
[Announcement] HttpSys client certificate renegotiation disabled by default #23181

Closed
@Tratcher

Description

HttpSys client certificate renegotiation disabled by default

The option to renegotiate a connection and request a client certificate has been disabled by default.

Version introduced

5.0

Old behavior

The connection could be renegotiated to request a client certificate.

New behavior

Client certificates can only be requested during the initial connection handshake. See #23162.

Reason for change

Renegotiation caused a number of performance and deadlock issues, and it is not supported in HTTP/2. See #14806 for the 3.1 change that first introduced the option to control this behavior.

Recommended action

Applications that require client certificates should use netsh.exe to enable client certificate negotiation on the SSL binding, i.e. pass `clientcertnegotiation=enable` to `netsh http add sslcert`, so that the certificate is requested in the initial TLS handshake. See https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-http

If you only want client certificates enabled for some parts of your application then see the guidance at https://docs.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-3.1#optional-client-certificates.

If you need the old renegotiate behavior then set HttpSysOptions.ClientCertificateMethod to the old value ClientCertificateMethod.AllowRenegotiate. This is not recommended for the reasons outlined above and in the linked guidance.
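The configuration described above, as an added example rather than code from this issue or from the ASP.NET Core repository: a minimal HTTP.sys host on .NET 5.0 that leaves renegotiation disabled, states the default `ClientCertificateMethod` explicitly, and reads the handshake certificate with `GetClientCertificateAsync`. The URL prefix, port and the netsh binding values (certificate thumbprint, appid) are placeholders that must be replaced.

```csharp
// Added example, not part of the issue or the ASP.NET Core project.
// Prerequisite (run as administrator, placeholder thumbprint/appid):
//   netsh http add sslcert ipport=0.0.0.0:5001 certhash=<thumbprint> appid={<guid>} clientcertnegotiation=enable
// With clientcertnegotiation=enable, HTTP.sys asks for the client certificate in the
// initial TLS handshake, which is the only point at which 5.0 will request one by default.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;
using Microsoft.Extensions.Hosting;

public static class Program
{
    public static Task Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseHttpSys(options =>
                {
                    // The 5.0 default: accept a certificate presented during the handshake,
                    // never renegotiate. Set explicitly so the intent is visible in code review.
                    // The old renegotiating value (AllowRenegotiate in this issue's wording)
                    // is deliberately not used here.
                    options.ClientCertificateMethod = ClientCertificateMethod.AllowCertificate;
                    options.UrlPrefixes.Add("https://*:5001/"); // placeholder prefix
                });

                webBuilder.Configure(app =>
                {
                    app.Run(async context =>
                    {
                        // Without renegotiation this returns the certificate from the
                        // handshake or null; it never starts a second handshake, so a
                        // missing certificate must be handled here rather than retried.
                        var cert = await context.Connection.GetClientCertificateAsync(context.RequestAborted);
                        if (cert == null)
                        {
                            context.Response.StatusCode = StatusCodes.Status403Forbidden;
                            await context.Response.WriteAsync("client certificate required");
                            return;
                        }

                        // Presence of a certificate is not authorization: validate chain,
                        // revocation and subject/issuer policy before trusting it.
                        await context.Response.WriteAsync($"hello {cert.Subject}");
                    });
                });
            })
            .Build()
            .RunAsync();
}
```

If the binding is registered without `clientcertnegotiation=enable`, `GetClientCertificateAsync` returns null for every request under the 5.0 default, since the server never asked for a certificate and will not renegotiate to obtain one; that is the symptom to look for when upgrading from 3.1.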

Category

ASP.NET

Affected APIs

HttpSysOptions.ClientCertificateMethod
HttpContext.Connection.ClientCertificate
HttpContext.Connection.GetClientCertificateAsync


Issue metadata

  • Issue type: breaking-change
