backport(net8.0): http.sys on-demand TLS client hello retrieval #62290

Conversation

DeagleGross (Member) commented Jun 9, 2025

Http.Sys on-demand TLS Client Hello bytes fetch to net8.

Description

Backporting #62209 to release/net8.0.
Changes the API to take a `byte[]` input parameter, because `Span<byte>` is not really compatible with reflection. So it becomes `bool TryGetTlsClientHello(byte[] tlsClientHelloBytesDestination, out int bytesReturned);`

A usage example is in the sample app and is commented as the recommended approach (compared to the callback API, as the on-demand API will be the only API existing in net10):

```csharp
using System.Buffers;
using System.Reflection;

// The feature type is resolved by name and its method is invoked through reflection.
var httpSysAssembly = typeof(Microsoft.AspNetCore.Server.HttpSys.HttpSysOptions).Assembly;
var httpSysPropertyFeatureType = httpSysAssembly.GetType("Microsoft.AspNetCore.Server.HttpSys.IHttpSysRequestPropertyFeature")!;
var httpSysPropertyFeature = context.Features[httpSysPropertyFeatureType]!;

var method = httpSysPropertyFeature.GetType().GetMethod(
   "TryGetTlsClientHello",
   BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic
)!;

// invoke first time with an empty buffer to get the required size
byte[] bytes = Array.Empty<byte>();
var parameters = new object[] { bytes, 0 };
var res = (bool)method.Invoke(httpSysPropertyFeature, parameters)!;

// fetching the out parameter only works by reading it back from the parameters array
var bytesReturned = (int)parameters[1];
bytes = ArrayPool<byte>.Shared.Rent(bytesReturned);
try
{
    parameters = [bytes, 0]; // correctly sized input now
    res = (bool)method.Invoke(httpSysPropertyFeature, parameters)!;

    // this span covers the TLS Client Hello bytes only (the rented array may be larger than bytesReturned)
    var tlsClientHelloBytes = ((byte[])parameters[0]).AsSpan(0, bytesReturned);
    await context.Response.WriteAsync($"TlsBytes: {string.Join(" ", tlsClientHelloBytes.Slice(0, 10).ToArray())}; full length = {bytesReturned}");
}
finally
{
    // always hand the buffer back to the pool, even if writing the response throws
    ArrayPool<byte>.Shared.Return(bytes);
}
```

Fixes #61625

Customer Impact

Allows customers to inspect the TLS Client Hello message on-demand instead of following the callback API.
The existing #61494 callback API showed race-condition issues (processing the callback at the same time as serving other requests).

Regression?

  • Yes
  • No

Risk

  • High
  • Medium
  • Low

Fully opt-in feature, so it won't affect existing code. Also, if it is turned on, there are a few AppContext knobs to tweak behavior in case something goes wrong.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A
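
Once the bytes are in hand, the useful next step is to decode them rather than dump them. The following is an added example, not code from this PR or from ASP.NET Core: a minimal parser for the TLS record header and ClientHello handshake that extracts the protocol version, offered cipher suites and SNI, the fields an operator would typically log or check against policy. It runs against a constructed sample ClientHello; in an http.sys app you would pass it the `tlsClientHelloBytes` span from the snippet above, and malformed input throws rather than being silently accepted.

```csharp
using System;
using System.Buffers.Binary;
using System.Text;
// Constructed sample (not captured traffic): TLS record + ClientHello with two cipher suites and SNI example.com
byte[] sample = [0x16, 0x03, 0x01, 0x00, 0x45, 0x01, 0x00, 0x00, 0x41, 0x03, 0x03, .. new byte[32],
    0x00, 0x00, 0x04, 0x13, 0x01, 0x13, 0x02, 0x01, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x10,
    0x00, 0x0E, 0x00, 0x00, 0x0B, .. "example.com"u8.ToArray()];
var (version, suites, sni) = ClientHelloParser.Parse(sample);
Console.WriteLine($"version=0x{version:X4} suites={string.Join(",", suites)} sni={sni}");

// Parses the raw bytes returned by TryGetTlsClientHello: TLS record header + ClientHello handshake.
// Malformed or truncated input throws; only fields useful for logging or policy checks are extracted.
public static class ClientHelloParser
{
    public static (ushort Version, ushort[] CipherSuites, string? ServerName) Parse(ReadOnlySpan<byte> data)
    {
        // Record header: content_type(1)=0x16 handshake, legacy_version(2), length(2)
        if (data.Length < 9 || data[0] != 0x16) throw new FormatException("not a TLS handshake record");
        int recordLen = BinaryPrimitives.ReadUInt16BigEndian(data.Slice(3, 2));
        // Handshake header: msg_type(1)=0x01 ClientHello, length(3)
        if (data[5] != 0x01) throw new FormatException("not a ClientHello");
        int bodyLen = (data[6] << 16) | (data[7] << 8) | data[8];
        if (bodyLen + 4 > recordLen) throw new FormatException("handshake length exceeds record");
        var body = data.Slice(9, bodyLen);   // throws if the buffer is shorter than declared
        int p = 0;
        ushort version = ReadU16(body, ref p);
        p += 32;                             // random
        p += 1 + body[p];                    // session_id<0..32>
        var suites = new ushort[ReadU16(body, ref p) / 2];
        for (int i = 0; i < suites.Length; i++) suites[i] = ReadU16(body, ref p);
        p += 1 + body[p];                    // compression_methods<1..255>
        string? sni = null;
        if (p < body.Length)                 // extensions block is optional
        {
            int extLen = ReadU16(body, ref p);
            for (int extEnd = p + extLen; p < extEnd;)
            {
                ushort type = ReadU16(body, ref p);
                int len = ReadU16(body, ref p);
                var ext = body.Slice(p, len);
                p += len;
                // server_name (type 0): list_len(2), name_type(1)=0 host_name, name_len(2), host_name
                if (type == 0 && len >= 5 && ext[2] == 0)
                    sni = Encoding.ASCII.GetString(ext.Slice(5, BinaryPrimitives.ReadUInt16BigEndian(ext.Slice(3, 2))));
            }
        }
        return (version, suites, sni);
    }
    private static ushort ReadU16(ReadOnlySpan<byte> s, ref int p)
    { ushort v = BinaryPrimitives.ReadUInt16BigEndian(s.Slice(p, 2)); p += 2; return v; }
}
```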

@dotnet-policy-service dotnet-policy-service bot added this to the 8.0.x milestone Jun 9, 2025
@DeagleGross DeagleGross changed the title backport(net8.0): http.sys on-demand TLS client hello retrieval [WIP] backport(net8.0): http.sys on-demand TLS client hello retrieval Jun 9, 2025
@DeagleGross DeagleGross changed the title [WIP] backport(net8.0): http.sys on-demand TLS client hello retrieval backport(net8.0): http.sys on-demand TLS client hello retrieval Jun 10, 2025
@joperezr joperezr merged commit 9e8ebbf into dotnet:release/8.0 Jun 11, 2025
23 of 25 checks passed
@DeagleGross DeagleGross deleted the dmkorolev/releasenet8/httpsys-ondemand-backport branch June 11, 2025 19:03
@dotnet-policy-service dotnet-policy-service bot modified the milestones: 8.0.x, 8.0.18 Jun 11, 2025