BlockPageApp: fix three bugs in Online Certificate Signing #1897
Open
Hemsby wants to merge 2 commits into TechnitiumSoftware:develop from
Conversation

Member: Thanks for the PR. Will test this soon.
Pass CA cert as additional cert in SslStreamCertificateContext so the full chain is included in the TLS handshake for per-domain certs. Previously null was passed, causing chain validation failures on clients that did not already have the CA cached.

Clamp certNotBefore to the CA cert NotBefore. The code backdates per-domain certs by 30 minutes for clock skew tolerance, but if the CA was created within the last 30 minutes this fell before the CA's own NotBefore and threw ArgumentException, silently falling back to serving the CA cert as the server cert for up to 30 minutes.

Use X509SignatureGenerator overload of CertificateRequest.Create so that ECC and ECDSA CA certs are supported. The previous overload required the CA and CSR to use the same key algorithm, so any ECC CA failed with ArgumentException.
6a36a30 to 221df63
…wwwroot
When serveBlockPageFromWebServerRoot is enabled, requests to / and /index.html
were served directly by the static files middleware, bypassing ServeDefaultPageAsync
entirely so {BLOCKING-INFO} was never substituted and the raw placeholder appeared
in the page.
Fix: an interceptor middleware registered before UseStaticFiles catches GET requests
to / and /index.html and routes them through ServeDefaultPageAsync, which now reads
the content from the wwwroot index.html file on disk before performing the substitution.
The default wwwroot/index.html example is updated to include {BLOCKING-INFO} so users
customising the block page can see how to use it.
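The interceptor described in this commit message, as an added illustration in C# that is not BlockPageApp's own code: a middleware registered ahead of UseStaticFiles claims GET / and /index.html, reads wwwroot/index.html from disk and substitutes {BLOCKING-INFO}. The names ServeDefaultPageAsync and GetBlockReason, the page layout of the substituted value and the use of the Host header as the blocked name are assumptions for the example; the project gets its block information from the DNS server, not from the request.

```csharp
using System;
using System.IO;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Illustrative interceptor, not BlockPageApp's code; names and the blocking-info source are assumed.
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// wwwroot/index.html is the operator-editable template; it is re-read per request so edits apply immediately.
string indexPath = Path.Combine(app.Environment.WebRootPath ?? "wwwroot", "index.html");

// Registered BEFORE UseStaticFiles: otherwise the static-files middleware serves / and /index.html
// verbatim and the {BLOCKING-INFO} placeholder reaches the browser unsubstituted.
app.Use(async (context, next) =>
{
    string path = context.Request.Path.Value ?? "/";
    if (HttpMethods.IsGet(context.Request.Method)
        && (path == "/" || string.Equals(path, "/index.html", StringComparison.OrdinalIgnoreCase)))
    {
        await ServeDefaultPageAsync(context, indexPath);
        return;
    }
    await next(context);
});

app.UseStaticFiles();   // css, images and any other file still come straight from wwwroot
app.Run();

static async Task ServeDefaultPageAsync(HttpContext context, string indexPath)
{
    string template = File.Exists(indexPath)
        ? await File.ReadAllTextAsync(indexPath, context.RequestAborted)
        : "<html><body><h1>Website Blocked</h1>{BLOCKING-INFO}</body></html>"; // fallback if the file is missing

    // The substituted value lands inside HTML, so encode every piece of it. The Host header is
    // whatever the client sent, so on a block page reachable by IP it is attacker-controlled.
    string info = "<p>Blocked: " + WebUtility.HtmlEncode(context.Request.Host.Value) + "</p>"
                + "<p>Reason: " + WebUtility.HtmlEncode(GetBlockReason(context)) + "</p>";

    context.Response.ContentType = "text/html; charset=utf-8";
    context.Response.Headers["Cache-Control"] = "no-store";   // never let a proxy cache one domain's block page for another
    await context.Response.WriteAsync(template.Replace("{BLOCKING-INFO}", info), context.RequestAborted);
}

// Hypothetical lookup standing in for the DNS server's block-list data.
static string GetBlockReason(HttpContext context) => "Domain is on a configured block list";
```

The encoding step is the part worth checking in the real implementation: a plain string Replace of {BLOCKING-INFO} is only safe if everything that goes into the replacement (domain name, list name, reason text) has been HTML-encoded first.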
Author: Added an enhancement also, so {BLOCKING-INFO} can be used to show the blocked reason etc. on custom HTML.
Anutrix reviewed May 5, 2026
| <body> | ||
| <h1>Website Blocked</h1> | ||
| <p>This website has been blocked by your network administrator.</p> | ||
| {BLOCKING-INFO} |
Suggested change
| {BLOCKING-INFO} | |
| {BLOCKING-INFO} |
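Review bot: {BLOCKING-INFO} is substituted into the HTML body here, so whatever ServeDefaultPageAsync inserts for it (the blocked host name, the reason text, anything derived from the request or the block list) has to be HTML-encoded, for example with WebUtility.HtmlEncode, before the string replace; otherwise a crafted Host header or block-list entry becomes script on the block page, and neither the template nor the commit message says that encoding happens. Also, the suggested change renders identically to the original `{BLOCKING-INFO}` line, so the difference is whitespace or indentation only; confirm that in the raw diff before applying it.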
Fixes the three bugs reported in #1896.
Missing intermediate certificate in TLS handshake
When a per-domain cert is generated and cached, the SslStreamCertificateContext was created with null for the additional certificates, meaning the signing CA was never included in the TLS handshake. Clients that did not already have the CA cached would get a chain validation error. The CA cert is now passed as the additional certs collection so browsers receive the full chain.

notBefore not clamped to CA's own NotBefore

The code backdates generated certs by 30 minutes for clock skew tolerance. If the CA cert was created within the last 30 minutes, this fell before the CA's own NotBefore and .NET threw ArgumentException: The requested notBefore value is earlier than issuerCertificate.NotBefore. The exception was caught and logged but the app silently fell back to serving the CA cert directly as the server cert for up to 30 minutes. certNotBefore is now clamped to Max(UtcNow - 30min, caCert.NotBefore).

ECC and ECDSA CA certs not supported

CertificateRequest.Create(X509Certificate2, ...) requires the CA key algorithm to match the CSR algorithm. Since the CSR is always RSA 2048, any ECC CA failed with ArgumentException: The issuer certificate public key algorithm does not match. The X509SignatureGenerator overload is now used, which supports both RSA and ECC CA certs.

Both the self-signed cert path (webServerUseSelfSignedTlsCertificate: true) and the custom CA path are covered by these changes.
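The three corrected behaviours from the commit message and the description above, as one added C# example that is not BlockPageApp's own code: a CA is generated (RSA or ECDSA), a per-domain RSA-2048 leaf is issued through the X509SignatureGenerator overload of CertificateRequest.Create with notBefore clamped to the CA's NotBefore, and the CA is handed to SslStreamCertificateContext.Create as additional certificates. The class and method names, the 30-day leaf lifetime, the extension set and the .NET 7+ target are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Illustrative issuer, not BlockPageApp's own code. Names, the 30-day leaf lifetime
// and the .NET 7+ target are assumptions.
public static class PerDomainCertIssuer
{
    // Self-signed CA: ECDSA P-256 or RSA-2048, valid ten years from now.
    public static X509Certificate2 CreateCa(string commonName, bool ecdsa)
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        CertificateRequest req = ecdsa
            ? new CertificateRequest($"CN={commonName}", ECDsa.Create(ECCurve.NamedCurves.nistP256), HashAlgorithmName.SHA256)
            : new CertificateRequest($"CN={commonName}", RSA.Create(2048), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(now, now.AddYears(10));
    }

    // Issues an RSA-2048 leaf for one domain, signed by caCert, whose key may be RSA or ECDSA.
    public static X509Certificate2 IssueLeaf(X509Certificate2 caCert, string domain, DateTimeOffset utcNow)
    {
        // Backdate 30 minutes for clock skew, but never earlier than the CA's own NotBefore.
        // The issuer-certificate overload of CertificateRequest.Create throws ArgumentException
        // for that; the signature-generator overload used below performs no issuer-date checks
        // at all, so this clamp (and the NotAfter cap) is now the only thing keeping dates consistent.
        var caNotBefore = new DateTimeOffset(caCert.NotBefore.ToUniversalTime());
        var caNotAfter = new DateTimeOffset(caCert.NotAfter.ToUniversalTime());
        DateTimeOffset notBefore = utcNow.AddMinutes(-30);
        if (notBefore < caNotBefore) notBefore = caNotBefore;
        DateTimeOffset notAfter = utcNow.AddDays(30);
        if (notAfter > caNotAfter) notAfter = caNotAfter;
        if (notAfter <= notBefore) throw new InvalidOperationException("CA certificate is expired.");

        RSA leafKey = RSA.Create(2048);
        var req = new CertificateRequest($"CN={domain}", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // serverAuth
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(domain);
        req.CertificateExtensions.Add(san.Build());
        req.CertificateExtensions.Add(X509AuthorityKeyIdentifierExtension.CreateFromCertificate(caCert, true, false));

        // Choose the generator from the CA key type: this is what lets an ECDSA CA sign an RSA CSR.
        X509SignatureGenerator generator = caCert.GetECDsaPrivateKey() is ECDsa ecdsaKey
            ? X509SignatureGenerator.CreateForECDsa(ecdsaKey)
            : X509SignatureGenerator.CreateForRSA(
                  caCert.GetRSAPrivateKey() ?? throw new InvalidOperationException("CA has no usable private key."),
                  RSASignaturePadding.Pkcs1);

        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] = (byte)((serial[0] & 0x3F) | 0x40); // positive, non-zero leading byte: a valid DER INTEGER

        using X509Certificate2 signed = req.Create(caCert.SubjectName, generator, notBefore, notAfter, serial);
        return signed.CopyWithPrivateKey(leafKey);    // what gets cached and served for this domain
    }

    // Pass the CA as additional certificates so the context can build the chain and send the
    // intermediates in the handshake instead of the bare leaf.
    public static SslStreamCertificateContext BuildContext(X509Certificate2 leaf, X509Certificate2 caCert)
    {
        var additional = new X509Certificate2Collection { caCert };
        return SslStreamCertificateContext.Create(leaf, additional, offline: true);
    }

    // A CA created seconds ago exercises the clamp; the ECDSA CA exercises the generator path.
    public static void Main()
    {
        foreach (bool ecdsa in new[] { false, true })
        {
            using X509Certificate2 ca = CreateCa("Block Page CA", ecdsa);
            using X509Certificate2 leaf = IssueLeaf(ca, "blocked.example", DateTimeOffset.UtcNow);
            _ = BuildContext(leaf, ca); // would go into SslServerAuthenticationOptions.ServerCertificateContext
            Console.WriteLine($"{(ecdsa ? "ECDSA" : "RSA")} CA: leaf NotBefore {leaf.NotBefore:u} >= CA NotBefore {ca.NotBefore:u}, issuer {leaf.Issuer}");
        }
    }
}
```

Two caveats for anyone porting this. First, because the signature-generator overload knows nothing about the issuer certificate, the ArgumentException that used to catch a notBefore earlier than the CA is gone along with the algorithm-mismatch check, so the clamp is the only guard and deserves a test that creates a CA and issues a leaf in the same second. Second, SslStreamCertificateContext builds the chain from the additional certificates but, on current .NET runtimes, does not transmit a self-signed root; passing the CA fixes the missing-intermediate case and lets the chain build offline, while clients still have to trust the root, which is unavoidable with a private CA.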