Description
We are currently porting a library from .NET Framework 4.6.1 to .NET Core 2.1. This is in reference to #24726, where the issue was Libcurl/LibreSSL and TLS. In 2.1 this was fixed using the new SocketsHttpHandler under the hood. Our next issue is to include the certificate chain in the request.
We are currently creating a handler like this:
```csharp
HttpClientHandler handler = new HttpClientHandler();
var clientCertificates = new X509Certificate2Collection { ClientConfiguration.Certificate };
handler.ClientCertificates.AddRange(clientCertificates);
handler.ServerCertificateCustomValidationCallback = ValidateServerCertificateThrowIfInvalid;
```
and using it in a client:
```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
var client = HttpClientFactory.Create(
    handler,
    // ... some handlers excluded ...
);
```
In .NET Framework this will result in a handshake with the client certificate and the whole chain up to and including the root certificate. This is not the case in .NET Core, where we only get the certificate itself, causing a server side error:
```
General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
Manually diffing an OK request against a failing one quickly reveals that the biggest difference is that .NET Core is not including the certificate chain.
How can we include the chain in the request? All help is appreciated.
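The following is an added example, not code from the issue or from the corefx project. It builds the client certificate's chain locally with `X509Chain` and adds the intermediate certificates to `ClientCertificates`, so the handshake has them available and a gap in the chain is caught on the client before the server reports a PKIX error. It also fills in a strict `ServerCertificateCustomValidationCallback` in the spirit of the issue's `ValidateServerCertificateThrowIfInvalid`, whose body the issue does not show. The PFX path, password and URL are placeholders; `BuildChainCollection`, `CreateHandler` and the `ClientHandlerFactory` class are names chosen here. Whether a given runtime actually forwards the extra certificates in the handshake is the open question of the issue, so treat this as a starting point and confirm the handshake on the wire.

```csharp
// Added example (not code from the issue): build the client certificate chain
// locally and make the intermediates available to the handler.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

public static class ClientHandlerFactory
{
    // Returns the leaf plus every certificate X509Chain places between the leaf
    // and the trust anchor. The anchor itself is left out: the server already
    // holds it, and sending a root adds nothing to path building.
    public static X509Certificate2Collection BuildChainCollection(X509Certificate2 leaf)
    {
        var result = new X509Certificate2Collection { leaf };
        using (var chain = new X509Chain())
        {
            // The chain is our own; revocation fetches are not needed to enumerate it.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            if (!chain.Build(leaf))
            {
                // Fail loudly: an incomplete local chain means the server will
                // fail path building too, with a far less useful error.
                string reasons = string.Join("; ",
                    chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
                throw new InvalidOperationException(
                    "Client certificate chain could not be built: " + reasons);
            }

            // Element 0 is the leaf, the last element is the trust anchor.
            for (int i = 1; i < chain.ChainElements.Count - 1; i++)
            {
                result.Add(chain.ChainElements[i].Certificate);
            }
        }
        return result;
    }

    // Strict server validation: only a certificate that passed full validation
    // is accepted; everything else is an error rather than a silent bypass.
    public static bool ValidateServerCertificateThrowIfInvalid(
        HttpRequestMessage request, X509Certificate2 certificate,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
        {
            return true;
        }
        throw new AuthenticationException($"Server certificate rejected: {errors}");
    }

    public static HttpClientHandler CreateHandler(X509Certificate2 clientCertificate)
    {
        var handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual,
            // Pin the protocol on the handler itself; ServicePointManager is a
            // .NET Framework knob that SocketsHttpHandler does not consult.
            SslProtocols = SslProtocols.Tls12,
            ServerCertificateCustomValidationCallback = ValidateServerCertificateThrowIfInvalid,
        };
        handler.ClientCertificates.AddRange(BuildChainCollection(clientCertificate));
        return handler;
    }

    public static void Main()
    {
        // Placeholder path and password: substitute the real client PFX.
        var leaf = new X509Certificate2("client.pfx", "PLACEHOLDER_PASSWORD");

        // Show what will be offered, so it can be compared against the working
        // .NET Framework handshake.
        foreach (X509Certificate2 cert in BuildChainCollection(leaf))
        {
            Console.WriteLine($"offering: {cert.Subject} (issued by {cert.Issuer})");
        }

        using (var client = new HttpClient(CreateHandler(leaf)))
        {
            // Placeholder URL.
            var response = client.GetAsync("https://example.test/").GetAwaiter().GetResult();
            Console.WriteLine($"status: {(int)response.StatusCode}");
        }
    }
}
```

If `BuildChainCollection` throws, the intermediate certificates are not installed where the runtime can find them (on Linux, `X509Chain` looks in the user and machine CA stores and in the certificate's own AIA, not in the PFX), and that is worth fixing before looking at the handshake itself. If it succeeds and the server still reports `PKIX path building failed`, a packet capture of the `Certificate` handshake message will show whether the intermediates left the client at all.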