remoteCertificate passed to LocalCertificateSelectionCallback is always null on Windows

[wfurt]

I bump to it while working on test for #52499. While the trusted CA list is populated on Windows the remoteCertificate is not.
We try but the call we use always fails with SEC_E_INVALID_HANDLE. I confirmed with experts that the call cannot be used until handshake is done. We use same method and credentials to get the certificate after completed handshake and it works as expected. e.g. there is nothing wrong with the method or the credential handle.

It seems like there may be way how to get the certificate but it will need some exploration and more testing.

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

I bump to it while working on test for #52499. While the trusted CA list is populated on Windows the emoteCertificate is not.
We try but the call we use always fails with SEC_E_INVALID_HANDLE. I confirmed with experts that the call cannot be used until handshake is done. We use same method and credentials to get the certificate after completed handshake and it works as expected. e.g. there is nothing wrong with the method or the credential handle.

It seems like there may be way how to get the certificate but it will need some exploration and more testing.

Author:	wfurt
Assignees:	-
Labels:	area-System.Net.Security, os-windows
Milestone:	-

[karelz]

Triage: We need to call different function in Schannel to get the remoteCertificate before the handshake is done.
Not urgent.

[rzikm]

So far, I was unable to find alternative API, however, I have some notes:

• Chromium faced related problem(need to get server cert before handshake finishes), and they "solved" id by ditching SChannel in favor of BoringSSL
• All examples on the internet I could find used the same API as we do, but they waited until after the handshake is completed.

Can we ask the Schannel guys to point us to the appropriate API, @wfurt? because the only way I see to solve this is to manually parse the cert from the incoming data.

[wfurt]

we should use SECPKG_ATTR_REMOTE_CERT_CHAIN IMHO. If I remember right I did quick try while back and it did not fail event when called during handshake.
There is also newer API we can use as fallback but that would work only on some supported Windows versions ... but that may be good enough.