dotnet · DeagleGross · Sep 19, 2025 · Sep 15, 2025 · Sep 15, 2025 · Sep 15, 2025
@@ -6,6 +6,7 @@
 using System.Reflection;
 using System.Runtime.InteropServices;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Connections.Features;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
@@ -30,6 +31,7 @@
 {
     var connectionFeature = context.Features.GetRequiredFeature<IHttpConnectionFeature>();
     var httpSysPropFeature = context.Features.GetRequiredFeature<IHttpSysRequestPropertyFeature>();
+    var tlsHandshakeFeature = context.Features.GetRequiredFeature<ITlsHandshakeFeature>();
 
     // first time invocation to find out required size
     var success = httpSysPropFeature.TryGetTlsClientHello(Array.Empty<byte>(), out var bytesReturned);
@@ -41,7 +43,14 @@
     success = httpSysPropFeature.TryGetTlsClientHello(bytes, out _);
     Debug.Assert(success);
 
-    await context.Response.WriteAsync($"[Response] connectionId={connectionFeature.ConnectionId}; tlsClientHello.length={bytesReturned}; tlsclienthello start={string.Join(' ', bytes.AsSpan(0, 30).ToArray())}");
+    await context.Response.WriteAsync(
+        $"""
+            connectionId            = {connectionFeature.ConnectionId};
+            negotiated cipher suite = {tlsHandshakeFeature.NegotiatedCipherSuite}; 
+            tlsClientHello.length   = {bytesReturned};
+            tlsclienthello start    = {string.Join(' ', bytes.AsSpan(0, 30).ToArray())}
+        """);
+
     await next(context);
 });
 

@@ -60,4 +60,5 @@ internal static class LoggerEventIds
     public const int AcceptObserveExpectationMismatch = 53;
     public const int RequestParsingError = 54;
     public const int TlsListenerError = 55;
+    public const int QueryTlsCipherSuiteError = 56;
 }
@@ -70,6 +70,7 @@ internal static unsafe uint HttpSetRequestProperty(SafeHandle requestQueueHandle
     internal static bool SupportsReset { get; }
     internal static bool SupportsDelegation { get; }
     internal static bool SupportsClientHello { get; }
+    internal static bool SupportsQueryTlsCipherInfo { get; }
     internal static bool Supported { get; }
 
     static unsafe HttpApi()
@@ -86,6 +87,7 @@ static unsafe HttpApi()
             SupportsTrailers = IsFeatureSupported(HTTP_FEATURE_ID.HttpFeatureResponseTrailers);
             SupportsDelegation = IsFeatureSupported(HTTP_FEATURE_ID.HttpFeatureDelegateEx);
             SupportsClientHello = IsFeatureSupported((HTTP_FEATURE_ID)11 /* HTTP_FEATURE_ID.HttpFeatureCacheTlsClientHello */) && HttpGetRequestPropertySupported;
+            SupportsQueryTlsCipherInfo = IsFeatureSupported((HTTP_FEATURE_ID)15 /* HTTP_FEATURE_ID.HttpFeatureQueryCipherInfo */) && HttpGetRequestPropertySupported;
         }
     }
 

diff --git a/src/Servers/HttpSys/src/NativeInterop/Types/SecPkgContext_CipherInfo.cs b/src/Servers/HttpSys/src/NativeInterop/Types/SecPkgContext_CipherInfo.cs
@@ -0,0 +1,29 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Runtime.InteropServices;
+
+namespace Microsoft.AspNetCore.Server.HttpSys.NativeInterop.Types;
+
+// From Schannel.h
+[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+internal unsafe struct SecPkgContext_CipherInfo
+{
+    private const int SZ_ALG_MAX_SIZE = 64;
+
+    private readonly int dwVersion;
+    private readonly int dwProtocol;
+    public readonly int dwCipherSuite;
+    private readonly int dwBaseCipherSuite;
+    private fixed char szCipherSuite[SZ_ALG_MAX_SIZE];
+    private fixed char szCipher[SZ_ALG_MAX_SIZE];
+    private readonly int dwCipherLen;
+    private readonly int dwCipherBlockLen; // in bytes
+    private fixed char szHash[SZ_ALG_MAX_SIZE];
+    private readonly int dwHashLen;
+    private fixed char szExchange[SZ_ALG_MAX_SIZE];
+    private readonly int dwMinExchangeLen;
+    private readonly int dwMaxExchangeLen;
+    private fixed char szCertificate[SZ_ALG_MAX_SIZE];
+    private readonly int dwKeyType;
+}
@@ -3,6 +3,7 @@
 
