Breaking change: HttpSys TLS channel binding token exposure (.NET 11)#37325
Open
DeagleGross wants to merge 2 commits into
Open
Breaking change: HttpSys TLS channel binding token exposure (.NET 11)#37325DeagleGross wants to merge 2 commits into
DeagleGross wants to merge 2 commits into
Conversation
…e (.NET 11) Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a new breaking-change doc for ASP.NET Core 11 announcing that
Microsoft.AspNetCore.Server.HttpSysnow callsHttpSetUrlGroupProperty(HttpServerChannelBindProperty)on every startup by default. This enables per-request TLS channel binding tokens (RFC 5929tls-server-end-point) and the newITlsConnectionFeature.TryGetChannelBindingBytesAPI, unlocking Extended Protection for Authentication (EPA) scenarios.Reference: dotnet/aspnetcore#67436.
Changes
aspnetcore/breaking-changes/11/httpsys-channel-binding-token-enabled.mdfollowing the section structure and tone of the existing .NET 11 breaking-change docs (e.g.,kestrel-strict-protocol-compliance.md).aspnetcore/breaking-changes/11/overview.md, inserted in the correct alphabetical position and typed as a Behavioral change.Highlights
HttpSysOptions.HttpAuthenticationHardeningLevel(Legacy/Medium/Strict), defaultMedium.HttpServerChannelBindProperty; forMedium/Strictit also setsHTTP_CHANNEL_BIND_SECURE_CHANNEL_TOKEN.ITlsConnectionFeature.TryGetChannelBindingBytesreturns the endpoint CBT on authenticated HTTPS requests.HttpAuthenticationHardeningLevel.Legacyto restore pre-.NET 11 behavior.Internal previews