You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Motivation: In the past we did not have API to trigger renegotiation so the AllowRenegotiation property really controlled behavior when renegotiation was requested by remote peer. HTTP/2 explicitly prohibits it so Kestrel would set it to false any time when HTTP/2 is possibility. However there is no way how to turn it back on when HTTP/1 is negotiated. That can break the late certificate per specific URL even if HTTP/1 is negotiated.
With this change, we would allow renegotiation if explicitly requested on server side using NegotiateClientCertificateAsync(). Note, that this is only during that particular call e.g. when NegotiateClientCertificateAsync is finished we would again respect the properly and block renegotiation requested by peer as we used to. That should make intro with HTTP/2 easier. Since SslStream does not really care about application protocols it is up to the caller to decide if this is appropriate e.g. if HTTP/2 is used or not. (TLS RFC does not care)
Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.
Issue Details
Motivation: In the past we did not have API to trigger renegotiation so the AllowRenegotiation property really controlled behavior when renegotiation was requested by remote peer. HTTP/2 explicitly prohibits it so Kestrel would set it to false any time when HTTP/2 is possibility. However there is no way how to turn it back on when HTTP/1 is negotiated. That can break the late certificate per specific URL even if HTTP/1 is negotiated.
With this change, we would allow renegotiation if explicitly requested on server side using NegotiateClientCertificateAsync(). Note, that this is only during that particular call e.g. when NegotiateClientCertificateAsync is finished we would again respect the properly and block renegotiation requested by peer as we used to. That should make intro with HTTP/2 easier. Since SslStream does not really care about application protocols it is up to the caller to decide if this is appropriate e.g. if HTTP/2 is used or not. (TLS RFC does not care)
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
ghost
locked as resolved and limited conversation to collaborators
Motivation: In the past we did not have API to trigger renegotiation so the
AllowRenegotiationproperty really controlled behavior when renegotiation was requested by remote peer. HTTP/2 explicitly prohibits it so Kestrel would set it tofalseany time when HTTP/2 is possibility. However there is no way how to turn it back on when HTTP/1 is negotiated. That can break the late certificate per specific URL even if HTTP/1 is negotiated.With this change, we would allow renegotiation if explicitly requested on server side using
NegotiateClientCertificateAsync(). Note, that this is only during that particular call e.g. whenNegotiateClientCertificateAsyncis finished we would again respect the properly and block renegotiation requested by peer as we used to. That should make intro with HTTP/2 easier. Since SslStream does not really care about application protocols it is up to the caller to decide if this is appropriate e.g. if HTTP/2 is used or not. (TLS RFC does not care)contributes to #49346
cc: @Tratcher