ClientCertificate property no longer triggers renegotiation for HttpSys #466

Tratcher opened this issue Jul 6, 2021 · 0 comments · Fixed by dotnet/docs#25227

Labels: 6.0.0, Announcement, Breaking change, Documented (The breaking change has been published to the .NET Core docs)
Tratcher commented Jul 6, 2021

ClientCertificate property no longer triggers renegotiation for HttpSys

The HttpContext.Connection.ClientCertificate property will no longer trigger TLS renegotiations for HttpSys. See dotnet/aspnetcore#34124 for discussion.

Version introduced

6.0

Old behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation allowed renegotiation to be triggered by both HttpContext.Connection.ClientCertificate and HttpContext.Connection.GetClientCertificateAsync.

See #422 for related changes in 5.0.

New behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation will allow renegotiation to be triggered only by HttpContext.Connection.GetClientCertificateAsync. HttpContext.Connection.ClientCertificate will return the current certificate if available, but will not renegotiate with the client to request one.

Reason for change

When implementing the same features for Kestrel it became clear that applications needed to be able to check the state of the client certificate before triggering a renegotiation. This enables the following usage pattern to deal with issues like the request body conflicting with the renegotiation:

```csharp
// Only ask the client for a certificate when one is not already present.
if (connection.ClientCertificate == null)
{
  // Buffer the body first: a renegotiation conflicts with an unread request body.
  await BufferRequestBodyAsync();
  // This is the call that triggers the renegotiation.
  await connection.GetClientCertificateAsync();
}
```

Recommended action

Applications that use delayed client certificate negotiation need to call GetClientCertificateAsync() to trigger that.

Category

ASP.NET

Affected APIs

HttpSysOptions.ClientCertificateMethod
HttpContext.Connection.ClientCertificate
HttpContext.Connection.GetClientCertificateAsync


Issue metadata

  • Issue type: breaking-change
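The pattern above, carried through to a complete .NET 6 minimal-hosting app on HttpSys (Windows only), as an added example that is not part of the issue or the ASP.NET Core repository. The `/secure` route, the 403 response and the use of `Stream.Null` to drain the body are this example's own choices; the buffering helper the issue refers to as `BufferRequestBodyAsync()` is implemented inline with `EnableBuffering()`.

```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;

var builder = WebApplication.CreateBuilder(args);

// Opt in to delayed client certificate negotiation on HttpSys.
// (AllowRenegotation is the enum member's actual spelling.)
builder.WebHost.UseHttpSys(options =>
{
    options.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation;
});

var app = builder.Build();

// Assumed route name for this example.
app.MapPost("/secure", async (HttpContext context) =>
{
    var connection = context.Connection;

    // In 6.0 this property only reports a certificate that is already present;
    // it never starts a renegotiation, so null here just means "not yet asked".
    X509Certificate2? cert = connection.ClientCertificate;
    if (cert is null)
    {
        // Renegotiation conflicts with an unread request body, so buffer and
        // drain the body first, then rewind it so the handler can still read it.
        context.Request.EnableBuffering();
        await context.Request.Body.CopyToAsync(Stream.Null, context.RequestAborted);
        context.Request.Body.Position = 0;

        // The only call that triggers the renegotiation in 6.0.
        cert = await connection.GetClientCertificateAsync(context.RequestAborted);
    }

    if (cert is null)
    {
        // Client declined or has no certificate: refuse rather than fall through.
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        await context.Response.WriteAsync("Client certificate required.");
        return;
    }

    // Chain and policy validation remain the application's responsibility;
    // only the subject is echoed here for illustration.
    await context.Response.WriteAsync($"Hello, {cert.Subject}");
});

app.Run();
```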
@aspnet aspnet locked as resolved and limited conversation to collaborators Jul 6, 2021
@Tratcher Tratcher added this to the 6.0.0 milestone Jul 6, 2021
@Rick-Anderson Rick-Anderson added the Documented The breaking change has been published to the .NET Core docs label Jul 20, 2021