Asynchronous SNI API for SslStream #27350
Labels
api-suggestion
Early API idea and discussion, it is NOT ready for implementation
area-System.Net.Security
Milestone
Rationale
With the new SNI extension support in
SslStream
(#24553, dotnet/corefx#28278), web servers can support TLS for multiple hostnames from a single endpoint. However, in a multi-tenant environment, the certificate for a supported hostname may not always be available synchronously. For example, there may be a number of stateless front-end servers that must fetch certificates from a persistent backend, where the total set of supported hostnames and their certificates is either too large to fit in memory or not known a priori. For this reason, the existingServerCertificateSelectionCallback
API is problematic, as it requires servers to block threads while retrieving the certificate.The server-side SNI API in
SslStream
should support async realization of the server certificate used for a connection.Ideally, this would then be supported upstream in servers like Kestrel.
Proposed API Shape
Add
AsyncServerCertificateSelectionCallback
toSslServerAuthenticationOptions
, alongside the existingServerCertificateSelectionCallback
:Additional API Information:
LocalCertificateSelectionCallback
.Task
as it is expected to always be truly asynchronous. However,ValueTask
enables pooling for performance-sensitive applications.null
causes the handshake to fail).The text was updated successfully, but these errors were encountered: