Beispiel #1
0
        public ECDHEKeyExchange(
            IServiceProvider serviceProvider,
            IRandom random,

            MasterSecretCalculator masterSecretCalculator,
            CipherSuitesRegistry cipherSuitesRegistry,
            NamedCurvesRegistry namedCurvesRegistry,

            ECDHExchangeConfig ecdhExchangeConfig,
            SupportedGroupsConfig supportedGroupsConfig,
            CertificateConfig certificateConfig)
            : base(
                masterSecretCalculator,
                cipherSuitesRegistry,

                ecdhExchangeConfig,
                certificateConfig)
        {
            _serviceProvider = serviceProvider;
            _random          = random;

            _namedCurvesRegistry = namedCurvesRegistry;

            _supportedGroupsConfig = supportedGroupsConfig;
        }
 public RSACipherParameterFactory(
     CertificateManager certificateManager,
     CertificateConfig certificateConfig)
 {
     _certificateManager = certificateManager;
     _certificateConfig  = certificateConfig;
 }
Beispiel #3
0
        private X509Certificate2 LoadPEMCertificate(CertificateConfig certificateConfig, string certificatePath)
        {
            var certificateKeyPath = Path.Combine(_hostEnvironment.ContentRootPath, certificateConfig.KeyPath);
            var certificate        = GetCertificate(certificatePath);

            if (certificate != null)
            {
                certificate = LoadCertificateKey(certificate, certificateKeyPath, certificateConfig.Password);
            }
            else
            {
                throw GetFailedToLoadCertificateKeyException(certificateKeyPath);
            }

            if (certificate != null)
            {
                if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                {
                    return(PersistKey(certificate));
                }

                return(certificate);
            }

            throw GetFailedToLoadCertificateKeyException(certificateKeyPath);
        }
Beispiel #4
0
        public X509Certificate2 LoadCertificate(CertificateConfig certificateConfig)
        {
            if (certificateConfig is null)
            {
                return(null);
            }
            if (certificateConfig.IsFileCert && certificateConfig.IsStoreCert)
            {
                throw new InvalidOperationException($"Multiple certificate sources are defined in the cluster configuration.");
            }
            else if (certificateConfig.IsFileCert)
            {
                var certificatePath = Path.Combine(_hostEnvironment.ContentRootPath, certificateConfig.Path);
                if (string.IsNullOrWhiteSpace(certificateConfig.KeyPath))
                {
                    return(new X509Certificate2(Path.Combine(_hostEnvironment.ContentRootPath, certificateConfig.Path), certificateConfig.Password));
                }
                else
                {
#if NET5_0
                    return(LoadPEMCertificate(certificateConfig, certificatePath));
#elif NETCOREAPP3_1
                    throw new NotSupportedException("PEM certificate format is only supported on .NET 5 or higher.");
#else
#error A target framework was added to the project and needs to be added to this condition.
#endif
                }
            }
            else if (certificateConfig.IsStoreCert)
            {
                return(LoadFromCertStore(certificateConfig));
            }

            throw new ArgumentException($"Passed {nameof(CertificateConfig)} doesn't define a certificate in any known format.");
        }
        public DHServerKeyExchange(
            CertificateManager certificateManager,
            MasterSecretCalculator masterSecretCalculator,

            CertificateConfig certificateConfig)
        {
            _certificateManager     = certificateManager;
            _masterSecretCalculator = masterSecretCalculator;

            _certificateConfig = certificateConfig;
        }
Beispiel #6
0
        public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
        {
            if (certInfo is null)
            {
                return(null);
            }

            if (certInfo.IsFileCert && certInfo.IsStoreCert)
            {
                throw new InvalidOperationException(CoreStrings.FormatMultipleCertificateSources(endpointName));
            }
            else if (certInfo.IsFileCert)
            {
                var certificatePath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path);
                if (certInfo.KeyPath != null)
                {
                    var certificateKeyPath = Path.Combine(HostEnvironment.ContentRootPath, certInfo.KeyPath);
                    var certificate        = GetCertificate(certificatePath);

                    if (certificate != null)
                    {
                        certificate = LoadCertificateKey(certificate, certificateKeyPath, certInfo.Password);
                    }
                    else
                    {
                        Logger.FailedToLoadCertificate(certificateKeyPath);
                    }

                    if (certificate != null)
                    {
                        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                        {
                            return(PersistKey(certificate));
                        }