 using System.Globalization;
 using System.Net;
+using System.Net.Security;
 using System.Security;
 using System.Security.Authentication;
 using System.Security.Cryptography;
@@ -334,6 +335,8 @@ private AspNetCore.HttpSys.Internal.SocketAddress LocalEndPoint
 
     public SslProtocols Protocol { get; private set; }
 
+    public TlsCipherSuite? NegotiatedCipherSuite { get; private set; }
+
     [Obsolete(Obsoletions.RuntimeTlsCipherAlgorithmEnumsMessage, DiagnosticId = Obsoletions.RuntimeTlsCipherAlgorithmEnumsDiagId, UrlFormat = Obsoletions.RuntimeSharedUrlFormat)]
     public CipherAlgorithmType CipherAlgorithm { get; private set; }
 
@@ -356,6 +359,8 @@ private void GetTlsHandshakeResults()
     {
         var handshake = RequestContext.GetTlsHandshake();
         Protocol = (SslProtocols)handshake.Protocol;
+
+        NegotiatedCipherSuite = RequestContext.GetTlsCipherSuite();
 #pragma warning disable SYSLIB0058 // Type or member is obsolete
         CipherAlgorithm = (CipherAlgorithmType)handshake.CipherType;
         CipherStrength = (int)handshake.CipherStrength;

@@ -5,6 +5,7 @@
 using System.Globalization;
 using System.IO.Pipelines;
 using System.Net;
+using System.Net.Security;
 using System.Security.Authentication;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
@@ -593,6 +594,8 @@ bool IHttpBodyControlFeature.AllowSynchronousIO
 
     SslProtocols ITlsHandshakeFeature.Protocol => Request.Protocol;
 
+    TlsCipherSuite? ITlsHandshakeFeature.NegotiatedCipherSuite => Request.NegotiatedCipherSuite;
+
 #pragma warning disable SYSLIB0058 // Type or member is obsolete
     CipherAlgorithmType ITlsHandshakeFeature.CipherAlgorithm => Request.CipherAlgorithm;
 

@@ -23,5 +23,8 @@ private static partial class Log
 
         [LoggerMessage(LoggerEventIds.RequestParsingError, LogLevel.Debug, "Failed to invoke QueryTlsClientHello; RequestId: {RequestId}; Win32 Error code: {Win32Error}", EventName = "TlsClientHelloRetrieveError")]
         public static partial void TlsClientHelloRetrieveError(ILogger logger, ulong requestId, uint win32Error);
+
+        [LoggerMessage(LoggerEventIds.QueryTlsCipherSuiteError, LogLevel.Debug, "Failed to invoke QueryTlsCipherSuite; RequestId: {RequestId}; Win32 Error code: {Win32Error}", EventName = "QueryTlsCipherSuiteError")]
+        public static partial void QueryTlsCipherSuiteError(ILogger logger, ulong requestId, uint win32Error);
     }
 }
@@ -1,10 +1,12 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Net.Security;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.HttpSys.Internal;
+using Microsoft.AspNetCore.Server.HttpSys.NativeInterop.Types;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
 using Windows.Win32;
@@ -219,6 +221,46 @@ internal void ForceCancelRequest()
         }
     }
 
+    /// <summary>
+    /// Gets TLS cipher suite used for the request, if supported by the OS and http.sys.
+    /// </summary>
+    /// <returns>
+    /// null, if query of TlsCipherSuite is not supported or the query failed.
+    /// TlsCipherSuite value, if query is successful.
+    /// </returns>
+    internal unsafe TlsCipherSuite? GetTlsCipherSuite()
+    {
+        if (!HttpApi.SupportsQueryTlsCipherInfo)
+        {
+            return default;
+        }
+
+        var requestId = PinsReleased ? Request.RequestId : RequestId;
+
+        SecPkgContext_CipherInfo cipherInfo = default;
+        uint bytesReturned = 0;
+
+        var statusCode = HttpApi.HttpGetRequestProperty(
+            requestQueueHandle: Server.RequestQueue.Handle,
+            requestId,
+            propertyId: (HTTP_REQUEST_PROPERTY)14 /* HTTP_REQUEST_PROPERTY.HttpRequestPropertyTlsCipherInfo */,
+            qualifier: null,
+            qualifierSize: 0,
+            output: &cipherInfo,
+            outputSize: (uint)sizeof(SecPkgContext_CipherInfo),
+            bytesReturned: (IntPtr)(&bytesReturned),
+            overlapped: IntPtr.Zero);
+
+        if (statusCode is ErrorCodes.ERROR_SUCCESS)
+        {
+            return (TlsCipherSuite)cipherInfo.dwCipherSuite;
+        }
+
+        // OS supports querying TlsCipherSuite, but request failed.
+        Log.QueryTlsCipherSuiteError(Logger, requestId, statusCode);
+        return null;
+    }
+
     /// <summary>
     /// Attempts to get the client hello message bytes from the http.sys.
     /// If successful writes the bytes into <paramref name="destination"/>, and shows how many bytes were written in <paramref name="bytesReturned"/>.

