backport(net8.0): http.sys on-demand TLS client hello retrieval#62290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

joperezr merged 5 commits intodotnet:release/8.0fromDeagleGross:dmkorolev/releasenet8/httpsys-ondemand-backport

Jun 11, 2025

Merged

backport(net8.0): http.sys on-demand TLS client hello retrieval#62290

joperezr merged 5 commits intodotnet:release/8.0fromDeagleGross:dmkorolev/releasenet8/httpsys-ondemand-backport

Jun 11, 2025

Conversation

Copy link

Member

DeagleGross commentedJun 9, 2025•
edited
Loading

Http.Sys on-demand tls client hello bytes fetch to net8.

Description

Backporting#62209 to release/net8.0.
Changes API to have abyte[] input parameter, becauseSpan<byte> is not really compatible with reflection. So it becomesbool TryGetTlsClientHello(byte[] tlsClientHelloBytesDestination, out int bytesReturned);

Usage example is in the sample app and commented to be a recommended approach (compared to callback API; as on-demand API will be an only API existing in net10):

varhttpSysAssembly=typeof(Microsoft.AspNetCore.Server.HttpSys.HttpSysOptions).Assembly;varhttpSysPropertyFeatureType=httpSysAssembly.GetType("Microsoft.AspNetCore.Server.HttpSys.IHttpSysRequestPropertyFeature");varhttpSysPropertyFeature=context.Features[httpSysPropertyFeatureType]!;varmethod=httpSysPropertyFeature.GetType().GetMethod("TryGetTlsClientHello",BindingFlags.Instance|BindingFlags.Public|BindingFlags.NonPublic);// invoke first time to get required sizebyte[]bytes=Array.Empty<byte>();varparameters=newobject[]{bytes,0};varres=(bool)method.Invoke(httpSysPropertyFeature,parameters);// fetching out parameter only works by looking into parameters array of objectsvarbytesReturned=(int)parameters[1];bytes=ArrayPool<byte>.Shared.Rent(bytesReturned);parameters=[bytes,0];// correct input nowres=(bool)method.Invoke(httpSysPropertyFeature,parameters);// this is the span representing the TLS Client Hello bytes onlyvartlsClientHelloBytes=((byte[])parameters[0]).AsSpan(0,bytesReturned);awaitcontext.Response.WriteAsync($"TlsBytes:{string.Join(" ",tlsClientHelloBytes.Slice(0,10).ToArray())}; full length ={bytesReturned}");ArrayPool<byte>.Shared.Return(bytes);

Fixes#61625

Customer Impact

Allows customers to inspect the TLS Client Hello message on-demand instead of following the callback API.
Existing#61494 callback API showed issues with race-conditions (processing callback at the same time as serving other requests).

Regression?

Risk

High
Medium
Low

Fully opt-in feature so won't affect existing code. Also, if it is turned on, there are a few app context knobs to tweak behavior in case something goes wrong.

Verification

Manual (required)
Automated

Packaging changes reviewed?

feat(HTTP.SYS): on-demand TLS client hello retrieval (#62209)

25aac49

DeagleGross requested review fromBrennanConroy,JamesNK,halter73 andmgravell ascode owners

June 9, 2025 23:32

dotnet-policy-servicebot added this to the8.0.x milestone

Jun 9, 2025

DeagleGross changed the title~~backport(net8.0): http.sys on-demand TLS client hello retrieval~~[WIP] backport(net8.0): http.sys on-demand TLS client hello retrieval

Jun 9, 2025

DeagleGross added3 commits

June 9, 2025 17:21

fix cherry-pick

3552401

setup sample

d1315f0

provide example

b6a8d2e

DeagleGross changed the title~~[WIP] backport(net8.0): http.sys on-demand TLS client hello retrieval~~backport(net8.0): http.sys on-demand TLS client hello retrieval

Jun 10, 2025

fix build error

e9164ea