allow late certificate with disabled renegotiation #53719
Merged
Motivation: In the past we did not have an API to trigger renegotiation, so the `AllowRenegotiation` property really controlled behavior when renegotiation was requested by the remote peer. HTTP/2 explicitly prohibits it, so Kestrel would set it to `false` any time HTTP/2 is a possibility. However, there is no way to turn it back on when HTTP/1 is negotiated. That can break the late certificate per specific URL even if HTTP/1 is negotiated.

With this change, we would allow renegotiation if explicitly requested on the server side using `NegotiateClientCertificateAsync()`. Note that this is only during that particular call, e.g. when `NegotiateClientCertificateAsync` is finished we would again respect the property and block renegotiation requested by the peer as we used to. That should make intro with HTTP/2 easier. Since SslStream does not really care about application protocols, it is up to the caller to decide if this is appropriate, e.g. if HTTP/2 is used or not. (TLS RFC does not care)

contributes to #49346

cc: @Tratcher
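The server-side flow the description refers to, as an added example that is not part of the PR or of dotnet/runtime: ALPN offers both `h2` and `http/1.1`, `AllowRenegotiation` stays `false` because HTTP/2 might be chosen, and a client certificate is requested late via `NegotiateClientCertificateAsync()` only after the handshake shows HTTP/1.1 was negotiated. `ServeOneConnectionAsync`, `WantsClientCertFor` and the lenient validation callback are assumptions made for the example; the `SslStream` members used are real .NET 6+ APIs.

```csharp
// Added example (not from the PR or the runtime repo): a TLS server that keeps
// AllowRenegotiation = false for the HTTP/2 case and still asks for a client
// certificate on demand when HTTP/1.1 was negotiated. Requires .NET 6 or later.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class LateClientCertServer
{
    // serverCert: the server's TLS certificate with private key (supplied by the caller).
    // requestPath: the HTTP/1.1 request path the caller parsed; whether it needs a
    // client certificate is decided by WantsClientCertFor (hypothetical routing rule).
    public static async Task<X509Certificate?> ServeOneConnectionAsync(
        TcpClient client, X509Certificate2 serverCert, string requestPath)
    {
        using var tls = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);

        var options = new SslServerAuthenticationOptions
        {
            ServerCertificate = serverCert,
            // Offer both protocols; which one the peer picks is unknown until the handshake ends.
            ApplicationProtocols = new() { SslApplicationProtocol.Http2, SslApplicationProtocol.Http11 },
            // Do not ask for a client certificate up front; it will be requested per URL later.
            ClientCertificateRequired = false,
            // HTTP/2 is possible, so peer-initiated renegotiation must stay disabled
            // (RFC 7540 section 9.2.1). After this PR, our own explicit
            // NegotiateClientCertificateAsync call is still allowed with this set to false.
            AllowRenegotiation = false,
            // Demo-only policy (assumption): accept "no certificate" during the initial
            // handshake and a clean chain later; a real server applies its own trust rules.
            RemoteCertificateValidationCallback = (_, cert, _, errors) =>
                cert == null
                    ? errors == SslPolicyErrors.RemoteCertificateNotAvailable
                    : errors == SslPolicyErrors.None
        };

        await tls.AuthenticateAsServerAsync(options);

        if (tls.NegotiatedApplicationProtocol == SslApplicationProtocol.Http2)
        {
            // HTTP/2 forbids renegotiation; a late certificate is not possible here.
            return null;
        }

        // HTTP/1.1 (or no ALPN at all): the application may demand a certificate
        // for this specific request. The relaxation covers only this call; once it
        // returns, renegotiation requested by the peer is blocked again.
        if (!WantsClientCertFor(requestPath))
        {
            return null;
        }

        await tls.NegotiateClientCertificateAsync();

        // Null means the peer declined to present a certificate; the caller decides
        // whether to reject the request.
        return tls.RemoteCertificate;
    }

    // Hypothetical routing predicate, not part of SslStream or Kestrel.
    static bool WantsClientCertFor(string path) =>
        path.StartsWith("/secure/", StringComparison.Ordinal);
}
```

The decision to call `NegotiateClientCertificateAsync()` is made from `NegotiatedApplicationProtocol` in the application, not inside `SslStream`, which is exactly the division of responsibility the description states: the stream does not know whether the application protocol tolerates renegotiation, so the caller must check before asking.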