HttpSys ClientCertificate property renegotiates #33586
Labels
area-networking
Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
bug
This issue describes a behavior which is not expected - a bug.
feature-httpsys
help wanted
Up for grabs. We would accept a PR to help resolve this issue
Milestone
ITlsConnectionFeature.ClientCertificate is used to get the client certificate for the current connection. ITlsConnectionFeature.GetClientCertificateAsync is used to renegotiate the TLS session to request a certificate if you don't already have one. HttpSys has had a behavior in the past where it triggered the renegotiate even from the ClientCertificate property. ClientCertificateMethod.AllowRenegotation was added to control that, but it also disables it for GetClientCertificateAsync.
When implementing GetClientCertificateAsync renegotiation for Kestrel it became clear that the pattern developers want is for ClientCertificate to return the current certificate, if any, and for GetClientCertificateAsync to renegotiate for a cert if enabled. This allows them to do conditional logic like buffer the request body before starting the renegotiation.
Proposal: Remove the renegotiate logic from the ClientCertificate property and clean up the SetInitialized logic so that GetClientCertificateAsync can still renegotiate after ClientCertificate is called.
aspnetcore/src/Servers/HttpSys/src/RequestProcessing/RequestContext.FeatureCollection.cs
Lines 325 to 328 in 4f2214a
The text was updated successfully, but these errors were encountered: