aspnetcore
aspnetcore copied to clipboard
dotnet
Kestrel: Support full cert chain
@davidfowl does this sorta resemble what you had in mind? I tried to take what was in https://github.com/dotnet/aspnetcore/issues/21513 and https://github.com/dotnet/aspnetcore/pull/24935
Does full chain include the leaf cert or is it just the intermediates? Looking at this PR I did a while back it seems like they were intermediates? Maybe we can support both but that means doing some logic to see if the full chain includes the leaf (maybe?)
Does full chain include the leaf cert or is it just the intermediates
@davidfowl I'm not sure, but it looks like you were involved in the API design of the X509Certificate2Collection.ImportFromPemFile from here: https://github.com/dotnet/runtime/issues/31944
I'm still trying to make sense of this stuff, but in case this refreshes your memory faster than I get there...
Link to the PR that adds these APIs is here: https://github.com/dotnet/runtime/pull/38280/files#diff-dbecad4bd3d918d3af329011f49c4fc79e1347d86f9bd51d15674ec48fd9f33cR262
So from the tests in the PR: https://github.com/dotnet/runtime/pull/38280/files#diff-43d4431a84a8bd471a7795198aaa4570de224ad144ef8633be53dbb179540172R1473
I think we would get all the certs right? So the leaf would be included, why would we only want the intermediates?
@HaoK it was common in other servers and what you end up getting when you use lets encrypt or certs in the non pfx format.
e.g. When you run Lets encrypt + certbot this is what I ended up with
/etc/letsencrypt/live/<domain>/privkey.pem
/etc/letsencrypt/live/<domain>/cert.pem
/etc/letsencrypt/live/<domain>/chain.pem
The chain file didn't include cert.pem (the leaf cert). So we don't want customers to have to do any more processing of these files once they get them. Before we natively support PEM, they had to run something to turn it into a pfx (Which sucked). Now we support PEM and they can pass the private key and cert, and the chain is downloaded at startup (it used to be on the first connection). This change completes the cycle and now lets you specify either the fullchain or the leaf+ intermediates.
I believe its also possible to output a fullchain.pem, so maybe that is what we tell people to use?
I had worked around the issue and created a library at https://github.com/MarkCiliaVincenti/TlsCertificateLoader
So I created a test cert chain (root_ca -> intermediate_1 -> intermediate_2 -> leaf.com (which is the bundled certs) using smallstep/cli (which was amazingly easy)
This PR when loading the leaf.com crt bundle as the FullChain results in:
leaf.com (signed by intermediate 2) intermediate_2 (signed by intermediate 1)
@davidfowl does this match what your expectations would be?
I added a test in the SniOptionsSelectorTests to verify the cert chain, I'm not sure if we have other tests which exercise certs, @halter73 can you point to places/suggest what other tests should I add for this?
Does full chain include the leaf cert
It appears so, at least the smallstep cli --bundle command does.
cc @blowdart to take a look at all this too
Chain shouldn't include the actual cert for the site, but it's not a well defined term at all, so you can't make the assumption.
Windows exports are for the leaf and you can then include the chain with it, openssl and CAs provide the chain as a separate bundle.
I added a test in the SniOptionsSelectorTests to verify the cert chain, I'm not sure if we have other tests which exercise certs, @halter73 can you point to places/suggest what other tests should I add for this?
KestrelConfigurationLoaderTests has a bunch of cert related tests. There's also HttpsConnectionMiddlewareTests.
@bartonjs would you be able to take a look and see if this PR looks good overall? We'd love sign off from a cert expert that this looks good.
@HaoK, this change will be considered for inclusion in the blog post for the release it'll ship in. Nice work!
Please ensure that the original comment in this thread contains a clear explanation of what the change does, why it's important (what problem does it solve?), and, if relevant, include things like code samples and/or performance numbers.
This content may not be exactly what goes into the blog post, but it will help the team putting together the announcement.
Thanks!
