diff options
| author | Wouter Tinus <win.acme.simple@gmail.com> | 2019-12-25 13:09:19 +0100 |
|---|---|---|
| committer | Wouter Tinus <win.acme.simple@gmail.com> | 2019-12-25 13:09:19 +0100 |
| commit | 4ce22b65f19a88b9739d2a421bd89dc4f278e95f (patch) | |
| tree | fc0806e0a612f2dee1a09b93a002df3b7a5742c3 /src/main.lib | |
| parent | a791c89c559a78226a58df56b51e77f859da9ee3 (diff) | |
| download | letsencrypt-win-simple-4ce22b65f19a88b9739d2a421bd89dc4f278e95f.zip letsencrypt-win-simple-4ce22b65f19a88b9739d2a421bd89dc4f278e95f.tar.gz letsencrypt-win-simple-4ce22b65f19a88b9739d2a421bd89dc4f278e95f.tar.bz2 | |
Update handling of modern sslFlags
Diffstat (limited to 'src/main.lib')
| -rw-r--r-- | src/main.lib/Clients/IIS/IISHttpBindingUpdater.cs | 63 | ||||
| -rw-r--r-- | src/main.lib/Clients/IIS/SSLFlags.cs | 19 | ||||
| -rw-r--r-- | src/main.lib/Plugins/InstallationPlugins/IISWeb/IISWeb.cs | 2 | ||||
| -rw-r--r-- | src/main.lib/wacs.lib.csproj | 24 |
4 files changed, 76 insertions, 32 deletions
diff --git a/src/main.lib/Clients/IIS/IISHttpBindingUpdater.cs b/src/main.lib/Clients/IIS/IISHttpBindingUpdater.cs index 69b3c0e..9e8f3bf 100644 --- a/src/main.lib/Clients/IIS/IISHttpBindingUpdater.cs +++ b/src/main.lib/Clients/IIS/IISHttpBindingUpdater.cs @@ -162,7 +162,7 @@ namespace PKISharp.WACS.Clients.IIS { var bestMatch = matchingBindings.First(); var bestMatches = matchingBindings.Where(x => x.binding.Host == bestMatch.binding.Host); - if (bestMatch.fit == 100 || !bindingOptions.Flags.HasFlag(SSLFlags.CentralSSL)) + if (bestMatch.fit == 100 || !bindingOptions.Flags.HasFlag(SSLFlags.CentralSsl)) { // All existing https bindings var existing = bestMatches. @@ -309,22 +309,42 @@ namespace PKISharp.WACS.Clients.IIS { return SSLFlags.None; } - // Do not allow CentralSSL flag to be set on the default binding - if (string.IsNullOrEmpty(host)) + + // Add SNI on Windows Server 2012+ for new bindings + if (newBinding && + !string.IsNullOrEmpty(host) && + _client.Version.Major >= 8) { - if (flags.HasFlag(SSLFlags.CentralSSL)) - { - throw new InvalidOperationException("Central SSL is not supported without a hostname"); - } + flags |= SSLFlags.SNI; } - // Add SNI on Windows Server 2012+ - if (newBinding) + + // Modern flags are not supported by IIS versions lower than 10. + // In fact they are not even supported by all versions of IIS 10, + // but so far we don't know how to check for these features + // availability (IIS reports its version as 10.0.0 even on + // Server 2019). + if (_client.Version.Major < 10) { - if (!string.IsNullOrEmpty(host) && _client.Version.Major >= 8) + flags &= ~SSLFlags.IIS10_Flags; + } + + // Some flags cannot be used together with the CentralSsl flag, + // because when using CentralSsl they are supposedly configured at + // the server level instead of at the binding level (though the IIS + // Manager doesn't seem to expose these options). + if (flags.HasFlag(SSLFlags.CentralSsl)) + { + // Do not allow CentralSSL flag to be set on the default binding + // Logic elsewhere in the program should prevent this + // from happening. This is merely a sanity check + if (string.IsNullOrEmpty(host)) { - flags |= SSLFlags.SNI; + throw new InvalidOperationException("Central SSL is not supported without a hostname"); } + flags &= ~SSLFlags.NotWithCentralSsl; } + + // All checks passed, return flags return flags; } @@ -353,8 +373,8 @@ namespace PKISharp.WACS.Clients.IIS var currentFlags = existingBinding.SSLFlags; if ((currentFlags & ~SSLFlags.SNI) == (options.Flags & ~SSLFlags.SNI) && // Don't care about SNI status ((options.Store == null && existingBinding.CertificateStoreName == null) || - StructuralComparisons.StructuralEqualityComparer.Equals(existingBinding.CertificateHash, options.Thumbprint) && - string.Equals(existingBinding.CertificateStoreName, options.Store, StringComparison.InvariantCultureIgnoreCase))) + (StructuralComparisons.StructuralEqualityComparer.Equals(existingBinding.CertificateHash, options.Thumbprint) && + string.Equals(existingBinding.CertificateStoreName, options.Store, StringComparison.InvariantCultureIgnoreCase)))) { _log.Verbose("No binding update needed"); } @@ -366,13 +386,20 @@ namespace PKISharp.WACS.Clients.IIS // Callers should not generally request SNI unless // required for the binding, e.g. for TLS-SNI validation. // Otherwise let the admin be in control. - if (currentFlags.HasFlag(SSLFlags.SNI)) + + // Update 25-12-2019: preserve all existing SSL flags + // instead of just SNI, to accomdate the new set of flags + // introduced in recent versions of Windows Server. + var preserveFlags = existingBinding.SSLFlags & ~SSLFlags.CentralSsl; + if (options.Flags.HasFlag(SSLFlags.CentralSsl)) { - options = options.WithFlags(options.Flags | SSLFlags.SNI); + preserveFlags &= ~SSLFlags.NotWithCentralSsl; } - _log.Information(LogType.All, "Updating existing https binding {host}:{port}", + options = options.WithFlags(options.Flags | preserveFlags); + _log.Information(LogType.All, "Updating existing https binding {host}:{port} (flags: {flags})", existingBinding.Host, - existingBinding.Port); + existingBinding.Port, + (int)options.Flags); _client.UpdateBinding(site, existingBinding, options); } } @@ -392,7 +419,7 @@ namespace PKISharp.WACS.Clients.IIS { // The default (emtpy) binding matches with all hostnames. // But it's not supported with Central SSL - if (string.IsNullOrEmpty(iis) && (!flags.HasFlag(SSLFlags.CentralSSL))) + if (string.IsNullOrEmpty(iis) && (!flags.HasFlag(SSLFlags.CentralSsl))) { return 10; } diff --git a/src/main.lib/Clients/IIS/SSLFlags.cs b/src/main.lib/Clients/IIS/SSLFlags.cs index 10ea7df..a840bf7 100644 --- a/src/main.lib/Clients/IIS/SSLFlags.cs +++ b/src/main.lib/Clients/IIS/SSLFlags.cs @@ -11,6 +11,23 @@ namespace PKISharp.WACS.Clients.IIS { None = 0, SNI = 1, - CentralSSL = 2 + CentralSsl = 2, + DisableHttp2 = 4, + DisableOcspStapling = 8, + DisableQuic = 16, + DisableTls13OverTcp = 32, + DisableLegacyTls = 64, + + /// <summary> + /// Flags introduced in specific versions of Windows + /// </summary> + IIS10_Flags = IIS10_Server2016_Flags | IIS10_Server2019_Flags, + IIS10_Server2016_Flags = DisableHttp2 | DisableOcspStapling, + IIS10_Server2019_Flags = DisableLegacyTls | DisableTls13OverTcp | DisableQuic, + + /// <summary> + /// Incompatibiliy between certain flags + /// </summary> + NotWithCentralSsl = DisableHttp2 | DisableOcspStapling | DisableQuic | DisableTls13OverTcp | DisableLegacyTls } } diff --git a/src/main.lib/Plugins/InstallationPlugins/IISWeb/IISWeb.cs b/src/main.lib/Plugins/InstallationPlugins/IISWeb/IISWeb.cs