                        return(certificate);
                    }
                    else
                    {
                        Logger.FailedToLoadCertificateKey(certificateKeyPath);
                    }

                    throw new InvalidOperationException(CoreStrings.InvalidPemKey);
                }

                return(new X509Certificate2(Path.Combine(HostEnvironment.ContentRootPath, certInfo.Path), certInfo.Password));
            }
            else if (certInfo.IsStoreCert)
            {
                return(LoadFromStoreCert(certInfo));
            }

            return(null);
        }
Beispiel #7
0
            public X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
            {
                if (certInfo is null)
                {
                    return(null);
                }

                var cert = TestResources.GetTestCertificate();

                CertToPathDictionary.Add(cert, certInfo.Path);
                return(cert);
            }
        private X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
        {
            var logger = Options.ApplicationServices.GetRequiredService <ILogger <KestrelConfigurationLoader> >();

            if (certInfo.IsFileCert && certInfo.IsStoreCert)
            {
                throw new InvalidOperationException(CoreStrings.FormatMultipleCertificateSources(endpointName));
            }
            else if (certInfo.IsFileCert)
            {
                var environment     = Options.ApplicationServices.GetRequiredService <IHostEnvironment>();
                var certificatePath = Path.Combine(environment.ContentRootPath, certInfo.Path);
                if (certInfo.KeyPath != null)
                {
                    var certificateKeyPath = Path.Combine(environment.ContentRootPath, certInfo.KeyPath);
                    var certificate        = GetCertificate(certificatePath);

                    if (certificate != null)
                    {
                        certificate = LoadCertificateKey(certificate, certificateKeyPath, certInfo.Password);
                    }
                    else
                    {
                        logger.FailedToLoadCertificate(certificateKeyPath);
                    }

                    if (certificate != null)
                    {
                        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                        {
                            return(PersistKey(certificate));
                        }

                        return(certificate);
                    }
                    else
                    {
                        logger.FailedToLoadCertificateKey(certificateKeyPath);
                    }

                    throw new InvalidOperationException(CoreStrings.InvalidPemKey);
                }

                return(new X509Certificate2(Path.Combine(environment.ContentRootPath, certInfo.Path), certInfo.Password));
            }
            else if (certInfo.IsStoreCert)
            {
                return(LoadFromStoreCert(certInfo));
            }
            return(null);
Beispiel #9
0
        protected ECDHKeyExchangeBase(
            MasterSecretCalculator masterSecretCalculator,
            CipherSuitesRegistry cipherSuitesRegistry,


            ECDHExchangeConfig ecdhExchangeConfig,
            CertificateConfig certificateConfig)
        {
            MasterSecretCalculator = masterSecretCalculator;
            CipherSuitesRegistry   = cipherSuitesRegistry;

            ECDHExchangeConfig = ecdhExchangeConfig;
            CertificateConfig  = certificateConfig;
        }
Beispiel #10
0
        public RSAKeyExchange(
            IRandom random,
            CertificateManager certificateManager,
            MasterSecretCalculator masterSecretCalculator,

            VersionConfig versionConfig,
            CertificateConfig certificateConfig)
        {
            _random                 = random;
            _certificateManager     = certificateManager;
            _masterSecretCalculator = masterSecretCalculator;

            _versionConfig     = versionConfig;
            _certificateConfig = certificateConfig;
        }
    private static X509Certificate2 LoadFromStoreCert(CertificateConfig certInfo)
    {
        var subject       = certInfo.Subject !;
        var storeName     = string.IsNullOrEmpty(certInfo.Store) ? StoreName.My.ToString() : certInfo.Store;
        var location      = certInfo.Location;
        var storeLocation = StoreLocation.CurrentUser;

        if (!string.IsNullOrEmpty(location))
        {
            storeLocation = (StoreLocation)Enum.Parse(typeof(StoreLocation), location, ignoreCase: true);
        }
        var allowInvalid = certInfo.AllowInvalid ?? false;

        return(CertificateLoader.LoadFromStoreCert(subject, storeName, storeLocation, allowInvalid));
    }
        private HandleCertificateState(
            IServiceProvider serviceProvider,

            EndConfig endConfig,
            CertificateConfig certificateConfig,

            CertificateMessage handshake)
        {
            _serviceProvider = serviceProvider;

            _endConfig         = endConfig;
            _certificateConfig = certificateConfig;

            _handshake = handshake;
        }
Beispiel #13
0
        public void Setup()
        {
            //SecureTestServer.config


