How to Implement SSL on Kestrel/ASP.NET Core
A Step-by-Step Guide on Configuring HTTPS on Kestrel/ASP.NET
Kestrel is the web server included by default in ASP.NET Core new-project templates. It is a cross-platform web server based on libuv, a cross-platform asynchronous I/O library.
Kestrel is relatively new. As of October 27, 2016, Microsoft was still suggesting you use IIS, Nginx or Apache as a reverse proxy server for edge deployments because of security concerns:
Kestrel is relatively new and does not yet have a full complement of defenses against attacks. This includes but isn’t limited to appropriate timeouts, size limits, and concurrent connection limits. For more information about when to use Kestrel with a reverse proxy, see Kestrel
Today we’re going to discuss how to implement SSL on Kestrel and enable HTTPS connections, adding a much-needed layer of security to the fledgling server.
To implement SSL and configure the server for HTTPS, you’ll need to start by acquiring an SSL certificate. This is a simple process. You’ll just need to:
- Select and purchase an SSL certificate
- Generate a CSR and a public/private key-pair
- Send the public key and your CSR to the Certificate Authority
- Undergo validation
- Receive your SSL Certificate and any intermediates that accompany it
After you’ve done all this, make sure you have provided a friendly name for the certificate and store, and have the pfx file handy.
Modify the project.json file to add a reference to the Microsoft.AspNet.Server.Kestrel.Https NuGet package.
    "dependencies": {
        "Microsoft.AspNet.Server.Kestrel": "1.0.0-rc1-final",
        "Microsoft.AspNet.IISPlatformHandler": "1.0.0-rc1-final",
        "Microsoft.AspNet.Diagnostics": "1.0.0-rc1-final",
        "Microsoft.AspNet.Mvc": "6.0.0-rc1-final",
        "Microsoft.Extensions.Logging.Console": "1.0.0-rc1-final",
        "Microsoft.AspNet.Server.Kestrel.Https": "1.0.0-rc1-final"
    }
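After that, you’ll need to modify the Configure() method in the Startup file to use the certificate.
    // Requires: using System.IO;
    //           using System.Security.Cryptography.X509Certificates;
    public void Configure(IApplicationBuilder app,
                          IHostingEnvironment env,
                          IApplicationEnvironment appEnv,
                          ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole();

        // Load the certificate and its private key from the PFX file
        // that sits in the application base path.
        var pfxFile = Path.Combine(appEnv.ApplicationBasePath, "Sample.pfx");
        // "Password" is a placeholder for the PFX password.
        X509Certificate2 certificate = new X509Certificate2(pfxFile, "Password");

        // Mark requests as HTTPS (work-around, defined further down),
        // then enable TLS on Kestrel with the loaded certificate.
        app.Use(ChangeContextToHttps);
        app.UseKestrelHttps(certificate);

        app.UseDeveloperExceptionPage();
        app.UseMvcWithDefaultRoute();
    }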
Do not hard-code your certificate password as in the sample above; use the secrets API instead.
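One way to keep the PFX password out of source code, as an added example that is not from the original article or from the ASP.NET project. It assumes the RC1-era Microsoft.Extensions.Configuration.UserSecrets and Microsoft.Extensions.Configuration.EnvironmentVariables packages; the class name `HttpsCertificateLoader` and the key `Kestrel:CertificatePassword` are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;

// Hypothetical helper: reads the PFX password from configuration and
// sanity-checks the certificate before it is handed to Kestrel.
public static class HttpsCertificateLoader
{
    // User secrets (development) and environment variables (deployment)
    // both live outside source control.
    public static IConfiguration BuildConfiguration(bool isDevelopment)
    {
        var builder = new ConfigurationBuilder();
        if (isDevelopment)
        {
            // Assumption: "userSecretsId" is set in project.json.
            builder.AddUserSecrets();
        }
        builder.AddEnvironmentVariables();
        return builder.Build();
    }

    public static X509Certificate2 Load(string pfxPath, IConfiguration config)
    {
        // Hypothetical key name; pick whatever fits your configuration layout.
        var password = config["Kestrel:CertificatePassword"];
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException("Certificate password is not configured.");
        if (!File.Exists(pfxPath))
            throw new FileNotFoundException("PFX file not found.", pfxPath);

        var certificate = new X509Certificate2(pfxPath, password);

        // A PFX exported without its private key cannot terminate TLS.
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key.");

        // NotBefore/NotAfter are local times; fail fast instead of serving
        // an expired or not-yet-valid certificate.
        var now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new InvalidOperationException("Certificate is outside its validity period.");

        return certificate;
    }
}
```

In Configure(), the line that constructs the X509Certificate2 with a literal password can then call `HttpsCertificateLoader.Load(pfxFile, config)` instead.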
The method below is a work-around for the 454 defect.
Note: This has been fixed in RC2.
    private static RequestDelegate ChangeContextToHttps(RequestDelegate next)
    {
        return async context =>
        {
            context.Request.Scheme = "https";
            await next(context);
        };
    }
Next, modify project.json again and change the URL in the web command to use https:
    "commands": {
        "web": "Microsoft.AspNet.Server.Kestrel --server.urls https://*:5004"
    }
Finally, remove "dnxcore50" from the frameworks section of project.json. Kestrel.Https is not supported in dnxcore.
Congratulations, your Kestrel server is now configured for HTTPS.