Description
ClientCertificate property no longer triggers renegotiation for HttpSys
The HttpContext.Connection.ClientCertificate property will no longer trigger TLS renegotiations for HttpSys. See dotnet/aspnetcore#34124 for discussion.
Version introduced
6.0
Old behavior
Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation allowed renegotiation to be triggered by both HttpContext.Connection.ClientCertificate and HttpContext.Connection.GetClientCertifiateAsync.
See #422 for related changes in 5.0.
New behavior
Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation will allow renegotiation to be triggered only by HttpContext.Connection.GetClientCertifiateAsync. HttpContext.Connection.ClientCertificate will return the current certificate if available, but will not renegotiate with the client to request one.
Reason for change
When implementing the same features for Kestrel it became clear that applications needed to be able to check the state of the client certificate before triggering a renegotiation. This enables the following usage pattern to deal with issues like the request body conflicting with the renegotiation:
if (connection.ClientCertificate == null)
{
await BufferRequestBodyAsync();
await connection.GetClientCertificateAsync();
}
Recommended action
Applications that use delayed client certificate negotiation need to call GetClientCertificateAsync() to trigger that.
Category
ASP.NET
Affected APIs
HttpSysOptions.ClientCertificateMethod
HttpContext.Connection.ClientCertificate
HttpContext.Connection.GetClientCertifiateAsync
Issue metadata
- Issue type: breaking-change