private void UpdateBinding(TSite site, TBinding existingBinding, BindingOptions options)
{
// Check flags
options = options.WithFlags(CheckFlags(false, existingBinding.Host, options.Flags));
var currentFlags = existingBinding.SSLFlags;
if ((currentFlags & ~SSLFlags.SNI) == (options.Flags & ~SSLFlags.SNI) && // Don't care about SNI status
((options.Store == null && existingBinding.CertificateStoreName == null) ||
StructuralComparisons.StructuralEqualityComparer.Equals(existingBinding.CertificateHash, options.Thumbprint) &&
string.Equals(existingBinding.CertificateStoreName, options.Store, StringComparison.InvariantCultureIgnoreCase)))
{
_log.Verbose("No binding update needed");
}
else
{
// If current binding has SNI, the updated version
// will also have that flag set, regardless
// of whether or not it was requested by the caller.
// Callers should not generally request SNI unless
// required for the binding, e.g. for TLS-SNI validation.
// Otherwise let the admin be in control.
if (currentFlags.HasFlag(SSLFlags.SNI))
{
options = options.WithFlags(options.Flags | SSLFlags.SNI);
}
_log.Information(LogType.All, "Updating existing https binding {host}:{port}",
existingBinding.Host,
existingBinding.Port);
_client.UpdateBinding(site, existingBinding, options);
}
}
private bool UpdateBinding(TSite site, TBinding existingBinding, BindingOptions options)
{
// Check flags
options = options.WithFlags(CheckFlags(false, existingBinding.Host, options.Flags));
var currentFlags = existingBinding.SSLFlags;
if ((currentFlags & ~SSLFlags.SNI) == (options.Flags & ~SSLFlags.SNI) && // Don't care about SNI status
((options.Store == null && existingBinding.CertificateStoreName == null) ||
(StructuralComparisons.StructuralEqualityComparer.Equals(existingBinding.CertificateHash, options.Thumbprint) &&
string.Equals(existingBinding.CertificateStoreName, options.Store, StringComparison.InvariantCultureIgnoreCase))))
{
_log.Verbose("No binding update needed");
return(false);
}
else
{
// If current binding has SNI, the updated version
// will also have that flag set, regardless
// of whether or not it was requested by the caller.
// Callers should not generally request SNI unless
// required for the binding, e.g. for TLS-SNI validation.
// Otherwise let the admin be in control.
// Update 25-12-2019: preserve all existing SSL flags
// instead of just SNI, to accomdate the new set of flags
// introduced in recent versions of Windows Server.
var preserveFlags = existingBinding.SSLFlags & ~SSLFlags.CentralSsl;
if (options.Flags.HasFlag(SSLFlags.CentralSsl))
{
preserveFlags &= ~SSLFlags.NotWithCentralSsl;
}
options = options.WithFlags(options.Flags | preserveFlags);
_log.Information(LogType.All, "Updating existing https binding {host}:{port}{ip} (flags: {flags})",
existingBinding.Host,
existingBinding.Port,
string.IsNullOrEmpty(existingBinding.IP) ? "" : $":{existingBinding.IP}",
(int)options.Flags);
_client.UpdateBinding(site, existingBinding, options);
return(true);
}
}
