dotnet / aspire

Tools, templates, and packages to accelerate building observable, production-ready apps
https://learn.microsoft.com/dotnet/aspire
MIT License

Standalone Dashboard doesn't support disabling certificate validation in the resource service client #3670

Open davidfowl opened 6 months ago

davidfowl commented 6 months ago

I built a custom resource server and I was using HTTP/2 over TLS but wanted to disable certificate validation. Seems like there's no config to do so.

Call failed with gRPC error status. Status code: 'Internal', Message: 'Error starting gRPC call. HttpRequestException: The SSL connection could not be established, see inner exception. AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors'.
2024-04-12T17:02:51.6185866       System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
2024-04-12T17:02:51.6185886        ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

kvenkatrajan commented 6 months ago

@drewnoakes please have a look and test coverage for config would be good.

drewnoakes commented 6 months ago

@davidfowl there are three kinds of certificate validation error built in currently:

Disabling any of these makes me nervous, and disabling all of these seems like a bad idea. We can add config to provide control over these, though it'd make it easy for someone to make an insecure system that's prone to squatting.

In your error message, you were hitting both RemoteCertificateNameMismatch and RemoteCertificateChainErrors. Do you really want to allow disabling both of those?

Note that we do support specifying SslClientAuthenticationOptions via config binding, though it's not clear to me that it'd be enough for your case. You might be able to set TargetHost to work around the RemoteCertificateNameMismatch, but the chain error suggests the certificate is not recognised by the trusted CAs on the client machine.

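Building on the SslClientAuthenticationOptions route mentioned in the comment above, the following is an added example, not the Aspire dashboard's own code and not using its config binding keys, of how each of the two reported errors can be handled on a plain .NET HttpClient without switching validation off. The service URL, the SAN name "resource-service", and the CA file path are assumptions made for illustration; the insecure variant is included only to show what the thread is arguing against.

```csharp
// Added example (not Aspire dashboard code): scope TLS trust to the resource
// service's private CA instead of turning certificate validation off.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class ResourceServiceTls
{
    // Assumptions for illustration: the resource service listens on
    // https://localhost:5001, its certificate was issued by a private CA whose
    // PEM file is at ./dev-ca.pem, and the certificate's SAN is "resource-service".
    const string ServiceUrl = "https://localhost:5001/";
    const string ExpectedSan = "resource-service";
    const string CaPemPath = "./dev-ca.pem";

    // What NOT to do: this silences RemoteCertificateNameMismatch and
    // RemoteCertificateChainErrors by accepting any certificate, so any
    // process that can squat on the port is trusted as the resource service.
    public static SslClientAuthenticationOptions Insecure() => new()
    {
        RemoteCertificateValidationCallback = static (_, _, _, _) => true,
    };

    // Hardened equivalent: each of the two errors from the issue is addressed
    // by narrowing validation rather than disabling it.
    public static SslClientAuthenticationOptions Hardened()
    {
        var caRoots = new X509Certificate2Collection();
        caRoots.ImportFromPemFile(CaPemPath);

        // RemoteCertificateChainErrors: the cert chains to a CA the machine does
        // not trust. Trust exactly that CA for this connection only, instead of
        // adding it to the machine store or skipping chain building.
        var chainPolicy = new X509ChainPolicy
        {
            TrustMode = X509ChainTrustMode.CustomRootTrust,
            RevocationMode = X509RevocationMode.NoCheck, // assumed: private CA publishes no CRL
        };
        chainPolicy.CustomTrustStore.AddRange(caRoots);

        return new SslClientAuthenticationOptions
        {
            // RemoteCertificateNameMismatch: the dashboard dials "localhost" but the
            // cert is issued to "resource-service". TargetHost is used for SNI and
            // for hostname verification, so the name check stays on; only use this
            // when you know the cert is legitimately issued to that name.
            TargetHost = ExpectedSan,
            CertificateChainPolicy = chainPolicy,

            // Keep the default decision (only SslPolicyErrors.None passes) but log
            // which flags were raised, so the operator fixes SAN vs. CA trust
            // instead of reaching for "accept everything".
            RemoteCertificateValidationCallback = static (_, cert, _, errors) =>
            {
                if (errors == SslPolicyErrors.None)
                    return true;
                Console.Error.WriteLine($"Rejected '{cert?.Subject}': {errors}");
                return false;
            },
        };
    }

    // HTTP/2-only client over the chosen TLS options (gRPC requires HTTP/2).
    public static HttpClient CreateClient(SslClientAuthenticationOptions tls)
    {
        var handler = new SocketsHttpHandler { SslOptions = tls };
        return new HttpClient(handler)
        {
            BaseAddress = new Uri(ServiceUrl),
            DefaultRequestVersion = HttpVersion.Version20,
            DefaultVersionPolicy = HttpVersionPolicy.RequestVersionExact,
        };
    }

    public static async Task Main()
    {
        using var client = CreateClient(Hardened());
        using var response = await client.GetAsync("/");
        Console.WriteLine($"{(int)response.StatusCode} over HTTP/{response.Version}");
    }
}
```

For a Grpc.Net.Client channel the same SocketsHttpHandler can be passed via GrpcChannelOptions.HttpHandler, so the pinned CA and TargetHost apply to the gRPC calls as well. The useful check here is the logged SslPolicyErrors value: a line showing both RemoteCertificateNameMismatch and RemoteCertificateChainErrors, as in the original report, means two separate fixes are needed (the name the client verifies against, and the CA it trusts), not one switch to turn validation off.
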
kvenkatrajan commented 6 months ago

Moving to 8.1 - @davidfowl please confirm if this can wait till 8.1 - focussing on integration tests for existing auth code paths at this time.

davidfowl commented 6 months ago

It can

drewnoakes commented 6 months ago

We still need some clarity on what's expected here before we can tackle this. I've marked it as blocked on that input for now.

marinasundstrom commented 6 months ago

I'm using the YARP resource prototype by @davidfowl. My resources are HTTPS, and requests through the YARP resource fail with RemoteCertificateNameMismatch.

I'm porting my project to Aspire, and was hoping it would just work.

davidfowl commented 6 months ago

This issue is unrelated, but I opened one here https://github.com/dotnet/aspire/issues/3991