Change Kestrel's HTTPS endpoint defaults to improve developer experience #42016
Labels:
area-networking: Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
breaking-change: This issue / pr will introduce a breaking change, when resolved / merged.
feature-kestrel
Related to [EPIC] Revisiting HTTPS defaults in ASP.NET Core
Background
Today, when Kestrel is starting, if no endpoint configuration is provided, e.g. via the ASPNETCORE_URLS env (docs), then Kestrel will fall back to a set of default endpoint configurations. These defaults are "http://localhost:5000" and "https://localhost:5001". In the case of the default HTTPS binding (https://localhost:5001), Kestrel will eagerly bind using the ASP.NET Core HTTPS developer certificate if it's found in the default personal certificate store. This occurs without regard to the configured environment and can lead to experience issues on developer machines when the certificate has not yet been trusted (i.e. trusted as root cert authority because it's self-signed). Clients often produce poor UX when hitting an HTTPS endpoint with an untrusted certificate, e.g. silent failure, scary error/warning screen, etc.
Example flow that can lead to experience issues:
MyApp$ dotnet new webapp
MyApp$ dotnet build
MyApp$ ./bin/Debug/net7.0/MyApp
$ curl http://localhost:5000
Changes
launchSettings.json in the project templates) and the developer certificate is used, and the developer certificate is not trusted as a root authority
These changes will not impact the experience when using dev inner-loop focused launch tools like VS or dotnet run as they utilize the URLs configuration in the launchSettings.json file.
It's likely this behavior change could break some of our tests that assume the app will be launched at https://localhost:5001 and emit a message to console out, e.g. example.
@davidfowl @Tratcher @javiercn
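An app can avoid depending on the implicit defaults described in the Background by declaring its endpoints explicitly. The following is an added example, not code from this issue or from Kestrel, and not the change the issue proposes: a Program.cs (Web SDK with implicit usings assumed) that always binds HTTP and binds HTTPS only in Development when a developer certificate is present and its chain validates. The helper name FindTrustedDevCert is hypothetical.

```csharp
using System.Security.Cryptography.X509Certificates;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical helper: returns the ASP.NET Core HTTPS developer certificate
// from the current user's personal store, but only if it is usable and trusted.
static X509Certificate2? FindTrustedDevCert()
{
    // OID of the extension that marks the ASP.NET Core HTTPS developer certificate.
    const string devCertOid = "1.3.6.1.4.1.311.84.1.1";

    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);

    foreach (var cert in store.Certificates)
    {
        var usable = cert.Extensions[devCertOid] is not null
                     && cert.HasPrivateKey
                     && DateTime.Now < cert.NotAfter;
        if (!usable) continue;

        // A self-signed certificate only builds a valid chain once it has been
        // added to the trusted roots (e.g. via `dotnet dev-certs https --trust`).
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (chain.Build(cert)) return cert;
    }
    return null;
}

builder.WebHost.ConfigureKestrel(options =>
{
    // Explicit Listen* calls replace URL-based configuration and the defaults.
    options.ListenLocalhost(5000);

    // Outside Development no HTTPS endpoint is bound here; a deployed app
    // would configure its own certificate instead of the developer one.
    var devCert = builder.Environment.IsDevelopment() ? FindTrustedDevCert() : null;
    if (devCert is not null)
    {
        options.ListenLocalhost(5001, listen => listen.UseHttps(devCert));
    }
});

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```

With this in place, running the built binary directly serves only http://localhost:5000 until the developer certificate has been trusted.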