feat: fetch TLS client hello message from HTTP.SYS

AspNetCore.sln

@@ -1772,6 +1772,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Http.R
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.AspNetCore.Http.ValidationsGenerator", "src\Http\Http.Extensions\gen\Microsoft.AspNetCore.Http.ValidationsGenerator\Microsoft.AspNetCore.Http.ValidationsGenerator.csproj", "{7899F5DD-AA7C-4561-BAC4-E2EC78B7D157}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TlsFeaturesObserve", "src\Servers\HttpSys\samples\TlsFeaturesObserve\TlsFeaturesObserve.csproj", "{98C71EC8-1303-F55D-4032-E6728971770E}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -10983,6 +10985,22 @@ Global
 		{7899F5DD-AA7C-4561-BAC4-E2EC78B7D157}.Release|x64.Build.0 = Release|Any CPU
 		{7899F5DD-AA7C-4561-BAC4-E2EC78B7D157}.Release|x86.ActiveCfg = Release|Any CPU
 		{7899F5DD-AA7C-4561-BAC4-E2EC78B7D157}.Release|x86.Build.0 = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|arm64.ActiveCfg = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|arm64.Build.0 = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|x64.Build.0 = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Debug|x86.Build.0 = Debug|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|arm64.ActiveCfg = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|arm64.Build.0 = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|x64.ActiveCfg = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|x64.Build.0 = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|x86.ActiveCfg = Release|Any CPU
+		{98C71EC8-1303-F55D-4032-E6728971770E}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -11777,6 +11795,7 @@ Global
 		{01A75167-DF5A-AF38-8700-C3FBB2C2CFF5} = {225AEDCF-7162-4A86-AC74-06B84660B379}
 		{E6D564C0-4CA5-411C-BF40-9802AF7900CB} = {01A75167-DF5A-AF38-8700-C3FBB2C2CFF5}
 		{7899F5DD-AA7C-4561-BAC4-E2EC78B7D157} = {01A75167-DF5A-AF38-8700-C3FBB2C2CFF5}
+		{98C71EC8-1303-F55D-4032-E6728971770E} = {49016328-4D32-46E4-A4D2-94686ED38EA2}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {3E8720B3-DBDD-498C-B383-2CC32A054E8F}

src/Servers/Connections.Abstractions/src/Features/ITlsAccessFeature.cs

@@ -0,0 +1,24 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Connections.Abstractions.TLS;
+
+namespace Microsoft.AspNetCore.Connections.Features;
+
+/// <summary>
+/// Allows to access underlying TLS data.
+/// </summary>
+public interface ITlsAccessFeature
+{
+    /// <summary>
+    /// Returns the raw bytes of TLS client hello message.
+    /// </summary>
+    byte[]? GetTlsClientHelloMessageBytes();
+}

src/Servers/Connections.Abstractions/src/TLS/TlsClientHello.cs

@@ -0,0 +1,25 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Runtime.InteropServices;
+using System.Security.Authentication;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.Connections.Abstractions.TLS;
+
+public struct TLS_CLIENT_HELLO
+{
+    public SslProtocols ProtocolVersion;  // Version of the TLS protocol
+
+    public override string ToString()
+    {
+        return $"""
+        TLS CLIENT HELLO MESSAGE:
+        - ProtocolVersion: {ProtocolVersion}
+        """;
+    }
+}

src/Servers/HttpSys/HttpSysServer.slnf

@@ -38,6 +38,7 @@
       "src\\Servers\\HttpSys\\samples\\QueueSharing\\QueueSharing.csproj",
       "src\\Servers\\HttpSys\\samples\\SelfHostServer\\SelfHostServer.csproj",
       "src\\Servers\\HttpSys\\samples\\TestClient\\TestClient.csproj",
+      "src\\Servers\\HttpSys\\samples\\TlsFeaturesObserve\\TlsFeaturesObserve.csproj",
       "src\\Servers\\HttpSys\\src\\Microsoft.AspNetCore.Server.HttpSys.csproj",
       "src\\Servers\\HttpSys\\test\\FunctionalTests\\Microsoft.AspNetCore.Server.HttpSys.FunctionalTests.csproj",
       "src\\Servers\\HttpSys\\test\\NonHelixTests\\Microsoft.AspNetCore.Server.HttpSys.NonHelixTests.csproj",
@@ -54,4 +55,4 @@
       "src\\WebEncoders\\src\\Microsoft.Extensions.WebEncoders.csproj"
     ]
   }
-}
+}

