
App Service client certificate support seems bugged and insecure #111230

Open
Neutrino-Sunset opened this issue Jun 21, 2023 · 2 comments

Comments

@Neutrino-Sunset

In an App Service you can enable support for client certificates. There are four client certificate modes: Required, Optional, Allowed and Ignore.

The documentation only shows three options because it's out of date. That's the first issue.

If you set the client certificate mode to Require then what happens is that the Azure load balancer (which is where the TLS connection is terminated) performs a proper mutual TLS handshake. It requests the client certificate, and by the process of using the client certificate's public key to decrypt a random number that the server passed to the client it verifies that the client has the private key for the client certificate.

Azure then forwards the client certificate to the App Service where the application can make whatever other validity checks it likes.

That's all good. It's the other modes, Optional and Allow, that are the problem.

In these modes the Azure load balancer does not perform a mutual TLS handshake. I'm not even sure how it gets the certificate since it doesn't request it in the TLS handshake. But the client can pass a certificate that it doesn't even have the private key for and Azure will happily pass that to the App Service.

This strikes me as incredibly insecure. The load balancer passing a certificate that it hasn't even verified the client has the private key for affords exactly zero security. Any kind of validity checks that the App Service performs in this context are completely pointless, as it would be validating a certificate that the client might not even own.

The fact that the documentation makes no mention whatsoever of the completely different way that Azure handles these different certificate modes gives a completely false sense of security and is potentially leaving the unwary wide open to attack.

Hopefully I've misunderstood how this works.

More details in the SO post:
https://stackoverflow.com/questions/76481919/azure-app-service-what-does-client-certificate-mode-allow-or-optional-actually


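The gap the issue describes, as an added example in Go that is not code from the issue author or from Azure: a throwaway in-memory CA issues a client certificate, and the same certificate is then presented two ways. First inside a real TLS handshake against a `crypto/tls` server that requires and verifies client certificates, once with its private key and once without it; second as a base64 DER value, which is how App Service forwards a client certificate to the app in the `X-ARR-ClientCert` header, to an app-side check that parses it and verifies chain, validity window and extended key usage. The Azure front end itself is not simulated: `tls.RequireAndVerifyClientCert` is only the nearest `crypto/tls` analogue of the Require mode, and the CA, the names `app.example` and `device-001`, and the header contents are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Lab is a throwaway PKI built in memory for this demonstration only.
type Lab struct {
	Roots   *x509.CertPool
	Server  tls.Certificate
	Genuine tls.Certificate // client certificate together with its private key
	Keyless tls.Certificate // the same certificate without its key: all a capturer has
}

// mustSign issues a certificate for pub signed by signer; parent == tmpl makes it self-signed.
func mustSign(tmpl, parent *x509.Certificate, pub, signer any) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}

func NewLab() *Lab {
	tmpl := func(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		}
	}
	// crypto/rand does not fail in practice; the errors are dropped here for brevity.
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, srvKey, _ := ed25519.GenerateKey(rand.Reader)
	cliPub, cliKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := tmpl(1, "Demo Client CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, err := x509.ParseCertificate(mustSign(caTmpl, caTmpl, caPub, caKey))
	if err != nil {
		panic(err)
	}
	srvDER := mustSign(tmpl(2, "app.example", x509.ExtKeyUsageServerAuth), ca, srvPub, caKey)
	cliDER := mustSign(tmpl(3, "device-001", x509.ExtKeyUsageClientAuth), ca, cliPub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Lab{
		Roots:   roots,
		Server:  tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey},
		Genuine: tls.Certificate{Certificate: [][]byte{cliDER}, PrivateKey: cliKey},
		Keyless: tls.Certificate{Certificate: [][]byte{cliDER}},
	}
}

// Handshake runs one TLS handshake over loopback with the server in the given client-auth
// mode; it returns the client CN the server saw and the server's verdict on the handshake.
func (l *Lab) Handshake(mode tls.ClientAuthType, client tls.Certificate) (cn string, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{l.Server}, ClientAuth: mode, ClientCAs: l.Roots})
		defer srv.Close()
		if err = srv.Handshake(); err == nil && len(srv.ConnectionState().PeerCertificates) > 0 {
			cn = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		errc <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	// Server identity is out of scope here, hence InsecureSkipVerify. Go's client will not
	// present a certificate whose CertificateVerify it cannot sign, so a keyless entry is skipped.
	cli := tls.Client(raw, &tls.Config{Certificates: []tls.Certificate{client}, InsecureSkipVerify: true})
	_ = cli.Handshake() // the server's verdict is what we report
	err = <-errc
	cli.Close()
	return cn, err
}

// BackendAccepts models the app behind a terminating proxy: App Service forwards the client
// certificate as base64 DER in the X-ARR-ClientCert header, and all the app can do is parse it
// and verify chain, validity window and EKU. Nothing here shows the sender held the private key.
func BackendAccepts(header string, roots *x509.CertPool) (string, error) {
	der, err := base64.StdEncoding.DecodeString(header)
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	lab := NewLab()
	withKeyCN, withKeyErr := lab.Handshake(tls.RequireAndVerifyClientCert, lab.Genuine)
	_, noKeyErr := lab.Handshake(tls.RequireAndVerifyClientCert, lab.Keyless)
	// The same public bytes, arriving in a header instead of inside a handshake.
	headerCN, headerErr := BackendAccepts(base64.StdEncoding.EncodeToString(lab.Keyless.Certificate[0]), lab.Roots)
	fmt.Printf("mTLS with key:      cn=%q err=%v\n", withKeyCN, withKeyErr)
	fmt.Printf("mTLS without key:   err=%v\n", noKeyErr)
	fmt.Printf("header without key: cn=%q err=%v\n", headerCN, headerErr)
}
```

Run it with `go run .`; it needs a loopback TCP socket. The genuine client is accepted and the server reports `device-001`; the keyless client is rejected, because the TLS layer only accepts a certificate whose holder signs CertificateVerify with the matching key and Go's client therefore sends none, which a server in require mode refuses; the app-side check passes the identical bytes without error. That contrast is the point of the issue: chain, expiry and thumbprint checks on a forwarded certificate establish that it is well-formed and trusted, not that the party who sent the request holds its private key.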

@Grace-MacJones-MSFT
Contributor

Hi @Neutrino-Sunset , thanks for bringing this to our attention. Your feedback has been shared with the content owner for further review. cc: @cephalin

@Neutrino-Sunset
Author

Update. If using the App Service setting Client certificate mode: Require and you set any Certificate exclusion paths then the App Service also doesn't appear to perform an mTLS handshake.

Note missing Certificate Request in Server Hello
[screenshot attached to the original comment]

I could really do with an update on this. We are building significant infrastructure around client certificate authentication and yet for months now I've been unable to get any assurance from the Azure team as to whether their implementation of client certificate auth even works at all.

3 participants