/// <summary>
/// Brings an existing https binding in line with <paramref name="options"/>,
/// skipping the client call entirely when nothing relevant differs.
/// </summary>
/// <param name="site">Site that owns <paramref name="existingBinding"/>.</param>
/// <param name="existingBinding">Binding currently present on the site.</param>
/// <param name="options">Requested state: SSL flags, certificate thumbprint and store.</param>
private void UpdateBinding(TSite site, TBinding existingBinding, BindingOptions options)
{
    // Normalise the requested flags against the host before any comparison is made.
    options = options.WithFlags(CheckFlags(false, existingBinding.Host, options.Flags));
    var existingFlags = existingBinding.SSLFlags;

    // SNI is deliberately masked out: a difference in SNI alone is not a
    // reason to rewrite the binding.
    var flagsMatch = (existingFlags & ~SSLFlags.SNI) == (options.Flags & ~SSLFlags.SNI);

    // The certificate is only inspected when the flags already agree.
    var bindingIsCurrent = false;
    if (flagsMatch)
    {
        // NOTE(review): when neither side names a certificate store the
        // thumbprint is not compared at all, so the binding counts as current
        // whatever certificate it holds. Presumably this is the central-store
        // case where the certificate is selected by host name; confirm that
        // callers never rely on a thumbprint match in that situation.
        var noStoreOnEitherSide = options.Store == null
            && existingBinding.CertificateStoreName == null;
        var sameHash = StructuralComparisons.StructuralEqualityComparer.Equals(
            existingBinding.CertificateHash,
            options.Thumbprint);
        // NOTE(review): store names are identifiers rather than linguistic
        // text; a culture-aware comparison is unusual here but is kept to
        // preserve behaviour.
        var sameStore = string.Equals(
            existingBinding.CertificateStoreName,
            options.Store,
            StringComparison.InvariantCultureIgnoreCase);
        bindingIsCurrent = noStoreOnEitherSide || (sameHash && sameStore);
    }

    if (bindingIsCurrent)
    {
        _log.Verbose("No binding update needed");
        return;
    }

    // An SNI flag already present on the binding is carried over regardless
    // of what the caller asked for. Callers should only request SNI when the
    // binding genuinely needs it (e.g. TLS-SNI validation); otherwise the
    // administrator's choice stands.
    if ((existingFlags & SSLFlags.SNI) == SSLFlags.SNI)
    {
        options = options.WithFlags(options.Flags | SSLFlags.SNI);
    }

    _log.Information(
        LogType.All,
        "Updating existing https binding {host}:{port}",
        existingBinding.Host,
        existingBinding.Port);
    _client.UpdateBinding(site, existingBinding, options);
}
/// <summary>
/// Brings an existing https binding in line with <paramref name="options"/>,
/// preserving the SSL flags already set on the binding and skipping the
/// client call when nothing relevant differs.
/// </summary>
/// <param name="site">Site that owns <paramref name="existingBinding"/>.</param>
/// <param name="existingBinding">Binding currently present on the site.</param>
/// <param name="options">Requested state: SSL flags, certificate thumbprint and store.</param>
/// <returns><c>true</c> when the binding was sent to the client for update, <c>false</c> when it was left untouched.</returns>
private bool UpdateBinding(TSite site, TBinding existingBinding, BindingOptions options)
{
    // Normalise the requested flags against the host before any comparison is made.
    options = options.WithFlags(CheckFlags(false, existingBinding.Host, options.Flags));
    var existingFlags = existingBinding.SSLFlags;

    // SNI is deliberately masked out: a difference in SNI alone is not a
    // reason to rewrite the binding.
    // NOTE(review): only SNI is masked here, while the merge further down
    // preserves every existing flag. An existing flag the caller did not
    // request therefore fails this check and presumably triggers an update
    // that re-applies the same flag set; confirm whether the comparison
    // should be widened to match the preservation logic.
    var flagsMatch = (existingFlags & ~SSLFlags.SNI) == (options.Flags & ~SSLFlags.SNI);

    // The certificate is only inspected when the flags already agree.
    var bindingIsCurrent = false;
    if (flagsMatch)
    {
        // NOTE(review): when neither side names a certificate store the
        // thumbprint is not compared at all, so the binding counts as current
        // whatever certificate it holds. Presumably this is the central-store
        // case where the certificate is selected by host name; confirm that
        // callers never rely on a thumbprint match in that situation.
        var noStoreOnEitherSide = options.Store == null
            && existingBinding.CertificateStoreName == null;
        var sameHash = StructuralComparisons.StructuralEqualityComparer.Equals(
            existingBinding.CertificateHash,
            options.Thumbprint);
        // NOTE(review): store names are identifiers rather than linguistic
        // text; a culture-aware comparison is unusual here but is kept to
        // preserve behaviour.
        var sameStore = string.Equals(
            existingBinding.CertificateStoreName,
            options.Store,
            StringComparison.InvariantCultureIgnoreCase);
        bindingIsCurrent = noStoreOnEitherSide || (sameHash && sameStore);
    }

    if (bindingIsCurrent)
    {
        _log.Verbose("No binding update needed");
        return false;
    }

    // Flags already set on the binding are carried over regardless of what
    // the caller asked for (originally only SNI; since 25-12-2019 every flag,
    // to accommodate the flags introduced in newer Windows Server versions).
    // Callers should only request flags the binding genuinely needs, e.g.
    // SNI for TLS-SNI validation; otherwise the administrator's choice stands.
    // CentralSsl is the one flag never inherited: it must be requested
    // explicitly, and when it is, the conflicting NotWithCentralSsl flag is
    // dropped from the inherited set.
    var inheritedFlags = existingBinding.SSLFlags & ~SSLFlags.CentralSsl;
    var centralRequested = (options.Flags & SSLFlags.CentralSsl) == SSLFlags.CentralSsl;
    if (centralRequested)
    {
        inheritedFlags &= ~SSLFlags.NotWithCentralSsl;
    }
    options = options.WithFlags(options.Flags | inheritedFlags);

    var ipSuffix = string.IsNullOrEmpty(existingBinding.IP) ? "" : $":{existingBinding.IP}";
    _log.Information(
        LogType.All,
        "Updating existing https binding {host}:{port}{ip} (flags: {flags})",
        existingBinding.Host,
        existingBinding.Port,
        ipSuffix,
        (int)options.Flags);
    _client.UpdateBinding(site, existingBinding, options);
    return true;
}