index 3a8b19e..9bad8c9 100644 --- a/src/main.lib/Plugins/InstallationPlugins/IISWeb/IISWeb.cs +++ b/src/main.lib/Plugins/InstallationPlugins/IISWeb/IISWeb.cs @@ -45,7 +45,7 @@ namespace PKISharp.WACS.Plugins.InstallationPlugins } else { - bindingOptions = bindingOptions.WithFlags(SSLFlags.CentralSSL); + bindingOptions = bindingOptions.WithFlags(SSLFlags.CentralSsl); } } else if (certificateStore != null) diff --git a/src/main.lib/wacs.lib.csproj b/src/main.lib/wacs.lib.csproj index b37b666..1484ca0 100644 --- a/src/main.lib/wacs.lib.csproj +++ b/src/main.lib/wacs.lib.csproj @@ -25,28 +25,28 @@ <ItemGroup> <PackageReference Include="Autofac" Version="4.9.4" /> <PackageReference Include="DnsClient" Version="1.2.0" /> - <PackageReference Include="Microsoft.Extensions.Configuration" Version="3.0.0" /> - <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="3.0.0" /> - <PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="3.0.0" /> - <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="3.0.0" /> + <PackageReference Include="Microsoft.Extensions.Configuration" Version="3.1.0" /> + <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="3.1.0" /> + <PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="3.1.0" /> + <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="3.1.0" /> <PackageReference Include="Microsoft.Web.Administration" Version="11.1.0" /> - <PackageReference Include="Microsoft.Win32.Registry" Version="4.6.0" /> + <PackageReference Include="Microsoft.Win32.Registry" Version="4.7.0" /> <PackageReference Include="Nager.PublicSuffix" Version="1.5.0" /> - <PackageReference Include="Portable.BouncyCastle" Version="1.8.5" /> + <PackageReference Include="Portable.BouncyCastle" Version="1.8.5.2" /> <PackageReference Include="Serilog" Version="2.9.0" /> <PackageReference Include="Serilog.Settings.AppSettings" Version="2.2.2" /> <PackageReference Include="Serilog.Settings.Configuration" Version="3.1.0" /> <PackageReference Include="Serilog.Sinks.Console" Version="3.1.1" /> <PackageReference Include="Serilog.Sinks.EventLog" Version="3.1.0" /> - <PackageReference Include="Serilog.Sinks.File" Version="4.0.0" /> + <PackageReference Include="Serilog.Sinks.File" Version="4.1.0" /> <PackageReference Include="SSH.NET" Version="2016.1.0" /> - <PackageReference Include="System.Configuration.ConfigurationManager" Version="4.6.0" /> - <PackageReference Include="System.IO.FileSystem.AccessControl" Version="4.6.0" /> + <PackageReference Include="System.Configuration.ConfigurationManager" Version="4.7.0" /> + <PackageReference Include="System.IO.FileSystem.AccessControl" Version="4.7.0" /> <PackageReference Include="System.Runtime.Loader" Version="4.3.0" /> - <PackageReference Include="System.Security.Cryptography.Cng" Version="4.6.0" /> - <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.6.0" /> + <PackageReference Include="System.Security.Cryptography.Cng" Version="4.7.0" /> + <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="4.7.0" /> <PackageReference Include="System.Security.Cryptography.X509Certificates" Version="4.3.2" /> - <PackageReference Include="TaskScheduler" Version="2.8.15" /> + <PackageReference Include="TaskScheduler" Version="2.8.18" /> <PackageReference Include="WebDav.Client" Version="2.3.1" /> </ItemGroup> |