            ICertificateConfig certificate = new CertificateConfig()
            {
                FilePath = @"c:\Projects\EYDAP\Code\SuperSocket-1.6\supersocket.pfx",
                Password = "******",
                ClientCertificateRequired = false,
            };


            m_Config = new ServerConfig
            {
                Port = 555,
                Ip   = "Any",
                MaxConnectionNumber = 10000,
                Mode             = SocketMode.Tcp,
                Name             = "NLogDevices",
                MaxRequestLength = 50000,

                //Certificate=certificate,
                //Security="tls"
            };
            m_ConfigNLogClient = new ServerConfig
            {
                Port = 8200,
                Ip   = "Any",
                MaxConnectionNumber = 10,
                Mode             = SocketMode.Tcp,
                Name             = "NLogClient",
                MaxRequestLength = 50000
                                   //Certificate=certificate,
                                   //Security="tls"
            };


            NLogDevicesServer = new MyNLogDevicesAppServer(NLogClientServer);
            NLogDevicesServer.Setup(new RootConfig(), m_Config, logFactory: new ConsoleLogFactory());

            NLogClientServer = new myNLogClientAppServer(NLogDevicesServer);
            NLogClientServer.Setup(new RootConfig(), m_ConfigNLogClient, logFactory: new ConsoleLogFactory());
            NLogDevicesServer.ClientAppServer = NLogClientServer;
            Global.serversDic.TryAdd(NLogDevicesServer.Name, NLogDevicesServer);
            Global.serversDic.TryAdd(NLogClientServer.Name, NLogDevicesServer);
        }
Beispiel #14
0
 private X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
 {
     if (certInfo.IsFileCert && certInfo.IsStoreCert)
     {
         throw new InvalidOperationException(string.Format(CultureInfo.CurrentCulture, "The endpoint {0} specified multiple certificate sources.", endpointName));
     }
     else if (certInfo.IsFileCert)
     {
         var env = Options.ApplicationServices.GetRequiredService <IHostingEnvironment>();
         return(new X509Certificate2(Path.Combine(env.ContentRootPath, certInfo.Path), certInfo.Password));
     }
     else if (certInfo.IsStoreCert)
     {
         return(LoadFromStoreCert(certInfo));
     }
     return(null);
 }
        public (X509Certificate2, X509Certificate2Collection) LoadCertificate(CertificateConfig certInfo, string endpointName)
        {
            if (certInfo is null)
            {
                return(null, null);
            }

            var cert = TestResources.GetTestCertificate();

            CertToPathDictionary.Add(cert, certInfo.Path);

            var fullChain = TestResources.GetTestChain();

            CertToFullChain[cert] = fullChain;

            return(cert, fullChain);
        }
 private X509Certificate2 LoadCertificate(CertificateConfig certInfo, string endpointName)
 {
     if (certInfo.IsFileCert && certInfo.IsStoreCert)
     {
         throw new InvalidOperationException(CoreStrings.FormatMultipleCertificateSources(endpointName));
     }
     else if (certInfo.IsFileCert)
     {
         var env = Options.ApplicationServices.GetRequiredService <IHostEnvironment>();
         return(new X509Certificate2(Path.Combine(env.ContentRootPath, certInfo.Path), certInfo.Password));
     }
     else if (certInfo.IsStoreCert)
     {
         return(LoadFromStoreCert(certInfo));
     }
     return(null);
 }
Beispiel #17
0
        static async Task Main(string[] args)
        {
            var config = new ConfigurationBuilder()
                         .SetBasePath(Directory.GetCurrentDirectory())
                         .AddJsonFile("appsettings.json", optional: false)
                         .Build();

            HttpClientConfig clientConfig = new HttpClientConfig();

            config.GetSection("HttpClientConfig").Bind(clientConfig);

            CertificateConfig certificateConfig = new CertificateConfig();

            config.GetSection("CertificateConfig").Bind(certificateConfig);

            MaskinportenConfig maskinportenConfig = new MaskinportenConfig();

            config.GetSection("MaskinportenConfig").Bind(maskinportenConfig);

            var host = new HostBuilder()
                       .ConfigureServices((hostContext, services) =>
            {
                services.Configure <RequestConfig>(config.GetSection("RequestConfig"));
                services.Configure <AccreditationConfig>(config.GetSection("Accreditation"));
                services.Configure <MaskinportenConfig>(config.GetSection("MaskinportenConfig"));
                services.Configure <CertificateConfig>(config.GetSection("CertificateConfig"));

                services.AddTransient <RequestService>();
                services.AddTransient <AccreditationService>();
                services.AddTransient <MaskinportenService>();

                services.AddHttpClient("", c =>
                {
                    c.BaseAddress = new Uri(clientConfig.BaseAddress);
                    c.DefaultRequestHeaders.Add("Ocp-Apim-Subscription-Key", clientConfig.SubscriptionKey);
                });
            }).Build();

