Add TLS middleware with sample #6035
Conversation
ReubenBond
force-pushed
the
feature/tls
branch
from
7190f94 to
4a24955
Compare
| /// <summary> | ||
| /// Settings for how TLS connections are handled. | ||
| /// </summary> | ||
| public class TlsConnectionAdapterOptions |
There was a problem hiding this comment.
Don't replicate the Adapter naming mistake we made 😄
There was a problem hiding this comment.
s/Https/Tls 😅
Perhaps TlsOptions is a nicer name for this, or TlsConnectionOptions
ReubenBond
force-pushed
the
feature/tls
branch
4 times, most recently
from
a3969d1 to
4ffeb45
Compare
ReubenBond
force-pushed
the
feature/tls
branch
from
4ffeb45 to
afb6f5c
Compare
|
@ReubenBond can you please let me know when there is a preview that includes this. I would like to use the TLS middleware for this: https://github.com/chkr1011/MQTTnet/tree/master/Source/MQTTnet.AspnetCore |
|
@JanEggers you can take the current commit if you like - that MQTT project doesn't reference Orleans & the important bits are internal so I don't think a build of this would be useful |
|
@ReubenBond thx for letting me know, I didnt look at the code in detail yet. I was hoping I could just use the extension method on IConnectionBuilder and be done. |
|
@JanEggers eventually yes, but those things are marked as internal in this PR because the user isn't supposed to interact with them. The intention it to upstream this to Bedrock eventually |
|
Is it possible to configure TLS using {
"Kestrel": {
"Endpoints": {
"Http": {
"Url": "http://localhost:5000"
},
"HttpsInlineCertFile": {
"Url": "https://localhost:5001",
"Certificate": {
"Path": "<path to .pfx file>",
"Password": "<certificate password>"
}
},
"HttpsInlineCertStore": {
"Url": "https://localhost:5002",
"Certificate": {
"Subject": "<subject; required>",
"Store": "<certificate store; required>",
"Location": "<location; defaults to CurrentUser>",
"AllowInvalid": "<true or false; defaults to false>"
}
},
"HttpsDefaultCert": {
"Url": "https://localhost:5003"
},
"Https": {
"Url": "https://*:5004",
"Certificate": {
"Path": "<path to .pfx file>",
"Password": "<certificate password>"
}
}
},
"Certificates": {
"Default": {
"Path": "<path to .pfx file>",
"Password": "<certificate password>"
}
}
}
} |
|
The current implementation does not explicitly add support for that, but it doesn't stop you from using IConfiguration yourself. This could be a good area for contribution |
This PR adds support for securing client-to-silo and silo-to-silo connections using mutual-TLS.
Adds several
UseTlsmethods toISiloBuilder,IClientBuilder, andISiloHostBuilder.TLS can be configured on the silo like so:
By default, when the
UseTlsextension method is used, both sides of all connections are required to present a certificate.This adds a new package:
Microsoft.Orleans.Connections.Securitywhich targetsnetcoreapp3.0only and therefore .NET Core 3.0 is required to use this functionality.A sample application is included under Samples\3.0\TransportLayerSecurity.
There are some rough edges here which I would especially like feedback on. For example, a
TargetHostmust be set whenever a connection is made. I would like to know how users would expect to set this value. In the provided sample the value is set to a fixed value:I understand that this will not suffice for all cases. The
connectionparameter has aFeaturesproperty which allows the users to determine which endpoint is being connected to (among other things). This could be used to determine the correctTargetHostvalue.Fixes #828
xref dotnet/aspnetcore#12809