	`var httpConnectionAdapterOptions = new HttpsConnectionAdapterOptions`
`1368`	`1370`	`{`
`1369`	`1371`	`ServerCertificate = _x509Certificate2,`
`1370`		`- HttpProtocols = HttpProtocols.Http1AndHttp2`
`1371`	`1372`	`};`
`1372`		`- new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions);`
	`1373`	`+ var middleware = new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions, HttpProtocols.Http1AndHttp2);`
`1373`	`1374`
`1374`		`- Assert.Equal(HttpProtocols.Http1AndHttp2, httpConnectionAdapterOptions.HttpProtocols);`
	`1375`	`+ Assert.Equal(HttpProtocols.Http1AndHttp2, middleware._httpProtocols);`
`1375`	`1376`	`}`
`1376`	`1377`
`1377`	`1378`	`[ConditionalFact]`
`@@ -1382,10 +1383,9 @@ public void Http2ThrowsOnIncompatibleWindowsVersions()`
`1382`	`1383`	`var httpConnectionAdapterOptions = new HttpsConnectionAdapterOptions`
`1383`	`1384`	`{`
`1384`	`1385`	`ServerCertificate = _x509Certificate2,`
`1385`		`- HttpProtocols = HttpProtocols.Http2`
`1386`	`1386`	`};`
`1387`	`1387`
`1388`		`- Assert.Throws<NotSupportedException>(() => new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions));`
	`1388`	`+ Assert.Throws<NotSupportedException>(() => new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions, HttpProtocols.Http2));`
`1389`	`1389`	`}`
`1390`	`1390`
`1391`	`1391`	`[ConditionalFact]`
`@@ -1396,11 +1396,10 @@ public void Http2DoesNotThrowOnCompatibleWindowsVersions()`
`1396`	`1396`	`var httpConnectionAdapterOptions = new HttpsConnectionAdapterOptions`
`1397`	`1397`	`{`
`1398`	`1398`	`ServerCertificate = _x509Certificate2,`
`1399`		`- HttpProtocols = HttpProtocols.Http2`
`1400`	`1399`	`};`
`1401`	`1400`
`1402`	`1401`	`// Does not throw`
`1403`		`- new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions);`
	`1402`	`+ new HttpsConnectionMiddleware(context => Task.CompletedTask, httpConnectionAdapterOptions, HttpProtocols.Http2);`
`1404`	`1403`	`}`
`1405`	`1404`
`1406`	`1405`	`private static async Task App(HttpContext httpContext)`