Make HttpsConnectionFilter more configurable

[halter73]

• Support multiple certificates
  • Allow certs to be specified for a given port and/or IP address
  • Allow certs to be specified for a given hostname once SNI is supported
• Make allowed SslProtocols configurable
• Use the options pattern (e.g. Facebook Middleware) which takes a configureOptions Action.

[muratg]

Putting this in RC1 for now, though it may have to get punted.

[muratg]

Moving further out. Feel free to talk to me to bring this back. We'll just need to prioritize it with the rest of the work.

[halter73]

#385 makes SslProtocols configurable.

[Tratcher]

Blocked by https://github.com/dotnet/corefx/issues/9608

[VanCoding]

What we really need is a way to specify a function that returns the correct ssl certificate to use for a given hostname.

Both Node.js & Go have such an option.

The reason why specifying it statically is not sufficient is, that we may not always know which domains are going to be used for the server. Imagine a setup where a lot of customers use the same instance, but have different subdomains, like customer1.myapplication.com and customer2.myapplication.com, and where customers are created or deleted at runtime. In such a scenario, we don't even have the certificate for a customer created at runtime. The server would create one using Letsencrypt on the first request.

Right now, the only option we have for something like that is to use an expensive wildcard certificate.

[Tratcher]

@VanCoding that requires SNI, see dotnet/corefx#9608

[VanCoding]

@Tratcher Yes, I know. I just wanted to make sure that we make the most use of it as soon as they implement it :)

[jkotalik]

I believe this isn't relevant anymore.