TechnikEmpire / CitadelCore.Windows

Citadel Core platform-specific implementation for Windows
Mozilla Public License 2.0

propagating invalid SSL certificate error to the browser #15

Closed mittster closed 4 years ago

mittster commented 4 years ago

I noticed that you get notified of an SSL cert error only through the try/catch block of the upstream HttpClient request. By that time, the https connection with the browser has long been established and the browser happily shows the lock icon.

I opened TlsSniConnectionAdapter and found only hooks for SNI inspection via StreamExtended API. Does Kestrel have an option for intercepting certificate sent from remote machine much like it is capable of intercepting ClientHello messages?

TechnikEmpire commented 4 years ago

Yeah it locks because the intercepting proxy always has absolute trust on the host machine but the remote may fail as you've observed.

There is an override method I think (this project has moved private and this repo is old so unsure) where you can intercept the remote inspection routine.

You can also directly jack into this method by adding a callback after the proxy is initialized to the static ServicePointManager class in .net. It has a "handler" for remote cert inspection where the last caller to that setter gets exclusive rights to the handler.

mittster commented 4 years ago

I guess you mean ServicePointManager.ServerCertificateValidationCallback. According to debugger, this callback is triggered when upstream HttpClient tries to connect to the server in FilterHttpResponseHandler. That is much too late for telling browser that the certificate has error, because SSL handshake between browser and proxy is already completed at that point.

TechnikEmpire commented 4 years ago

You need to code this functionality in or pass down an http response you create. By nature you cannot possibly tell the client after you find out, because in order to even connect to the https endpoint upstream you need to sni peek.

Were the proxy designed fundamentally differently you could do this. You'd need to do the upstream check on client sni peek and before handshake. This isn't the way the proxy is designed.
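The fallback the thread lands on (validate the upstream certificate in the callback, then hand the browser a response you create rather than the upstream body), as an added example that is not CitadelCore's code. It uses the per-handler `HttpClientHandler.ServerCertificateCustomValidationCallback` instead of the process-wide `ServicePointManager` setter mentioned above, because the handler callback cannot be overwritten by another caller; the `UpstreamCertGate` class, the `Failures` map and the 502 error body are constructed for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Threading.Tasks;

// Added example, not CitadelCore code. The proxy<->browser TLS session is already
// established when the upstream certificate is checked, so the lock icon cannot be
// revoked; failing closed with an explicit error page is what this demonstrates.
static class UpstreamCertGate
{
    // Last validation failure per upstream host (constructed helper; a real proxy
    // would scope this to the connection, since the callback fires once per
    // upstream TLS connection, not once per request).
    static readonly ConcurrentDictionary<string, SslPolicyErrors> Failures = new();

    static readonly HttpClient Upstream = new HttpClient(new HttpClientHandler
    {
        ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            if (errors != SslPolicyErrors.None)
                Failures[request.RequestUri.Host] = errors;
            // Returning false aborts the upstream handshake; SendAsync then throws
            // HttpRequestException (wrapping an AuthenticationException).
            return errors == SslPolicyErrors.None;
        }
    });

    public static async Task<HttpResponseMessage> FetchAsync(HttpRequestMessage request)
    {
        try
        {
            return await Upstream.SendAsync(request, HttpCompletionOption.ResponseHeadersRead);
        }
        catch (HttpRequestException) when (Failures.TryRemove(request.RequestUri.Host, out var errors))
        {
            // Synthesize the response the browser will render instead of upstream content.
            var body = $"Upstream certificate for {request.RequestUri.Host} failed validation: {errors}.";
            return new HttpResponseMessage(HttpStatusCode.BadGateway)
            {
                ReasonPhrase = "Upstream TLS validation failed",
                Content = new StringContent(body)
            };
        }
    }
}
```

Any other HttpRequestException (DNS failure, connection refused) falls through the `when` filter and propagates as before, so only certificate failures are turned into the synthesized page.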