[API Proposal]: Add TargetHostName to QuicConnection

[EatonZ]

Background and motivation

Consider the following code:

var handler = new SocketsHttpHandler
{
    SslOptions = new SslClientAuthenticationOptions { RemoteCertificateValidationCallback = HandlePinningPolicy }
};
var httpClient = new HttpClient(handler);

private static bool HandlePinningPolicy(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors != SslPolicyErrors.None) return false;

    if (PinList != null && PinList.TryGetValue(((SslStream)sender).TargetHostName, out var pin)) return new Span<byte>(pin).SequenceEqual(SHA256.HashData(certificate.GetPublicKey()));

    return true;
}

On HTTP 1 and 2 connections, that all works perfectly fine. With .NET 7 and HTTP 3, I noticed HandlePinningPolicy was throwing an exception:

Unable to cast object of type 'System.Net.Quic.QuicConnection' to type 'System.Net.Security.SslStream'.

The problem is obvious, so I decided to add a check for when the sender is QuicConnection. Just one problem though.. QuicConnection doesn't provide the host name of the connection, and I do not see any way to get it:

As a result, pinning HTTP 3 connections seems impossible.

Any temporary workaround would be appreciated.🙂

API Proposal

namespace System.Net.Quic;

public sealed partial class QuicConnection : IAsyncDisposable
{
+    public string TargetHostName { ... }
}

API Usage

if (PinList != null && PinList.TryGetValue(sender is QuicConnection qc ? qc.TargetHostName : ((SslStream)sender).TargetHostName, out var pin)) return new Span<byte>(pin).SequenceEqual(SHA256.HashData(certificate.GetPublicKey()));

Alternative Designs

No response

Risks

None

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Background and motivation

Consider the following code:

var handler = new SocketsHttpHandler
{
    SslOptions = new SslClientAuthenticationOptions { RemoteCertificateValidationCallback = HandlePinningPolicy }
};
var httpClient = new HttpClient(handler);

private static bool HandlePinningPolicy(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors != SslPolicyErrors.None) return false;

    if (PinList != null && PinList.TryGetValue(((SslStream)sender).TargetHostName, out var pin)) return new Span<byte>(pin).SequenceEqual(SHA256.HashData(certificate.GetPublicKey()));

    return true;
}

On HTTP 1 and 2 connections, that all works perfectly fine. With .NET 7 and HTTP 3, I noticed HandlePinningPolicy was throwing an exception:

Unable to cast object of type 'System.Net.Quic.QuicConnection' to type 'System.Net.Security.SslStream'.

The problem is obvious, so I decided to add a check for when the sender is QuicConnection. Just one problem though.. QuicConnection doesn't provide the host name of the connection, and I do not see any way to get it:

As a result, pinning HTTP 3 connections seems impossible.

Any temporary workaround would be appreciated.🙂

API Proposal

namespace System.Net.Quic;

public sealed partial class QuicConnection : IAsyncDisposable
{
+    public string TargetHostName { ... }
}

API Usage

if (PinList != null && PinList.TryGetValue(sender is QuicConnection qc ? qc.TargetHostName : ((SslStream)sender).TargetHostName, out var pin)) return new Span<byte>(pin).SequenceEqual(SHA256.HashData(certificate.GetPublicKey()));

Alternative Designs

No response

Risks

None

Author:	EatonZ
Assignees:	-
Labels:	api-suggestion, area-System.Net, untriaged
Milestone:	-

[wfurt]

This would make sense to me. It seems like we already have _targetHost inside of private SslConnectionOptions.
You may be able to get to it with little bit of Reflection magic @EatonZ until there is better way.

[EatonZ]

@wfurt Thank you for the tip. I came up with this, which is an acceptable workaround for now. Hopefully you will consider my proposal so this can be cleaned up later.🙂

string targetHost;
if (sender is QuicConnection qc)
{
    var _sslConnectionOptions = qc.GetType().GetField("_sslConnectionOptions", BindingFlags.Instance | BindingFlags.NonPublic).GetValue(qc);
    targetHost = (string)_sslConnectionOptions.GetType().GetField("_targetHost", BindingFlags.Instance | BindingFlags.NonPublic).GetValue(_sslConnectionOptions);
}
else targetHost = ((SslStream)sender).TargetHostName;

[wfurt]

For the record, here is #27619 original ask for SslStream.

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Background and motivation

Consider the following code:

var handler = new SocketsHttpHandler
{
    SslOptions = new SslClientAuthenticationOptions { RemoteCertificateValidationCallback = HandlePinningPolicy }
};
var httpClient = new HttpClient(handler);

private static bool HandlePinningPolicy(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors != SslPolicyErrors.None) return false;

    if (PinList != null && PinList.TryGetValue(((SslStream)sender).TargetHostName, out var pin)) return new Span<byte>(pin).SequenceEqual(SHA256.HashData(certificate.GetPublicKey()));

    return true;
}

On HTTP 1 and 2 connections, that all works perfectly fine. With .NET 7 and HTTP 3, I noticed HandlePinningPolicy was throwing an exception:

Unable to cast object of type 'System.Net.Quic.QuicConnection' to type 'System.Net.Security.SslStream'.

The problem is obvious, so I decided to add a check for when the sender is QuicConnection. Just one problem though.. QuicConnection doesn't provide the host name of the connection, and I do not see any way to get it:

As a result, pinning HTTP 3 connections seems impossible.

Any temporary workaround would be appreciated.🙂

API Proposal

namespace System.Net.Quic;

public sealed partial class QuicConnection : IAsyncDisposable
{
+    public string TargetHostName { ... }
}

API Usage

if (PinList != null && PinList.TryGetValue(sender is QuicConnection qc ? qc.TargetHostName : ((SslStream)sender).TargetHostName, out var pin)) return new Span<byte>(pin).SequenceEqual(SHA256.HashData(certificate.GetPublicKey()));

Alternative Designs

No response

Risks

None

Author:	EatonZ
Assignees:	-
Labels:	api-suggestion, untriaged, area-System.Net.Quic
Milestone:	-

[ManickaP]

Triage: this seems fairly easy so we could do it in 8.0. And we have precedent in SslStream.

[ManickaP]

Related issue: #70184