feat: support tls client hello bytes callback in Kestrel

src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs

@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Buffers;
 using System.Net.Security;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
@@ -96,6 +97,12 @@ public void AllowAnyClientCertificate()
     /// </summary>
     public Action<ConnectionContext, SslServerAuthenticationOptions>? OnAuthenticate { get; set; }
 
+    /// <summary>
+    /// A callback to be invoked to get the TLS client hello bytes.
+    /// Null by default.
+    /// </summary>
+    public Action<ConnectionContext, ReadOnlySequence<byte>>? TlsClientHelloBytesCallback { get; set; }
+
     /// <summary>
     /// Specifies the maximum amount of time allowed for the TLS/SSL handshake. This must be positive
     /// or <see cref="Timeout.InfiniteTimeSpan"/>. Defaults to 10 seconds.

src/Servers/Kestrel/Core/src/ListenOptionsHttpsExtensions.cs

@@ -5,6 +5,7 @@
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.AspNetCore.Server.Kestrel.Core;
 using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
+using Microsoft.AspNetCore.Server.Kestrel.Core.Middleware;
 using Microsoft.AspNetCore.Server.Kestrel.Https;
 using Microsoft.AspNetCore.Server.Kestrel.Https.Internal;
 using Microsoft.Extensions.DependencyInjection;
@@ -197,6 +198,15 @@ public static ListenOptions UseHttps(this ListenOptions listenOptions, HttpsConn
         listenOptions.IsTls = true;
         listenOptions.HttpsOptions = httpsOptions;
 
+        if (httpsOptions.TlsClientHelloBytesCallback is not null)
+        {
+            listenOptions.Use(next =>
+            {
+                var middleware = new TlsListenerMiddleware(next, httpsOptions.TlsClientHelloBytesCallback);
+                return middleware.OnTlsClientHelloAsync;
+            });
+        }
+
         listenOptions.Use(next =>
         {
             var middleware = new HttpsConnectionMiddleware(next, httpsOptions, listenOptions.Protocols, loggerFactory, metrics);

src/Servers/Kestrel/Core/src/Middleware/TlsListenerMiddleware.cs

@@ -0,0 +1,124 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Buffers;
+using System.Diagnostics;
+using Microsoft.AspNetCore.Connections;
+
+namespace Microsoft.AspNetCore.Server.Kestrel.Core.Middleware;
+
+internal sealed class TlsListenerMiddleware
+{
+    private readonly ConnectionDelegate _next;
+    private readonly Action<ConnectionContext, ReadOnlySequence<byte>> _tlsClientHelloBytesCallback;
+
+    public TlsListenerMiddleware(ConnectionDelegate next, Action<ConnectionContext, ReadOnlySequence<byte>> tlsClientHelloBytesCallback)
+    {
+        _next = next;
+        _tlsClientHelloBytesCallback = tlsClientHelloBytesCallback;
+    }
+
+    /// <summary>
+    /// Sniffs the TLS Client Hello message, and invokes a callback if found.
+    /// </summary>
+    internal async Task OnTlsClientHelloAsync(ConnectionContext connection)
+    {
+        var input = connection.Transport.Input;
+
+        while (true)
+        {
+            var result = await input.ReadAsync();
+            var buffer = result.Buffer;
+
+            // If the buffer length is less than 6 bytes (handshake + version + length + client-hello byte)
+            // and no more data is coming, we can't block in a loop here because we will not get more data
+            if (buffer.Length < 6 && result.IsCompleted)
+            {
+                break;
+            }
+
+            var parseState = TryParseClientHello(buffer, out var clientHelloBytes);
+
+            // no data is consumed, it will be processed by the follow-up middlewares
+            input.AdvanceTo(buffer.Start);
+
+            if (parseState == ClientHelloParseState.NotEnoughData)
+            {
+                continue;
+            }
+
+            if (parseState == ClientHelloParseState.ValidTlsClientHello)
+            {
+                _tlsClientHelloBytesCallback(connection, clientHelloBytes);
+            }
+
+            Debug.Assert(parseState is ClientHelloParseState.ValidTlsClientHello or ClientHelloParseState.NotTlsClientHello);
+            break; // We can continue with the middleware pipeline
+        }
+
+        await _next(connection);
+    }
+
+    private static ClientHelloParseState TryParseClientHello(ReadOnlySequence<byte> buffer, out ReadOnlySequence<byte> clientHelloBytes)
+    {
+        clientHelloBytes = default;
+
+        if (buffer.Length < 6)
+        {
+            return ClientHelloParseState.NotEnoughData;
+        }
+
+        var reader = new SequenceReader<byte>(buffer);
+
+        // Content type must be 0x16 for TLS Handshake
+        if (!reader.TryRead(out byte contentType) || contentType != 0x16)
+        {
+            return ClientHelloParseState.NotTlsClientHello;
+        }
+
+        // Protocol version
+        if (!reader.TryReadBigEndian(out short version) || !IsValidProtocolVersion(version))
+        {
+            return ClientHelloParseState.NotTlsClientHello;
+        }
+
+        // Record length
+        if (!reader.TryReadBigEndian(out short recordLength))
+        {
+            return ClientHelloParseState.NotTlsClientHello;
+        }
+
+        // 5 bytes are
+        // 1) Handshake (1 byte)
+        // 2) Protocol version (2 bytes)
+        // 3) Record length (2 bytes)
+        if (buffer.Length < 5 + recordLength)
+        {
+            return ClientHelloParseState.NotEnoughData;
+        }
+
+        // byte 6: handshake message type (must be 0x01 for ClientHello)
+        if (!reader.TryRead(out byte handshakeType) || handshakeType != 0x01)
+        {
+            return ClientHelloParseState.NotTlsClientHello;
+        }
+
+        clientHelloBytes = buffer.Slice(0, 5 + recordLength);
+        return ClientHelloParseState.ValidTlsClientHello;
+    }
+
+    private static bool IsValidProtocolVersion(short version)
+        => version is 0x0002  // SSL 2.0 (0x0002)
+                   or 0x0300  // SSL 3.0 (0x0300)
+                   or 0x0301  // TLS 1.0 (0x0301)
+                   or 0x0302  // TLS 1.1 (0x0302)
+                   or 0x0303  // TLS 1.2 (0x0303)
+                   or 0x0304; // TLS 1.3 (0x0304)
+
+    private enum ClientHelloParseState : byte
+    {
+        NotEnoughData,
+        NotTlsClientHello,
+        ValidTlsClientHello
+    }
+}

src/Servers/Kestrel/Core/src/PublicAPI.Unshipped.txt

@@ -1 +1,3 @@
 #nullable enable
+Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.TlsClientHelloBytesCallback.get -> System.Action<Microsoft.AspNetCore.Connections.ConnectionContext!, System.Buffers.ReadOnlySequence<byte>>?
+Microsoft.AspNetCore.Server.Kestrel.Https.HttpsConnectionAdapterOptions.TlsClientHelloBytesCallback.set -> void