Skip to content

Implement a fast lookup for wildcard certificates #2815

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Implement a fast lookup for wildcard certificates #2815

wants to merge 7 commits into from

Conversation

@arontsang
Copy link

@arontsang arontsang commented Apr 4, 2025

No description provided.

@arontsang arontsang force-pushed the feature/fast-wildcard-certificate-lookup branch 3 times, most recently from 5540ac3 to d979058 Compare April 5, 2025 10:16
gfoidl
gfoidl reviewed May 9, 2025
View reviewed changes
Copy link
Member

@gfoidl gfoidl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: there are quite a few blank lines that could be removed too.

src/Kubernetes.Controller/Certificates/ImmutableCertificateCache.cs Outdated
Comment on lines 107 to 108
var charA = x[^i] & 0x5F;
var charB = y[^i] & 0x5F;
Copy link
Member

@gfoidl gfoidl May 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You compare it backwards?
Is it better then, to write the loop backwards and have normal index access?

src/Kubernetes.Controller/Certificates/ImmutableCertificateCache.cs Outdated
Comment on lines 103 to 105
var length = Math.Min(x.Length, y.Length);

for (var i = 1; i <= length; i++)
Copy link
Member

@gfoidl gfoidl May 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the JIT can't elide the bound-check for indexing into the spans.
I think it's better to slice the spans to the common (= min) length and use one span in the loop, in order to elide at least one bound check (the JIT should handle the downward loop (see other comment) in a recent version).

Roughly:

Suggested change
var length = Math.Min(x.Length, y.Length);
for (var i = 1; i <= length; i++)
if (x.Length < y.Length)
{
y = y.Slice(0, x.Length);
}
else if (y.Length < x.Length)
{
x = x.Slice(0, y.Length);
}
for (var i = x.Length; i >= 1; --i)

KLuuKer
KLuuKer reviewed Oct 28, 2025
View reviewed changes
src/Kubernetes.Controller/Certificates/ServerCertificateSelector.cs Outdated
_hasBeenUpdated = true;
}

public X509Certificate2 GetCertificate(ConnectionContext connectionContext, string domainName)
Copy link

@KLuuKer KLuuKer Oct 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

domainName CAN BE NULL!
when SNI is not available.

https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.server.kestrel.https.httpsconnectionadapteroptions.servercertificateselector?view=aspnetcore-9.0

Copy link
Author

@arontsang arontsang Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well poop, forgot about SNI. I would expect that everything supports SNI by now. But yes, get your point...sigh...

Copy link

@KLuuKer KLuuKer Nov 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i would suggest skipping certificate lookups and immediately fallback to the default cert when string.IsNullOrEmpty
you WILL get this traffic anytime someone runs ssllabs server test, or some other kind of auditing tool
or for the handful of people running this on their own internal network and connecting with some kind of weird legacy system

Copy link
Author

@arontsang arontsang Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to handle non SNI TLS hand shake.

Copy link

@KLuuKer KLuuKer Nov 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@KLuuKer
Copy link

KLuuKer commented Nov 11, 2025

If this pull also needs to work for the Kubernetes.Controller the following needs to be modified also

https://github.com/dotnet/yarp/blob/785e5fc80540baf3f34db17686d90cad595000a3/src/Kubernetes.Controller/Caching/IngressCache.cs#L100C9-L103C10

note: i don't work for MS but i have this code running right now with those lines patched out.
and from my limited testing (cloudflare strict certificate check) it seems to work.

@arontsang arontsang force-pushed the feature/fast-wildcard-certificate-lookup branch from e56abc3 to 0d20eac Compare November 11, 2025 06:37
@arontsang
Copy link
Author

arontsang commented Nov 12, 2025

If this pull also needs to work for the Kubernetes.Controller the following needs to be modified also

https://github.com/dotnet/yarp/blob/785e5fc80540baf3f34db17686d90cad595000a3/src/Kubernetes.Controller/Caching/IngressCache.cs#L100C9-L103C10

note: i don't work for MS but i have this code running right now with those lines patched out. and from my limited testing (cloudflare strict certificate check) it seems to work.

Thanks for that

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MihaZupan MihaZupan Awaiting requested review from MihaZupan MihaZupan is a code owner

@benjaminpetit benjaminpetit Awaiting requested review from benjaminpetit benjaminpetit is a code owner

2 more reviewers

@gfoidl gfoidl gfoidl left review comments

@KLuuKer KLuuKer KLuuKer approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@arontsang @KLuuKer @gfoidl