Description
HttpSys client certificate renegotiation disabled by default
The option to renegotiate a connection and request a client certificate has been disabled by default.
See dotnet/aspnetcore#23181 for discussion.
Version introduced
5.0
Old behavior
The connection could be renegotiated to request a client certificate.
New behavior
Client certificates can only be requested during the initial connection handshake. See dotnet/aspnetcore#23162.
Reason for change
Renegotiation caused a number of performance and deadlock issues. It's also not supported in HTTP/2. See dotnet/aspnetcore#14806 for when the option to control this behavior was first introduced in 3.1.
Recommended action
Applications that require client certificates should use netsh.exe to set the clientcertnegotiation option to enabled. See https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-http.
If you only want client certificates enabled for some parts of your application then see the guidance at https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-3.1#optional-client-certificates.
If you need the old renegotiate behavior then set HttpSysOptions.ClientCertificateMethod to the old value ClientCertificateMethod.AllowRenegotiate. This is not recommended for the reasons outlined above and in the linked guidance.
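An added example (not from the original page or the ASP.NET Core repo) of the recommended setup: the certificate is requested by HTTP.sys in the initial handshake via the netsh binding, and the app keeps the 5.0 default of ClientCertificateMethod.AllowCertificate rather than AllowRenegotiate. The URL prefix, port, and the certificate thumbprint and app id in the netsh comment are assumptions or placeholders.

```csharp
// Added example; assumes ASP.NET Core 5.0 hosted on HTTP.sys (Windows).
// One-time SSL binding on the host (elevated prompt). clientcertnegotiation=enable
// makes HTTP.sys ask for the client certificate during the initial TLS handshake,
// so no renegotiation is needed. Thumbprint and appid are placeholders:
//   netsh http add sslcert ipport=0.0.0.0:443 certhash=<THUMBPRINT_PLACEHOLDER> appid={<APPID_PLACEHOLDER>} clientcertnegotiation=enable

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;
using Microsoft.Extensions.Hosting;

Host.CreateDefaultBuilder(args)
    .ConfigureWebHostDefaults(webBuilder =>
    {
        webBuilder.UseHttpSys(options =>
        {
            options.UrlPrefixes.Add("https://*:443/"); // assumed prefix
            // 5.0 default. The certificate can only arrive with the initial handshake;
            // AllowRenegotiate is deliberately not used (deadlock issues, no HTTP/2).
            options.ClientCertificateMethod = ClientCertificateMethod.AllowCertificate;
        });
        webBuilder.Configure(app =>
        {
            app.Run(async context =>
            {
                // With AllowCertificate this returns the certificate presented in the
                // handshake, or null if the client sent none; it never renegotiates.
                var cert = await context.Connection.GetClientCertificateAsync(context.RequestAborted);
                if (cert is null)
                {
                    context.Response.StatusCode = StatusCodes.Status403Forbidden;
                    await context.Response.WriteAsync("client certificate required");
                    return;
                }
                await context.Response.WriteAsync($"hello {cert.Subject}");
            });
        });
    })
    .Build()
    .Run();
```

If only part of the app needs certificates, the certificate authentication guidance linked above covers treating the certificate as optional and enforcing it per endpoint instead of rejecting every request without one.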
Category
ASP.NET
Affected APIs
HttpSysOptions.ClientCertificateMethod
HttpContext.Connection.ClientCertificate
HttpContext.Connection.GetClientCertificateAsync
Issue metadata
- Issue type: breaking-change