            RequestService requestHandler = host.Services.GetRequiredService <RequestService>();

            Console.WriteLine(await requestHandler.Demo());

            await host.RunAsync();
        }
Beispiel #18
0
        public static void CreateCertificateAuthority(CertificateConfig config)
        {
            Cryptography.Init();
            /* Create the CA KeyStore DB*/
            var caKeyStore = Cryptography.KeysetOpen(Cryptography.UNUSED, Cryptography.KEYSET_ODBC_STORE, config.CaCertificateStore,
                                                     Cryptography.KEYOPT_CREATE);

            /* Create the Root CA Private Key */
            var caRootCertContext = Cryptography.CreateContext(Cryptography.UNUSED, Cryptography.ALGO_RSA);

            Cryptography.SetAttributeString(caRootCertContext, Cryptography.CTXINFO_LABEL, "CaPrivateKey");
            Cryptography.GenerateKey(caRootCertContext);

            /* Create the CA certificate and add the public key */
            var caCert = Cryptography.CreateCert(Cryptography.UNUSED, Cryptography.CERTTYPE_CERTIFICATE);

            Cryptography.SetAttribute(caCert, Cryptography.CERTINFO_SUBJECTPUBLICKEYINFO, caRootCertContext);
            Cryptography.SetAttributeString(caCert, Cryptography.CERTINFO_COUNTRYNAME, config.Country);
            Cryptography.SetAttributeString(caCert, Cryptography.CERTINFO_ORGANIZATIONNAME, config.Organization);
            Cryptography.SetAttributeString(caCert, Cryptography.CERTINFO_ORGANIZATIONALUNITNAME, config.OrganizationalUnit);
            Cryptography.SetAttributeString(caCert, Cryptography.CERTINFO_COMMONNAME, config.CommonName);

            /* Self Sign the Cert */
            Cryptography.SetAttribute(caCert, Cryptography.CERTINFO_SELFSIGNED, 1);
            Cryptography.SetAttribute(caCert, Cryptography.CERTINFO_CA, 1);

            //Cryptography.SetAttribute(caCert, Cryptography.CERTINFO_AUTHORITYINFO_CERTSTORE, Cryptography.UNUSED);
            //Cryptography.SetAttributeString(caCert, Cryptography.CERTINFO_UNIFORMRESOURCEIDENTIFIER, "http://localhost/ca/certstore");
            //Cryptography.SetAttribute(caCert, Cryptography.CERTINFO_AUTHORITYINFO_RTCS, Cryptography.UNUSED);
            //Cryptography.SetAttributeString(caCert, Cryptography.CERTINFO_UNIFORMRESOURCEIDENTIFIER, "http://localhost/ca/rtcs");

            Cryptography.SignCert(caCert, caRootCertContext);

            var cryptKeyset = Cryptography.KeysetOpen(Cryptography.UNUSED, Cryptography.KEYSET_FILE, config.CaKeyStoreName, Cryptography.KEYOPT_CREATE);

            Cryptography.AddPrivateKey(cryptKeyset, caRootCertContext, config.CaPrivateKeyPassword.ToString());
            Cryptography.AddPublicKey(cryptKeyset, caCert);
            Cryptography.KeysetClose(cryptKeyset);
            Cryptography.KeysetClose(caKeyStore);
            Cryptography.DestroyContext(caRootCertContext);
            Cryptography.DestroyCert(caCert);

            Cryptography.End();
        }
Beispiel #19
0
        public DHEServerKeyExchange(
            IServiceProvider serviceProvider,

            IRandom random,
            MasterSecretCalculator masterSecretCalculator,

            DHParameterConfig dhParameterConfig,
            DHExchangeConfig dhExchangeConfig,
            CertificateConfig certificateConfig)
        {
            _serviceProvider = serviceProvider;

            _random = random;
            _masterSecretCalculator = masterSecretCalculator;

            _dhParameterConfig = dhParameterConfig;
            _dhExchangeConfig  = dhExchangeConfig;
            _certificateConfig = certificateConfig;
        }
Beispiel #20
0
        public Server(Configuration configuration)
        {
            Configuration = configuration;
            bool useEncryption = configuration.Certificate != null;