src/Servers/HttpSys/samples/TlsFeaturesObserve/HttpSys/HttpSysConfigurator.cs

@@ -0,0 +1,120 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Net;
+using System.Net.Sockets;
+using System.Runtime.InteropServices;
+using System.Text;
+using Microsoft.AspNetCore.Http;
+
+namespace TlsFeaturesObserve.HttpSys;
+
+internal static class HttpSysConfigurator
+{
+    const uint HTTP_INITIALIZE_CONFIG = 0x00000002;
+    const uint ERROR_ALREADY_EXISTS = 183;
+
+    static readonly HTTPAPI_VERSION HttpApiVersion = new HTTPAPI_VERSION(1, 0);
+
+    internal static void ConfigureCacheTlsClientHello()
+    {
+        IPEndPoint ipPort = new IPEndPoint(new IPAddress([0, 0, 0, 0]), 6000);
+        string certThumbprint = "" /* your cert thumbprint here */;
+        Guid appId = Guid.NewGuid();
+        string sslCertStoreName = "My";
+
+        CallHttpApi(() => SetConfiguration(ipPort, certThumbprint, appId, sslCertStoreName));
+    }
+
+    static void SetConfiguration(IPEndPoint ipPort, string certThumbprint, Guid appId, string sslCertStoreName)
+    {
+        GCHandle sockAddrHandle = CreateSockaddrStructure(ipPort);
+        var pIpPort = sockAddrHandle.AddrOfPinnedObject();
+        var httpServiceConfigSslKey = new HTTP_SERVICE_CONFIG_SSL_KEY(pIpPort);
+
+        byte[] hash = GetHash(certThumbprint);
+        var handleHash = GCHandle.Alloc(hash, GCHandleType.Pinned);
+        var configSslParam = new HTTP_SERVICE_CONFIG_SSL_PARAM
+        {
+            AppId = appId,
+            DefaultFlags = 0x00008000 /* HTTP_SERVICE_CONFIG_SSL_FLAG_ENABLE_CACHE_CLIENT_HELLO */,
+            DefaultRevocationFreshnessTime = 0,
+            DefaultRevocationUrlRetrievalTimeout = 15,
+            pSslCertStoreName = sslCertStoreName,
+            pSslHash = handleHash.AddrOfPinnedObject(),
+            SslHashLength = hash.Length,
+            pDefaultSslCtlIdentifier = null,
+            pDefaultSslCtlStoreName = sslCertStoreName
+        };
+
+        var configSslSet = new HTTP_SERVICE_CONFIG_SSL_SET
+        {
+            ParamDesc = configSslParam,
+            KeyDesc = httpServiceConfigSslKey
+        };
+
+        var pInputConfigInfo = Marshal.AllocCoTaskMem(
+            Marshal.SizeOf(typeof(HTTP_SERVICE_CONFIG_SSL_SET)));
+        Marshal.StructureToPtr(configSslSet, pInputConfigInfo, false);
+
+        uint status = HttpSetServiceConfiguration(nint.Zero,
+            HTTP_SERVICE_CONFIG_ID.HttpServiceConfigSSLCertInfo,
+            pInputConfigInfo,
+            Marshal.SizeOf(configSslSet),
+            nint.Zero);
+
+        if (status == ERROR_ALREADY_EXISTS || status == 0) // already present or success
+        {
+            Console.WriteLine("HttpServiceConfiguration is correct");
+        }
+        else
+        {
+            Console.WriteLine("Failed to HttpSetServiceConfiguration: " + status);
+        }
+    }
+
+    static byte[] GetHash(string thumbprint)
+    {
+        int length = thumbprint.Length;
+        byte[] bytes = new byte[length / 2];
+        for (int i = 0; i < length; i += 2)
+            bytes[i / 2] = Convert.ToByte(thumbprint.Substring(i, 2), 16);
+        return bytes;
+    }
+
+    static GCHandle CreateSockaddrStructure(IPEndPoint ipEndPoint)
+    {
+        SocketAddress socketAddress = ipEndPoint.Serialize();
+
+        // use an array of bytes instead of the sockaddr structure 
+        byte[] sockAddrStructureBytes = new byte[socketAddress.Size];
+        GCHandle sockAddrHandle = GCHandle.Alloc(sockAddrStructureBytes, GCHandleType.Pinned);
+        for (int i = 0; i < socketAddress.Size; ++i)
+        {
+            sockAddrStructureBytes[i] = socketAddress[i];
+        }
+        return sockAddrHandle;
+    }
+
+    static void CallHttpApi(Action body)
+    {
+        const uint flags = HTTP_INITIALIZE_CONFIG;
+        uint retVal = HttpInitialize(HttpApiVersion, flags, IntPtr.Zero);
+        body();
+    }
+
+    [DllImport("httpapi.dll", SetLastError = true)]
+    private static extern uint HttpInitialize(
+            HTTPAPI_VERSION version,
+            uint flags,
+            IntPtr pReserved);
+
+    [DllImport("httpapi.dll", SetLastError = true)]
+    public static extern uint HttpSetServiceConfiguration(
+        nint serviceIntPtr,
+        HTTP_SERVICE_CONFIG_ID configId,
+        nint pConfigInformation,
+        int configInformationLength,
+        nint pOverlapped);
+}

