Skip to content

[release/10.0] Add loopback addresses to the development certificate #64584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wtgodbe merged 3 commits into from
Dec 4, 2025
Merged

[release/10.0] Add loopback addresses to the development certificate #64584

wtgodbe merged 3 commits into from
Dec 4, 2025

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 1, 2025
edited by danegsta
Loading

Backport of #64431 to release/10.0

/cc @danegsta

Add loopback addresses to the development certificate

Adds 127.0.0.1 and ::1 to the development certificate SAN

Description

Adds the IPv4 (127.0.01) and IPv6 (::1) loopback addresses to the development certificate Subject Alternative Names for the dev cert. This will allow the certificate to be used to secure services such as a SQL Server or Azurite container where there are client restrictions that require accessing the service by IP address instead of hostname.

Fixes #64430

Customer Impact

Aspire has started adding APIs to configure local services that aren't ASP.NET Core based to take advantage of the development certificate to provide TLS during local development, but we've found a couple cases where clients don't properly handle the localhost domain for local traffic and instead require using a loopback IP. The SQL Server connector is the worst problem; it specifically resolves localhost to the PUBLIC IP for the machine, not the loopback IP. This requires us to connect to local SQL Server containers using 127.0.0.1 (or ::1). The second case is the Azure Storage SDK, which treats ANY hostname (including localhost) as an external custom storage domain; the only way to connect to a local emulator in a .NET app is to use 127.0.0.1.

This change allows us to enable TLS for the SQL Server container image and the Azurite storage emulator using the development certificate and be compatible with the quirks of the client libraries that force using IP addresses for loopback traffic.

Regression?

  • Yes
  • No

[If yes, specify the version the behavior has regressed from]

Risk

  • High
  • Medium
  • Low

[Justify the selection above]

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

When servicing release/2.3

  • Make necessary changes in eng/PatchConfig.props

@danegsta danegsta added the Servicing-consider Shiproom approval is required for the issue label Dec 1, 2025
@rbhanda rbhanda added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Dec 4, 2025
@rbhanda rbhanda added this to the 10.0.2 milestone Dec 4, 2025
@wtgodbe wtgodbe merged commit 0270a6e into release/10.0 Dec 4, 2025
28 checks passed
@wtgodbe wtgodbe deleted the backport/pr-64431-to-release/10.0 branch December 4, 2025 23:58
@dotnet-policy-service dotnet-policy-service bot modified the milestone: 10.0.2 Dec 4, 2025
@dotnet-maestro dotnet-maestro bot mentioned this pull request Dec 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wtgodbe wtgodbe wtgodbe approved these changes

@DamianEdwards DamianEdwards Awaiting requested review from DamianEdwards

Assignees

No one assigned

Labels

Servicing-approved Shiproom has approved the issue

Projects

None yet

Milestone

10.0.2

Development

Successfully merging this pull request may close these issues.

4 participants

@wtgodbe @rbhanda @danegsta