
I want to disable all protocols that are older than TLS 1.2. On other posts I read that I can configure it like this:

```csharp
WebHost.CreateDefaultBuilder(args)
    .UseKestrel(c =>
    {
        c.ConfigureHttpsDefaults(configureOptions =>
        {
            configureOptions.SslProtocols = SslProtocols.Tls12;
        });
    })
    .UseStartup<Startup>();
```

When I test this setup with ssllabs I see that older protocols are still supported. It seems that I can only configure the defaults, but I find conflicting blogs/posts that claim that I should be able to only allow TLS 1.2 this way (like this blog).

Am I missing something or is it really only possible to set the defaults on Kestrel?

Note: I am restricted to ASP.NET Core 2.2 because I cannot (yet) move from .NET Framework to .NET Core.

Yokovaski
  • Are you hosting your ASP.NET Core app on a platform that has another frontend web server, such as Azure App Service? In that case, it might be possible that the TLS connection terminates there, and you need to configure that instead. I'm asking, because it's pretty rare to see Kestrel used _without_ something in front of it. – Rytmis Aug 18 '20 at 14:41
  • Does this answer your question? [Any way to restrict ASP.NET Core 2.0 HTTPS to TLS 1.2?](https://stackoverflow.com/questions/46832384/any-way-to-restrict-asp-net-core-2-0-https-to-tls-1-2) – Henkolicious Aug 18 '20 at 14:50
  • @Henkolicious unfortunately no, I already linked the same post in my own. – Yokovaski Aug 18 '20 at 14:54
  • @Rytmis Kestral is the edge web server in this configuration. The TLS 1.2 connection is not terminated and I can see in ssllabs that Kestral is the web server serving the website. My issue lies in that older versions, i.e. TLS 1.0 and 1.1, are still supported somehow – Yokovaski Aug 18 '20 at 14:56
  • Kestral => Kestrel – Yokovaski Aug 18 '20 at 15:04
  • Kestrel is not for public service. If you are on Windows Server, set up IIS. If on Linux, set up Nginx or Apache for it. –  Aug 18 '20 at 23:27
  • @donggas90 I do not agree. As far as I know it is only recommended to put IIS, Apache or Nginx in front of Kestrel because they are better at serving static content. In my case there is not a lot of static content. The amount of static content of the website is small, but the API is not. If I am mistaken, please point me to documentation that explains why Kestrel is not for public service. I only see [reasons](https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1) why it might be a good choice to put Kestrel behind a reverse proxy server. – Yokovaski Aug 19 '20 at 08:17
  • https://stackoverflow.com/a/46878663/1655141 –  Aug 19 '20 at 08:20
  • The post you share only points out the history of why a reverse proxy is commonly used. The post even states that more and more features will be added to Kestrel and the post is three years old and a lot of features have been added which is the reason why I do not see the advantage of using a reverse proxy. Again: I use Kestrel because I serve a lot of dynamic content and Microsoft even recommends using Kestrel in that case because of its performance with dynamic content – Yokovaski Aug 19 '20 at 08:39
  • In Windows Server, IIS and Kestrel have now been merged, which is called In-Process hosting, instead of improving Kestrel itself. I don't know whether MS has a plan to improve Kestrel to the level of IIS, Nginx or Apache. But obviously, right now, Kestrel does not have the power of those levels, because Kestrel was designed for reverse proxy. Not public service. –  Aug 19 '20 at 08:53
  • Ok, let's end this discussion here. I do not claim that Kestrel is a complete web server like IIS, Apache or Nginx. I only state that for me there is no advantage with using a reverse proxy because Kestrel has all the features I need. On In-Process hosting: in my question I explained that I am bound to .NET Framework for the time being, and: [The in-process hosting model isn't supported for ASP.NET Core apps that target the .NET Framework](https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-2.2#in-process-hosting-model-1). – Yokovaski Aug 19 '20 at 10:24
  • As you know, your question and the context you are describing do not match. You said you cannot disable some features, but now you are saying it supports everything needed. If everything you wanted is supported, why did you ask the question? OK, use Kestrel for public service. I don't care. I just mentioned to you that it was not designed for that purpose. Therefore, it does not support the feature you wanted. But if that can be ignored because of other advantages, use it. –  Aug 20 '20 at 00:00

0 Answers
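
The ssllabs check described in the question can be reproduced locally with a small probe. This is an added example, not part of the original thread: it attempts one handshake per protocol version against your own endpoint and reports which versions are still negotiated. The default host `localhost` and port `5001` are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe
{
    // Attempts a single handshake restricted to exactly one protocol version.
    static string Probe(string host, int port, SslProtocols version)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            // Certificate validation is skipped on purpose: only protocol
            // negotiation is measured here, not trust in the certificate.
            using (var tls = new SslStream(tcp.GetStream(), false,
                                           (sender, cert, chain, errors) => true))
            {
                tls.AuthenticateAsClient(host, null, version, false);
                return "ACCEPTED (negotiated " + tls.SslProtocol + ")";
            }
        }
        catch (AuthenticationException ex) { return "rejected: " + ex.Message; }
        catch (IOException ex) { return "rejected: " + ex.Message; }
        catch (Win32Exception ex) { return "rejected: " + ex.Message; }
        catch (SocketException ex) { return "no connection: " + ex.Message; }
    }

    static int Main(string[] args)
    {
        // Assumed defaults; pass the host and port of your own Kestrel endpoint.
        string host = args.Length > 0 ? args[0] : "localhost";
        int port = args.Length > 1 ? int.Parse(args[1]) : 5001;

        bool legacyAccepted = false;
        foreach (var version in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            string result = Probe(host, port, version);
            Console.WriteLine("{0,-6} {1}", version, result);
            if (version != SslProtocols.Tls12 && result.StartsWith("ACCEPTED"))
                legacyAccepted = true;
        }
        // A non-zero exit code means TLS 1.0 or 1.1 is still being served.
        return legacyAccepted ? 1 : 0;
    }
}
```

A "rejected" line can also mean the probing machine itself has that protocol version disabled for client use, so run the probe from a host where TLS 1.0 and 1.1 are still enabled on the client side.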