            SocketServer.NewSessionConnected += new SessionHandler <WebSocketSession>(OnConnect);
            SocketServer.SessionClosed       += new SessionHandler <WebSocketSession, CloseReason>(OnDisconnect);
            SocketServer.NewMessageReceived  += new SessionHandler <WebSocketSession, string>(OnMessage);
            ServerConfig serverConfiguration = new ServerConfig();

            serverConfiguration.Ip   = configuration.Host;
            serverConfiguration.Port = configuration.Port;
            serverConfiguration.Mode = SocketMode.Tcp;
            if (configuration.Certificate != null)
            {
                CertificateConfig certificateConfiguration = new CertificateConfig();
                certificateConfiguration.FilePath = configuration.Certificate;
                serverConfiguration.Certificate   = certificateConfiguration;
            }
            SocketServer.Setup(serverConfiguration);
        }
Beispiel #21
0
        public ECDHKeyExchange(
            MasterSecretCalculator masterSecretCalculator,
            CertificateManager certificateManager,
            CipherSuitesRegistry cipherSuitesRegistry,
            NamedCurvesRegistry namedCurvesRegistry,

            ECDHExchangeConfig ecdhExchangeConfig,
            SupportedGroupsConfig supportedGroupsConfig,
            CertificateConfig certificateConfig)
            : base(
                masterSecretCalculator,
                cipherSuitesRegistry,

                ecdhExchangeConfig,
                certificateConfig)
        {
            _certificateManager  = certificateManager;
            _namedCurvesRegistry = namedCurvesRegistry;

            _supportedGroupsConfig = supportedGroupsConfig;
        }
        public MaskinportenService(IOptions <MaskinportenConfig> maskinportenConfig, IOptions <CertificateConfig> certificateConfig)
        {
            _maskinportenConfig = maskinportenConfig.Value;
            _certificateConfig  = certificateConfig.Value;

            switch (_maskinportenConfig.Environment.ToLower())
            {
            case "ver2":
                _tokenEndpoint = "https://ver2.maskinporten.no/token";
                _audience      = "https://ver2.maskinporten.no/";
                break;

            case "prod":
                _tokenEndpoint = "https://maskinporten.no/token";
                _audience      = "https://maskinporten.no/";
                break;

            default:
                throw new ArgumentException("Invalid Maskinporten environment specified, must be either 'ver2' or 'prod'");
            }

            _scopes = maskinportenConfig.Value.Scopes;
            _issuer = maskinportenConfig.Value.ClientId;

            // Thumbprint takes precendence if supplied
            if (!string.IsNullOrEmpty(_certificateConfig.Thumbprint))
            {
                _signingCertificate = GetCertificateFromKeyStore();
            }
            else
            {
                if (!File.Exists(_certificateConfig.Pkcs12FilePath))
                {
                    throw new ArgumentException("Unable to find PKCS#12 certificate at " + _certificateConfig.Pkcs12FilePath);
                }

                _signingCertificate = new X509Certificate2();
                _signingCertificate.Import(File.ReadAllBytes(_certificateConfig.Pkcs12FilePath), _certificateConfig.Pkcs12FileSecret, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
            }
        }
 private void LoadDefaultCert()
 {
     if (ConfigurationReader.Certificates.TryGetValue("Default", out var defaultCertConfig))
     {
         var defaultCert = CertificateConfigLoader.LoadCertificate(defaultCertConfig, "Default");
         if (defaultCert != null)
         {
             DefaultCertificateConfig   = defaultCertConfig;
             Options.DefaultCertificate = defaultCert;
         }
     }
     else
     {
         var(certificate, certificateConfig) = FindDeveloperCertificateFile();
         if (certificate != null)
         {
             Logger.LocatedDevelopmentCertificate(certificate);
             DefaultCertificateConfig   = certificateConfig;
             Options.DefaultCertificate = certificate;
         }
     }
 }
Beispiel #24
0
 private void LoadDefaultCert(ConfigurationReader configReader)
 {
     if (configReader.Certificates.TryGetValue("Default", out var defaultCertConfig))
     {
         var defaultCert = LoadCertificate(defaultCertConfig, "Default");
         if (defaultCert != null)
         {
             DefaultCertificateConfig   = defaultCertConfig;
             Options.DefaultCertificate = defaultCert;
         }
     }
     else
     {
         var logger = Options.ApplicationServices.GetRequiredService <ILogger <KestrelServer> >();
         var(certificate, certificateConfig) = FindDeveloperCertificateFile(configReader, logger);
         if (certificate != null)
         {
             logger.LocatedDevelopmentCertificate(certificate);
             DefaultCertificateConfig   = certificateConfig;
             Options.DefaultCertificate = certificate;
         }
     }
 }
Beispiel #25
0
        public HandleClientHelloState(
            IServiceProvider serviceProvider,

