ClientCertificate property no longer triggers renegotiation for HttpSys #466
Labels
6.0.0
Announcement
Breaking change
Documented
The breaking change has been published to the .NET Core docs
Milestone
ClientCertificate property no longer triggers renegotiation for HttpSys
The
HttpContext.Connection.ClientCertificate
property will no longer trigger TLS renegotiations for HttpSys. See dotnet/aspnetcore#34124 for discussion.Version introduced
6.0
Old behavior
Setting
HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation
allowed renegotiation to be triggered by bothHttpContext.Connection.ClientCertificate
andHttpContext.Connection.GetClientCertifiateAsync
.See #422 for related changes in 5.0.
New behavior
Setting
HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation
will allow renegotiation to be triggered only byHttpContext.Connection.GetClientCertifiateAsync
.HttpContext.Connection.ClientCertificate
will return the current certificate if available, but will not renegotiate with the client to request one.Reason for change
When implementing the same features for Kestrel it became clear that applications needed to be able to check the state of the client certificate before triggering a renegotiation. This enables the following usage pattern to deal with issues like the request body conflicting with the renegotiation:
Recommended action
Applications that use delayed client certificate negotiation need to call GetClientCertificateAsync() to trigger that.
Category
ASP.NET
Affected APIs
HttpSysOptions.ClientCertificateMethod
HttpContext.Connection.ClientCertificate
HttpContext.Connection.GetClientCertifiateAsync
Issue metadata
The text was updated successfully, but these errors were encountered: