Skip to content

[release/10.0] Add loopback addresses to the development certificate #64584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: release/10.0
Choose a base branch
from
Open

[release/10.0] Add loopback addresses to the development certificate #64584

wants to merge 3 commits into from

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 1, 2025
edited by danegsta
Loading

Backport of #64431 to release/10.0

/cc @danegsta

Add loopback addresses to the development certificate

Adds 127.0.0.1 and ::1 to the development certificate SAN

Description

Adds the IPv4 (127.0.01) and IPv6 (::1) loopback addresses to the development certificate Subject Alternative Names for the dev cert. This will allow the certificate to be used to secure services such as a SQL Server or Azurite container where there are client restrictions that require accessing the service by IP address instead of hostname.

Fixes #64430

Customer Impact

Aspire has started adding APIs to configure local services that aren't ASP.NET Core based to take advantage of the development certificate to provide TLS during local development, but we've found a couple cases where clients don't properly handle the localhost domain for local traffic and instead require using a loopback IP. The SQL Server connector is the worst problem; it specifically resolves localhost to the PUBLIC IP for the machine, not the loopback IP. This requires us to connect to local SQL Server containers using 127.0.0.1 (or ::1). The second case is the Azure Storage SDK, which treats ANY hostname (including localhost) as an external custom storage domain; the only way to connect to a local emulator in a .NET app is to use 127.0.0.1.

This change allows us to enable TLS for the SQL Server container image and the Azurite storage emulator using the development certificate and be compatible with the quirks of the client libraries that force using IP addresses for loopback traffic.

Regression?

  • Yes
  • No

[If yes, specify the version the behavior has regressed from]

Risk

  • High
  • Medium
  • Low

[Justify the selection above]

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

When servicing release/2.3

  • Make necessary changes in eng/PatchConfig.props

@danegsta danegsta added the Servicing-consider Shiproom approval is required for the issue label Dec 1, 2025
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Dec 1, 2025

Hi @@github-actions[bot]. Please make sure you've updated the PR description to use the Shiproom Template. Also, make sure this PR is not marked as a draft and is ready-to-merge.

To learn more about how to prepare a servicing PR click here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DamianEdwards DamianEdwards Awaiting requested review from DamianEdwards

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Servicing-consider Shiproom approval is required for the issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@danegsta