Transport layer security for HTTP-based services is achieved by adding an SSL or TLS layer beneath HTTP. SSL stands for Secure Sockets Layer and TLS stands for Transport Layer Security.
SSL is the deprecated predecessor: vulnerabilities have been found in it and exploited by attackers. Nowadays, most web applications provide transport layer security using TLS.
In this article, let's look at how TLS can be configured on the Kestrel web server.
The ConfigureHttpsDefaults method takes an Action parameter that can be used for this purpose. The action receives a parameter of type HttpsConnectionAdapterOptions, which has an SslProtocols property that can be set to the protocol(s) to enable on the web server.
The default value of this property is None, meaning the web server lets the operating system choose the best protocol; the operating system is expected to block the insecure protocols. According to the documentation, this is the best option unless your application has specific needs.
Connection logging is very useful for troubleshooting issues related to TLS encryption or proxies. Kestrel ships with built-in middleware for connection logging, which writes at the Debug log level.
It is enabled by calling the UseConnectionLogging method. If this method is called before UseHttps, the encrypted traffic is logged; if it is called after UseHttps, the middleware logs the decrypted traffic.
The code below shows how TLS and connection logging can be enabled on the Kestrel server.
```csharp
using System.Net;
using System.Security.Authentication;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args).ConfigureWebHostDefaults(webBuilder =>
            webBuilder.ConfigureKestrel(serverOptions =>
            {
                // Set TLS 1.3 protocol for encrypted connections
                serverOptions.ConfigureHttpsDefaults(listenOptions =>
                    listenOptions.SslProtocols = SslProtocols.Tls13);
                serverOptions.Listen(IPAddress.Loopback, 5001, listenOptions =>
                {
                    // Uncomment for logging encrypted HTTP traffic
                    // listenOptions.UseConnectionLogging();
                    listenOptions.UseHttps();
                    // For logging decrypted HTTP traffic
                    listenOptions.UseConnectionLogging();
                });
            }).UseStartup<Startup>()); // Startup is the project's usual startup class
}
```
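As an added example that is not part of the original article, the same settings under .NET 6+ minimal hosting, taken one step further: two endpoints that show the ordering of UseConnectionLogging relative to UseHttps side by side, plus a per-endpoint UseHttps override of the SslProtocols default. It assumes a web project with the ASP.NET Core development certificate installed; the port numbers and the log filter are my own choices.

```csharp
using System.Net;
using System.Security.Authentication;

var builder = WebApplication.CreateBuilder(args);

// The connection logging middleware writes at Debug level, so raise the
// Kestrel log category to Debug or nothing will appear in the console.
builder.Logging.AddFilter("Microsoft.AspNetCore.Server.Kestrel", LogLevel.Debug);

builder.WebHost.ConfigureKestrel(serverOptions =>
{
    // Default for every HTTPS endpoint: allow TLS 1.2 and 1.3, nothing older.
    serverOptions.ConfigureHttpsDefaults(httpsOptions =>
        httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13);

    // Port 5001 (constructed example value): logging is registered BEFORE
    // UseHttps, so the log shows the TLS records as they arrive on the wire.
    serverOptions.Listen(IPAddress.Loopback, 5001, listenOptions =>
    {
        listenOptions.UseConnectionLogging();
        listenOptions.UseHttps();
    });

    // Port 5002 (constructed example value): logging is registered AFTER
    // UseHttps, so the log shows the decrypted HTTP bytes. The per-endpoint
    // options are applied on top of the defaults above, so this endpoint
    // accepts TLS 1.3 only.
    serverOptions.Listen(IPAddress.Loopback, 5002, listenOptions =>
    {
        listenOptions.UseHttps(httpsOptions =>
            httpsOptions.SslProtocols = SslProtocols.Tls13);
        listenOptions.UseConnectionLogging();
    });
});

var app = builder.Build();
app.MapGet("/", () => "TLS endpoint is up");
app.Run();
```

Run it with dotnet run, request https://127.0.0.1:5001/ and https://127.0.0.1:5002/, and compare the two sets of Kestrel log lines.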
Have you used connection logging? How was your experience? Let me know your thoughts.