public static KestrelServerOptions ConfigureSimulatorCertificate(this KestrelServerOptions options)
{
var configuration = options.ApplicationServices.GetService <IConfiguration>();
var certificateFile = configuration["Kestrel:Certificates:Default:Path"];
var certificateFileSpecified = !string.IsNullOrWhiteSpace(certificateFile);
var certificatePassword = configuration["Kestrel:Certificates:Default:Password"];
var certificatePasswordSpecified = !string.IsNullOrWhiteSpace(certificatePassword);
X509Certificate2 certificate = null;
switch (certificateFileSpecified)
{
case true when certificatePasswordSpecified:
// The certificate file and password was specified.
certificate = new X509Certificate2(certificateFile, certificatePassword);
break;
case true when !certificatePasswordSpecified:
// The certificate file was specified but the password wasn't.
throw new InvalidOperationException("A certificate with a password is required.");
}
options.ConfigureHttpsDefaults(httpsOptions => { httpsOptions.ServerCertificate = certificate; });
return(options);
}
public void Handle(KestrelServerOptions k)
{
var appServices = k.ApplicationServices;
k.ConfigureHttpsDefaults(h =>
{
h.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
h.UseLettuceEncrypt(appServices);
});
}
private static void ConfigureKerstrel(KestrelServerOptions options)
{
options.Limits.MaxRequestBodySize = null;
if (Settings.Current.GameRuntimeUseHttps)
{
options.ConfigureHttpsDefaults(httpsOptions =>
{
httpsOptions.ServerCertificateSelector = ServerCertificateSelector;
});
}
}
private void SetupHttps(string prefix, KestrelServerOptions options)
{
if (prefix.StartsWith("https"))
{
if (_serverSettings.SslCertificate == null)
{
throw new InvalidOperationException(
"Can't use https scheme without server-side SSL certificate specified in server settings.");
}
options.ConfigureHttpsDefaults(adapterOptions =>
adapterOptions.ServerCertificate = _serverSettings.SslCertificate);
}
}
public static void ConfigureMutualTLS(
this KestrelServerOptions options,
Action <HttpsConnectionAdapterOptions> configureHttpsDefaults = null)
{
options.ConfigureHttpsDefaults(connectionOptions =>
{
connectionOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
// Without a custom validator only client certificates signed/issued by (?)
// are allowed. Interested in how this is done.
var validator = options.ApplicationServices.GetService <IClientCertificateValidator>();
if (validator != null)
{
connectionOptions.ClientCertificateValidation = validator.Validate;
}
configureHttpsDefaults?.Invoke(connectionOptions);
});
}
protected WebService()
{
Service = this;
Directory = "/";
Pathing = "/";
// create the embedded server instance
var opts = new KestrelServerOptions
{
ApplicationServices = this
};
if (Certificate != null)
{
opts.ConfigureHttpsDefaults(https => https.ServerCertificate = Certificate);
Inf("cert is set");
}
server = new KestrelServer(Options.Create(opts), TransportFactory, Logger);
}
public HttpsConnectionMiddleware(RavenServer server, KestrelServerOptions options)
{
_server = server;
CipherSuitesPolicy = server.Configuration.Security.TlsCipherSuites != null && server.Configuration.Security.TlsCipherSuites.Length > 0
? new CipherSuitesPolicy(server.Configuration.Security.TlsCipherSuites)
: null;
options.ConfigureHttpsDefaults(o =>
{
o.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12;
o.CheckCertificateRevocation = false;
o.ClientCertificateMode = ClientCertificateMode.AllowCertificate;
o.ClientCertificateValidation = (certificate, chain, sslPolicyErrors) =>
{
if (certificate == null)
{
return(true); // we handle the error from not having certificate higher in the stack
}
var certificate2 = ConvertToX509Certificate2(certificate);
if (certificate2 == null)
{
return(false); // we require to be able to convert it in all cases
}
// Here we are explicitly ignoring trust chain issues for client certificates
// this is because we don't actually require trust, we just use the certificate
// as a way to authenticate. The admin is going to tell us which specific certs
// we can trust anyway, so we can ignore such errors.
return(sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors ||
sslPolicyErrors == SslPolicyErrors.None);
};
o.ServerCertificateSelector = (_, __) => _serverCertificate;
if (CipherSuitesPolicy != null)
{
o.OnAuthenticate = (_, sslServerAuthenticationOptions) => sslServerAuthenticationOptions.CipherSuitesPolicy = CipherSuitesPolicy;
}
});
}