src/Servers/HttpSys/samples/TlsFeaturesObserve/HttpSys/Native.cs

@@ -0,0 +1,95 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Runtime.InteropServices;
+using System.Text;
+
+namespace TlsFeaturesObserve.HttpSys;
+
+[StructLayout(LayoutKind.Sequential, Pack = 2)]
+public struct HTTPAPI_VERSION
+{
+    public ushort HttpApiMajorVersion;
+    public ushort HttpApiMinorVersion;
+
+    public HTTPAPI_VERSION(ushort majorVersion, ushort minorVersion)
+    {
+        HttpApiMajorVersion = majorVersion;
+        HttpApiMinorVersion = minorVersion;
+    }
+}
+
+public enum HTTP_SERVICE_CONFIG_ID
+{
+    HttpServiceConfigIPListenList = 0,
+    HttpServiceConfigSSLCertInfo,
+    HttpServiceConfigUrlAclInfo,
+    HttpServiceConfigMax
+}
+
+[StructLayout(LayoutKind.Sequential)]
+public struct HTTP_SERVICE_CONFIG_SSL_SET
+{
+    public HTTP_SERVICE_CONFIG_SSL_KEY KeyDesc;
+    public HTTP_SERVICE_CONFIG_SSL_PARAM ParamDesc;
+}
+
+[StructLayout(LayoutKind.Sequential)]
+public struct HTTP_SERVICE_CONFIG_SSL_KEY
+{
+    public IntPtr pIpPort;
+
+    public HTTP_SERVICE_CONFIG_SSL_KEY(IntPtr pIpPort)
+    {
+        this.pIpPort = pIpPort;
+    }
+}
+
+[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+public struct HTTP_SERVICE_CONFIG_SSL_PARAM
+{
+    public int SslHashLength;
+    public IntPtr pSslHash;
+    public Guid AppId;
+    [MarshalAs(UnmanagedType.LPWStr)]
+    public string pSslCertStoreName;
+    public CertCheckModes DefaultCertCheckMode;
+    public int DefaultRevocationFreshnessTime;
+    public int DefaultRevocationUrlRetrievalTimeout;
+    [MarshalAs(UnmanagedType.LPWStr)]
+    public string pDefaultSslCtlIdentifier;
+    [MarshalAs(UnmanagedType.LPWStr)]
+    public string pDefaultSslCtlStoreName;
+    public uint DefaultFlags; // HTTP_SERVICE_CONFIG_SSL_FLAG
+}
+
+[Flags]
+public enum CertCheckModes : uint
+{
+    /// <summary>
+    /// Enables the client certificate revocation check.
+    /// </summary>
+    None = 0,
+
+    /// <summary>
+    /// Client certificate is not to be verified for revocation. 
+    /// </summary>
+    DoNotVerifyCertificateRevocation = 1,
+
+    /// <summary>
+    /// Only cached certificate is to be used the revocation check. 
+    /// </summary>
+    VerifyRevocationWithCachedCertificateOnly = 2,
+
+    /// <summary>
+    /// The RevocationFreshnessTime setting is enabled.
+    /// </summary>
+    EnableRevocationFreshnessTime = 4,
+
+    /// <summary>
+    /// No usage check is to be performed.
+    /// </summary>
+    NoUsageCheck = 0x10000
+}

src/Servers/HttpSys/samples/TlsFeaturesObserve/Program.cs

@@ -0,0 +1,35 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Reflection;
+using System.Runtime.InteropServices;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Server.HttpSys;
+using Microsoft.Extensions.Hosting;
+using TlsFeaturesObserve.HttpSys;
+
+namespace TlsFeatureObserve;
+
+public static class Program
+{
+    public static void Main(string[] args)
+    {
+        HttpSysConfigurator.ConfigureCacheTlsClientHello();
+        CreateHostBuilder(args).Build().Run();
+    }
+
+    public static IHostBuilder CreateHostBuilder(string[] args) =>
+        Host.CreateDefaultBuilder(args)
+            .ConfigureWebHost(webBuilder =>
+            {
+                webBuilder.UseStartup<Startup>()
+                .UseHttpSys(options =>
+                {
+                    // If you want to use https locally: https://stackoverflow.com/a/51841893
+                    options.UrlPrefixes.Add("https://*:6000"); // HTTPS
+
+                    options.Authentication.Schemes = AuthenticationSchemes.None;
+                    options.Authentication.AllowAnonymous = true;
+                });
+            });
+}

src/Servers/HttpSys/samples/TlsFeaturesObserve/Properties/launchSettings.json

@@ -0,0 +1,10 @@
+{
+  "profiles": {
+    "TlsFeaturesObserve": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:5000",
+      "nativeDebugging": true
+    }
+  }
+}