Closed (ststeiger closed this issue 11 months ago)
Never mind stream.TargetHostName, it's not working ... Dilettantes at work. Just use stream-extended instead; so far it works fine everywhere.
Never mind, it does work with stream.TargetHostName. But you need to set ServerCertificateSelectionCallback and use SslServerAuthenticationOptions: https://github.com/dotnet/runtime/issues/57105
```csharp
// cert: the X509Certificate2 loaded earlier; stream: the SslStream wrapping the accepted connection
System.Net.Security.SslServerAuthenticationOptions sslOptions =
    new System.Net.Security.SslServerAuthenticationOptions
    {
        // ServerCertificate = certificate,
        // Callback receives (object sender, string hostName); hostName is the SNI value, or null when the client sent none
        ServerCertificateSelectionCallback = (sender, name) => cert,
        CertificateRevocationCheckMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.Offline,
        EnabledSslProtocols = System.Security.Authentication.SslProtocols.Tls12
    };
stream.AuthenticateAsServer(sslOptions);
```
The SSL certificate should not be "static". If host-header based SSL is used (SNI), for multiple domains on the same IP, then the certificate would need to include them all. This is problematic, as LetsEncrypt does not allow more than 100 aliases in one certificate.
Therefore, we need a `System.Net.Security.ServerCertificateSelectionCallback` in IEndpointDefinition, instead of `//X509Certificate ServerCertificate { get; }`.
Now, getting to the host name is more difficult. You can either switch to .NET 5 (instead of NetStandard 2.0) and use `stream.TargetHostName` (`System.Net.Security.SslStream stream;` // .NET 5.0 only), or you can stay on NetStandard 2.0 and use stream-extended. This might (or might not) incur performance loss or instability. Example:
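As an added example (not the issue author's code nor the project's, and not the example the comment above refers to), the per-host selection the thread asks for: a `ServerCertificateSelectionCallback` that picks a certificate by SNI host name, with single-label wildcard matching and a fallback for clients that send no SNI. The certificate objects, host names and `IEndpointDefinition` wiring are assumed; the map content is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example: choose the server certificate per SNI host name instead of one static cert.
public sealed class SniCertificateSelector
{
    // Exact names ("example.com") and wildcard parents ("example.com" for "*.example.com").
    private readonly Dictionary<string, X509Certificate2> _exact =
        new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<string, X509Certificate2> _wildcard =
        new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase);
    private readonly X509Certificate2 _fallback;   // served when no SNI or no match

    public SniCertificateSelector(X509Certificate2 fallback) { _fallback = fallback; }

    // Register "example.com" or "*.example.com" (assumed caller-loaded certificates).
    public void Add(string pattern, X509Certificate2 cert)
    {
        if (pattern.StartsWith("*.", StringComparison.Ordinal))
            _wildcard[pattern.Substring(2)] = cert;
        else
            _exact[pattern] = cert;
    }

    // Signature matches System.Net.Security.ServerCertificateSelectionCallback.
    // hostName is null/empty when the ClientHello carried no SNI extension.
    public X509Certificate Select(object sender, string hostName)
    {
        if (string.IsNullOrEmpty(hostName)) return _fallback;
        hostName = hostName.TrimEnd('.');
        if (_exact.TryGetValue(hostName, out var exact)) return exact;
        // "*.example.com" matches "www.example.com" only: one label, not the
        // bare domain and not "a.b.example.com" (RFC 6125 wildcard rules).
        int dot = hostName.IndexOf('.');
        if (dot > 0 && _wildcard.TryGetValue(hostName.Substring(dot + 1), out var wild))
            return wild;
        return _fallback;   // unknown name: client will see a name mismatch, not a crash
    }

    // Options to pass to SslStream.AuthenticateAsServer(...), as in the comment above.
    public SslServerAuthenticationOptions BuildOptions() => new SslServerAuthenticationOptions
    {
        ServerCertificateSelectionCallback = Select,
        EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
        CertificateRevocationCheckMode = X509RevocationMode.Offline,
    };
}
```

Because the lookup runs inside the handshake, the map is built once at startup and only read from the callback, so no locking is needed for the hot path; reloading renewed certificates means swapping in a new selector instance.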