@@ -18,6 +18,7 @@
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.HttpSys.Internal;
 using Microsoft.AspNetCore.Server.IIS.Core.IO;
+using Microsoft.AspNetCore.Server.IIS.Core.Native;
 using Microsoft.AspNetCore.Shared;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
@@ -402,6 +403,8 @@ private void GetTlsHandshakeResults()
     {
         var handshake = GetTlsHandshake();
         Protocol = (SslProtocols)handshake.Protocol;
+
+        NegotiatedCipherSuite = GetTlsCipherSuite();
 #pragma warning disable SYSLIB0058 // Type or member is obsolete
         CipherAlgorithm = (CipherAlgorithmType)handshake.CipherType;
         CipherStrength = (int)handshake.CipherStrength;
@@ -415,6 +418,33 @@ private void GetTlsHandshakeResults()
         SniHostName = sni.Hostname.ToString();
     }
 
+    private unsafe TlsCipherSuite? GetTlsCipherSuite()
+    {
+        var size = sizeof(SecPkgContext_CipherInfo);
+        var buffer = new byte[size];
+
+        fixed (byte* pBuffer = buffer)
+        {
+            var statusCode = NativeMethods.HttpQueryRequestProperty(
+                RequestId,
+                (HTTP_REQUEST_PROPERTY)14 /* HTTP_REQUEST_PROPERTY.HttpRequestPropertyTlsCipherInfo */,
+                qualifier: null,
+                qualifierSize: 0,
+                (void*)pBuffer,
+                (uint)buffer.Length,
+                bytesReturned: null,
+                IntPtr.Zero);
+
+            if (statusCode == NativeMethods.HR_OK)
+            {
+                var cipherInfo = Marshal.PtrToStructure<SecPkgContext_CipherInfo>((IntPtr)pBuffer);
+                return (TlsCipherSuite)cipherInfo.dwCipherSuite;
+            }
+
+            return default;
+        }
+    }
+
     private unsafe HTTP_REQUEST_PROPERTY_SNI GetClientSni()
     {
         var buffer = new byte[HttpApiTypes.SniPropertySizeInBytes];

diff --git a/src/Servers/IIS/IIS/src/Core/Native/SecPkgContext_CipherInfo.cs b/src/Servers/IIS/IIS/src/Core/Native/SecPkgContext_CipherInfo.cs
@@ -0,0 +1,30 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Runtime.InteropServices;
+
+namespace Microsoft.AspNetCore.Server.IIS.Core.Native;
+
+// From Schannel.h
+[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+internal unsafe struct SecPkgContext_CipherInfo
+{
+    private const int SZ_ALG_MAX_SIZE = 64;
+
+    private readonly int dwVersion;
+    private readonly int dwProtocol;
+    public readonly int dwCipherSuite;
+    private readonly int dwBaseCipherSuite;
+    private fixed char szCipherSuite[SZ_ALG_MAX_SIZE];
+    private fixed char szCipher[SZ_ALG_MAX_SIZE];
+    private readonly int dwCipherLen;
+    private readonly int dwCipherBlockLen; // in bytes
+    private fixed char szHash[SZ_ALG_MAX_SIZE];
+    private readonly int dwHashLen;
+    private fixed char szExchange[SZ_ALG_MAX_SIZE];
+    private readonly int dwMinExchangeLen;
+    private readonly int dwMaxExchangeLen;
+    private fixed char szCertificate[SZ_ALG_MAX_SIZE];
+    private readonly int dwKeyType;
+}
+