arty

Reputation: 11

Does HTTP.sys web server implementation in ASP.NET Core really support Server Name Indication (SNI)?

Server Name Indication is a nice feature and works well in the Http.sys kernel mode driver and with IIS. But how do I make it work with the HTTP.sys web server implementation in ASP.NET Core? The documentation at https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?source=recommendations&view=aspnetcore-6.0 clearly states that HTTPS with SNI is supported, but I don't know a way to do it. My problem: on a single server I have:

All sites and the application need to listen on port 443 and each uses a separate SSL certificate. Configuration for SNI in IIS is easily done with the Require Server Name Indication option. Each site may have its own certificate and listen on the single port 443 thanks to SNI. But what about the application? I can bind it using the UrlPrefixes property:

using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseHttpSys(options =>
            {
                // Register the URL prefix with HTTP.sys; there is no option here for the certificate
                options.UrlPrefixes.Add("https://example.com:443");
            });
            webBuilder.UseStartup<Startup>();
        });

But I cannot specify a certificate here. I know a certificate can be specified with the netsh.exe tool:

netsh http add sslcert ipport=<IP>:<PORT> certhash=<THUMBPRINT> appid="{<GUID>}"

But it overrides the certificate binding in IIS, and the websites stop working via HTTPS. Only a single certificate can be specified for each IP/port combination, so I cannot specify multiple certificates here. But I need to have multiple certificates, as SNI support implies. So the question in the title remains: does the HTTP.sys web server implementation in ASP.NET Core really support Server Name Indication (SNI)? How?

I tried to supply the certificate with Kestrel configuration options, but they obviously do not work as I use Http.sys:

webBuilder.ConfigureKestrel(serverOptions =>
{
    // Kestrel-only TLS configuration; it has no effect when the host runs on Http.sys
    serverOptions.ConfigureEndpointDefaults(listenOptions =>
    {
        listenOptions.UseHttps("c:\\mycert\\cert.pfx", "pwd");
    });
});

Upvotes: 0

Views: 421

Answers (1)

lazyden

Reputation: 456

There is another variant of the netsh http add command; you should use it to bind your certificate to the domain.

netsh http add sslcert hostnameport=example.com:443 ...

Upvotes: 0
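A worked version of the hostnameport binding described in the answer, as an added example that is not part of the question or the answer. It assumes the certificate for each host name is already installed in LocalMachine\My (SNI bindings require that store), that the host names and the appid GUID are placeholders for your own, and that it runs in an elevated PowerShell session.

```powershell
# Added example: one HTTP.sys SNI binding per host name on port 443, so the
# ASP.NET Core app and the IIS sites can share the port with separate certificates.
$AppId = '{00000000-0000-0000-0000-000000000000}'   # placeholder: your application's GUID

function Add-HttpSysSniBinding {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    # Find the newest certificate in LocalMachine\My whose SAN covers the host name.
    # hostnameport bindings only accept certificates from this store (certstorename=MY).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $HostName } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate for $HostName found in LocalMachine\My" }

    # Bind by host name instead of ipport: this adds an SNI binding and does not
    # replace the IIS bindings that already use 443 on the same address.
    netsh http add sslcert hostnameport="${HostName}:${Port}" certhash=$($cert.Thumbprint) appid="$AppId" certstorename=MY
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $HostName" }
}

# Placeholder host name; repeat for every site or application that needs its own certificate
Add-HttpSysSniBinding -HostName 'example.com'

# Verify: each host name shows up as its own binding with its own certificate hash
netsh http show sslcert hostnameport=example.com:443
```

The host name in the binding must match the one used in options.UrlPrefixes (https://example.com:443), since HTTP.sys selects the certificate from the SNI name and then routes the request by URL prefix.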