            INegotiatior negotiatior,
            IRandom random,

            VersionConfig versionConfig,
            CipherSuiteConfig cipherSuiteConfig,
            CertificateConfig certificateConfig,
            RandomConfig randomConfig,
            SessionConfig sessionConfig,

            ClientHelloMessage handshake)
        {
            _serviceProvider   = serviceProvider;
            _negotiatior       = negotiatior;
            _random            = random;
            _versionConfig     = versionConfig;
            _cipherSuiteConfig = cipherSuiteConfig;
            _certificateConfig = certificateConfig;
            _randomConfig      = randomConfig;
            _sessionConfig     = sessionConfig;
            _handshake         = handshake;
        }
Beispiel #26
0
        // Adds endpoints from config to KestrelServerOptions.ConfigurationBackedListenOptions and configures some other options.
        // Any endpoints that were removed from the last time endpoints were loaded are returned.
        internal (List <ListenOptions>, List <ListenOptions>) Reload()
        {
            var endpointsToStop  = Options.ConfigurationBackedListenOptions.ToList();
            var endpointsToStart = new List <ListenOptions>();

            Options.ConfigurationBackedListenOptions.Clear();
            DefaultCertificateConfig = null;

            ConfigurationReader = new ConfigurationReader(Configuration);

            Options.Latin1RequestHeaders = ConfigurationReader.Latin1RequestHeaders;

            LoadDefaultCert(ConfigurationReader);

            foreach (var endpoint in ConfigurationReader.Endpoints)
            {
                var listenOptions = AddressBinder.ParseAddress(endpoint.Url, out var https);

                Options.ApplyEndpointDefaults(listenOptions);

                if (endpoint.Protocols.HasValue)
                {
                    listenOptions.Protocols = endpoint.Protocols.Value;
                }
                else
                {
                    // Ensure endpoint is reloaded if it used the default protocol and the protocol changed.
                    // listenOptions.Protocols should already be set to this by ApplyEndpointDefaults.
                    endpoint.Protocols = ConfigurationReader.EndpointDefaults.Protocols;
                }

                // Compare to UseHttps(httpsOptions => { })
                var httpsOptions = new HttpsConnectionAdapterOptions();
                if (https)
                {
                    // Defaults
                    Options.ApplyHttpsDefaults(httpsOptions);

                    // Specified
                    httpsOptions.ServerCertificate = LoadCertificate(endpoint.Certificate, endpoint.Name)
                                                     ?? httpsOptions.ServerCertificate;

                    if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)
                    {
                        // Fallback
                        Options.ApplyDefaultCert(httpsOptions);

                        // Ensure endpoint is reloaded if it used the default certificate and the certificate changed.
                        endpoint.Certificate = DefaultCertificateConfig;
                    }
                }

                // Now that defaults have been loaded, we can compare to the currently bound endpoints to see if the config changed.
                // There's no reason to rerun an EndpointConfigurations callback if nothing changed.
                var matchingBoundEndpoints = endpointsToStop.Where(o => o.EndpointConfig == endpoint).ToList();

                if (matchingBoundEndpoints.Count > 0)
                {
                    endpointsToStop.RemoveAll(o => o.EndpointConfig == endpoint);
                    Options.ConfigurationBackedListenOptions.AddRange(matchingBoundEndpoints);
                    continue;
                }

                if (EndpointConfigurations.TryGetValue(endpoint.Name, out var configureEndpoint))
                {
                    var endpointConfig = new EndpointConfiguration(https, listenOptions, httpsOptions, endpoint.ConfigSection);
                    configureEndpoint(endpointConfig);
                }

                // EndpointDefaults or configureEndpoint may have added an https adapter.
                if (https && !listenOptions.IsTls)
                {
                    if (httpsOptions.ServerCertificate == null && httpsOptions.ServerCertificateSelector == null)
                    {
                        throw new InvalidOperationException(CoreStrings.NoCertSpecifiedNoDevelopmentCertificateFound);
                    }

                    listenOptions.UseHttps(httpsOptions);
                }

                listenOptions.EndpointConfig = endpoint;

                endpointsToStart.Add(listenOptions);
                Options.ConfigurationBackedListenOptions.Add(listenOptions);
            }

            return(endpointsToStop, endpointsToStart);
        }