Support client cert negotiation #33264
Ok, that last commit changed things around a bit. I realized that ClientCertificateMode.DelayCertificate didn't work if used in the SNI from config code path. I was able to flow it through the internal code paths as a tuple. Thoughts?
I recommend refactoring these internals as part of #33452, but it shouldn't change the functionality in this PR.
// Look for TLS connections that don't already have a client cert, and requests that could have a body.
if (tlsFeature != null && tlsFeature.ClientCertificate == null && bodyFeature.CanHaveBody
    && !connectionItems.Items.TryGetValue("tls.clientcert.negotiated", out var _))
Why not?
    && !connectionItems.Items.TryGetValue("tls.clientcert.negotiated", out var _))
    && (tlsFeature is not ClientCertBufferingFeature))
ClientCertBufferingFeature gets stored in the HttpContext's FeatureCollection, not the connection's FeatureCollection. It's reverted before the next request. Items persist across requests.
if (ClientCertificate != null
    || ClientCertificateMode != ClientCertificateMode.DelayCertificate
    // Delayed client cert negotiation is not allowed on HTTP/2 (or HTTP/3, but that's implemented elsewhere).
    || _sslStream.NegotiatedApplicationProtocol == SslApplicationProtocol.Http2)
Do we have a test to verify we aren't renegotiating when NegotiatedApplicationProtocol is HTTP/2?
Added in the HTTP/2 HttpClient interop tests. That's one of the only places we test HTTP/2 over TLS.
Thank you for submitting this for API review. This will be reviewed by @dotnet/aspnet-api-review at the next meeting of the ASP.NET Core API Review group. Please ensure you take a look at the API review process documentation and ensure that:
Awkward, the build passed but it never reported status here: @dotnet/aspnet-build would you be so kind as to merge this?
Yeah, github reporting has been weird today
Fixes #23948 @avparuch
Developers can now opt-in to using delayed client certificate negotiation via ClientCertificateMode.DelayCertificate on HttpsConnectionAdapterOptions. Note negotiation is always enabled if you're using the UseHttps overload that takes ServerOptionsSelectionCallback since there are no HttpsConnectionAdapterOptions passed there.
System.InvalidOperationException: Received data during renegotiation.
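As an added example (not code from this PR or from the aspnetcore repository), a minimal Kestrel host that opts into ClientCertificateMode.DelayCertificate and requests the client certificate only on the one endpoint that needs it; the listener is pinned to HTTP/1.1 because, as the review discussion notes, delayed negotiation is not allowed on HTTP/2. The port, certificate file names, endpoint paths and the thumbprint policy are assumptions, and the file assumes the .NET 6 web SDK implicit usings.

```csharp
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(kestrel =>
{
    // Port and certificate files are placeholders for this example.
    kestrel.Listen(IPAddress.Loopback, 5001, listenOptions =>
    {
        // Delayed negotiation is only supported on HTTP/1.1, so pin the listener to it.
        listenOptions.Protocols = HttpProtocols.Http1;
        listenOptions.UseHttps(httpsOptions =>
        {
            httpsOptions.ServerCertificate = X509Certificate2.CreateFromPemFile("server.pem", "server.key");
            // Opt in: the handshake completes without a client certificate, and Kestrel
            // renegotiates only when the application asks for one on a given request.
            httpsOptions.ClientCertificateMode = ClientCertificateMode.DelayCertificate;
        });
    });
});

var app = builder.Build();

// Public endpoint: never asks for a certificate, so no renegotiation happens.
app.MapGet("/", () => "hello");

// Protected endpoint: requests the certificate on demand, before consuming the body.
app.MapPost("/admin", async (HttpContext context) =>
{
    X509Certificate2? clientCert =
        await context.Connection.GetClientCertificateAsync(context.RequestAborted);
    if (clientCert == null)
    {
        // Client declined to present a certificate during the renegotiation.
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    // Assumed policy: pin to a configured trusted thumbprint (placeholder default value).
    var expected = app.Configuration["AdminCertThumbprint"] ?? "PLACEHOLDER_THUMBPRINT";
    if (!string.Equals(clientCert.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
    {
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }
    await context.Response.WriteAsync($"authenticated as {clientCert.Subject}");
});

app.Run();
```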