Support for SSL

Question

Support for SSL

doggy8088 opened this issue 6 years ago · comments

Will 保哥 commented 6 years ago

Are you going to support SSL with custom certificate & private key?

Nate McMaster · Answer 1 · Fri Apr 13 2018 01:09:36 GMT+0800 (China Standard Time)

Wasn't planning on it, but it wouldn't be hard to add. Why do you ask?

Will 保哥 · Answer 2 · Fri Apr 13 2018 03:11:34 GMT+0800 (China Standard Time)

It because I have my own Test Root CA in my dev box and it's been installed into my Trusted Root CA. I normally genereate my testing certificate for local development usage. Some of the HTML5 features need valid certificate to do the testing.

Nate McMaster · Answer 3 · Fri Apr 13 2018 03:27:47 GMT+0800 (China Standard Time)

Ok. This seams reasonable. What format is your cert stored in? On disk in a .pfx, .pem, or .cer file? In the Windows cert store? Something else?

Will 保哥 · Answer 4 · Fri Apr 13 2018 03:30:41 GMT+0800 (China Standard Time)

I run node.js for local server most of time. It usually accept .cer for certificate, .key for private key. All in PEM format. For cross platfom consideration, I think .pem/.cer is much better than .pfx or Windows cert store.

Nate McMaster · Answer 5 · Thu May 03 2018 14:17:57 GMT+0800 (China Standard Time)

Ok, I looked into this more. I think the big challenge here is providing a sensible default for configuring TLS. There are a handful of cert formats and storage mechanisms. I'm not totally sure what users will expect, but here is what I'm thinking.

Find a cert for me (ideal usage)

dotnet serve -S

When specifying -S|--tls, dotnet-serve will try to find an appropriate certificate using the following heuristic.

Config file: If a dotnet-serve config file exists and has certificate config, use those settings.
PKCS#1: If a file name "cert.{cer,crt,pem}" exists in the current directory and a file named "private.{key,pem}" exists, load those. ¹
PKCS#12: If a file name "cert.{pfx,p12}" exists in the current directory, load that (no password)
Cert store: If the host == 'localhost' and the ASP.NET Core developer cert exists (a cert with extension 1.3.6.1.4.1.311.84.1.1), use that

Specify a cert in config

TBD See #10

Specify a cert/key in a PKCS#1 files

dotnet serve --cert mycert.pem --key mykey.pem

¹Unfortunately, .NET Core still has pretty limited API for loading private keys from PEM encoded PKCS#1 files. They may add it in the future: https://github.com/dotnet/corefx/issues/20414. I'll have to hunt for a way to read private keys. I think there are some open source APIs.

Specify a cert in a PKCS#12 file

No password

dotnet serve --cert mycert.pfx

With password

dotnet serve --cert mycert.pfx --cert-pwd <password>

Specify a cert from the store

dotnet serve --cert-thumbprint BABD9E4752AE8C159967C18814357D61A40BEE85 --cert-store <CurrentUser|LocalMachine>

Not supported

For now, no plans to support loading a cert from PKCS#8, or cert chains from PKCS#7 files (.p7b)

Will 保哥 · Answer 6 · Thu May 03 2018 18:23:23 GMT+0800 (China Standard Time)

The Find a cert for me is good. No config is a trend.

For the Specify a cert/key in a PKCS#1 files, I think it can add a --pwd PASSWORD or --key-pwd PASSWORD to specify the private key's password because the private key could be in a encrypted format.

For the Specify a cert in a PKCS#12 file, I think use --pfx mycert.pfx might be more readable because PFX contains both key and certificates.

Are you plan to support all the above usage? Or choose one?

Nate McMaster · Answer 7 · Fri May 04 2018 13:39:37 GMT+0800 (China Standard Time)

For the Specify a cert/key in a PKCS#1 files, I think it can add a --pwd PASSWORD or --key-pwd PASSWORD to specify the private key's password

If I recall correctly, a PEM encoded key with a passphrase is actually the PKCS#8 format. .NET Core doesn't have native API for reading this. We might have to look for a third-party to parse these, or wait until https://github.com/dotnet/corefx/issues/20414

Are you plan to support all the above usage? Or choose one?

I'm thinking let's start with pfx and the developer cert. These two are built-in to .NET Core. Separate PEM files for the cert/key and PKCS#8 are not supported by .NET Core. Those can come later if demand warrants it and we find a suitable way to implement reading those formats.

Nate McMaster · Answer 8 · Fri May 04 2018 14:29:45 GMT+0800 (China Standard Time)

FYI I started work here ce31cc0. It definitely needs more work, like tests, good error messages, docs, and middleware that filters the raw certificate/key files from being served.

Nate McMaster · Answer 9 · Fri May 11 2018 07:50:15 GMT+0800 (China Standard Time)

Ok, I tried to make .PEM cert parsing work. I got it almost all the way done but ran into https://github.com/dotnet/corefx/issues/24454. It appears PKCS#12 is really the only way to use file-based certificates in .NET Core, even with 3rd party APIs like BouncyCastle.

Closing this as done in 0.4.0, which I will publish soon.

Nate McMaster · Answer 10 · Fri May 11 2018 13:23:21 GMT+0800 (China Standard Time)

Was able to workaround https://github.com/dotnet/corefx/issues/24454. I've added support for loading PEM encoded cert/key files, in addition to pfx files.