Skip to content

Make HttpSys client certificate behavior consistent #34012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 6, 2021
Merged

Make HttpSys client certificate behavior consistent #34012

merged 2 commits into from
Jul 6, 2021

Conversation

Tratcher
Copy link
Member

@Tratcher Tratcher commented Jul 1, 2021
edited
Loading

Fixes #33586 Now that we know more about the expected usage of the client cert APIs from our work on kestrel, this change brings HttpSys into alignment. The biggest change is that HttpSys' ClientCertificate property used to trigger a sync-over-async renegotiation. In a prior release we made renegotiation opt-in for both the property and the GetClientCertificateAsync method, and this change now removes it entirely for the ClientCertificate property. Anyone that wants renegotiation must opt in and use the GetClientCertificateAsync API. This enables the following usage pattern:

if (feature.ClientCertificate == null)
{
  await BufferRequestBodyAsync();
  await feature.GetClientCertificateAsync();
}

I also borrowed the test certificates from Kestrel so we could enable these tests on the CI.

@Tratcher Tratcher added this to the 6.0-preview7 milestone Jul 1, 2021
@Tratcher Tratcher self-assigned this Jul 1, 2021
@ghost ghost added the area-runtime label Jul 1, 2021
BrennanConroy
BrennanConroy approved these changes Jul 2, 2021
View reviewed changes
Copy link
Member

@BrennanConroy BrennanConroy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In a prior release we made renegotiation opt-in for both the property and the GetClientCertificateAsync method, and this change now removes it entirely for the ClientCertificate property. Anyone that wants renegotiation must opt in and use the GetClientCertificateAsync API.

Does this need an announcement?

@Tratcher
Copy link
Member Author

Tratcher commented Jul 2, 2021
edited
Loading

Announcement draft:

ClientCertificate property no longer triggers renegotiation for HttpSys

The HttpContext.Connection.ClientCertificate property will no longer trigger TLS renegotiations for HttpSys.

Version introduced

6.0

Old behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation allowed renegotiation to be triggered by both HttpContext.Connection.ClientCertificate and HttpContext.Connection.GetClientCertifiateAsync.

See aspnet/Announcements#422 for related changes in 5.0.

New behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation will allow renegotiation to be triggered only by HttpContext.Connection.GetClientCertifiateAsync. HttpContext.Connection.ClientCertificate will return the current certificate if available, but will not renegotiate with the client to request one.

Reason for change

When implementing the same features for Kestrel it became clear that applications needed to be able to check the state of the client certificate before triggering a renegotiation. This enables the following usage pattern to deal with issues like the request body conflicting with the renegotiation:

if (connection.ClientCertificate == null)
{
  await BufferRequestBodyAsync();
  await connection.GetClientCertificateAsync();
}

Recommended action

Applications that use delayed client certificate negotiation need to call GetClientCertificateAsync() to trigger that.

Category

ASP.NET

Affected APIs

HttpSysOptions.ClientCertificateMethod
HttpContext.Connection.ClientCertificate
HttpContext.Connection.GetClientCertifiateAsync

Issue metadata

  • Issue type: breaking-change

@Tratcher Tratcher merged commit a3d1956 into dotnet:main Jul 6, 2021
@Tratcher Tratcher deleted the tratcher/httpsysclientcert branch July 6, 2021 18:18
@Tratcher
Copy link
Member Author

Tratcher commented Jul 6, 2021

aspnet/Announcements#466

@Tratcher Tratcher mentioned this pull request Jul 9, 2021
Closed
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BrennanConroy BrennanConroy BrennanConroy approved these changes

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

@wtgodbe wtgodbe Awaiting requested review from wtgodbe

Assignees

@Tratcher Tratcher

Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Projects
None yet
Milestone
6.0-preview7
Development

Successfully merging this pull request may close these issues.

HttpSys ClientCertificate property renegotiates
3 participants
@Tratcher @BrennanConroy @amcasey