ClientCertificate property no longer triggers renegotiation for HttpSys

The HttpContext.Connection.ClientCertificate property no longer triggers TLS renegotiations for HttpSys.

Version introduced

ASP.NET Core 6.0

Old behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotiation allowed renegotiation to be triggered by both HttpContext.Connection.ClientCertificate and HttpContext.Connection.GetClientCertificateAsync.

New behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotiation allows renegotiation to be triggered only by HttpContext.Connection.GetClientCertificateAsync. HttpContext.Connection.ClientCertificate returns the current certificate if available, but does not renegotiate with the client to request the certificate.

Reason for change

When implementing the same features for Kestrel, it became clear that applications need to be able to check the state of the client certificate before triggering a renegotiation. For example, when the request body would conflict with the renegotiation, checking the state first enables the following usage pattern:

// Only renegotiate when no certificate was presented during the initial handshake.
if (connection.ClientCertificate == null)
{
  // Buffer the request body first so it does not conflict with the renegotiation.
  await BufferRequestBodyAsync();
  // Explicitly request the certificate; this is the only call that triggers renegotiation.
  await connection.GetClientCertificateAsync();
}

Apps that use delayed client-certificate negotiation should call GetClientCertificateAsync(CancellationToken) to trigger renegotiation.
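The following is an added example that is not part of the original page: a minimal ASP.NET Core 6 app hosted on HttpSys that opts in to delayed client-certificate negotiation and applies the check-before-renegotiate pattern described above. The hosting, buffering and connection APIs used (UseHttpSys, HttpSysOptions.ClientCertificateMethod, Request.EnableBuffering, Connection.ClientCertificate, Connection.GetClientCertificateAsync) are real ASP.NET Core APIs; the middleware wiring, the 403 response and the route are assumptions for illustration.

```csharp
// Added example (not from the original page): HttpSys app using delayed
// client-certificate negotiation with the check-before-renegotiate pattern.
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.HttpSys;

var builder = WebApplication.CreateBuilder(args);

// Opt in to renegotiation. Without AllowRenegotiation, GetClientCertificateAsync
// does not renegotiate either and simply returns whatever the handshake produced.
builder.WebHost.UseHttpSys(options =>
{
    options.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotiation;
});

var app = builder.Build();

// Assumed middleware: require a client certificate for every request.
app.Use(async (context, next) =>
{
    var connection = context.Connection;

    // Since ASP.NET Core 6.0 this is a cheap read: it returns the certificate from
    // the initial handshake (if any) and never starts a TLS renegotiation.
    X509Certificate2? cert = connection.ClientCertificate;

    if (cert == null)
    {
        // A renegotiation conflicts with a request body that is still in flight, so
        // buffer and drain the body first. EnableBuffering makes the stream seekable
        // (spooling large bodies to disk) so it can be rewound for later middleware.
        context.Request.EnableBuffering();
        await context.Request.Body.CopyToAsync(Stream.Null, context.RequestAborted);
        context.Request.Body.Position = 0;

        // Now the only call that actually triggers a renegotiation.
        cert = await connection.GetClientCertificateAsync(context.RequestAborted);
    }

    if (cert == null)
    {
        // Client declined to present a certificate: reject rather than fall through.
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        await context.Response.WriteAsync("Client certificate required.");
        return;
    }

    // Certificate validation (chain, EKU, revocation, allowed issuers) would go here
    // before the request is allowed to proceed.
    await next(context);
});

app.MapGet("/", (HttpContext ctx) =>
    $"Hello, {ctx.Connection.ClientCertificate?.Subject ?? "(no certificate)"}");

app.Run();
```

The body is drained into the buffered stream before GetClientCertificateAsync is called and then rewound, so downstream handlers still see the full request body. Reading ClientCertificate first avoids paying for a renegotiation on connections that already authenticated during the initial handshake.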

Affected APIs

See also