Implement client certificate authentication

[tmds]

Implement #332
Replaces #351

[dnfclas]

Hi @tmds, I'm your friendly neighborhood .NET Foundation Pull Request Bot (You can call me DNFBOT). Thanks for your contribution!
You've already signed the contribution license agreement. Thanks!

The agreement was validated by .NET Foundation and real humans are currently evaluating your PR.

TTYL, DNFBOT;

[tmds]

\cc @davidfowl @Tratcher @halter73

[tmds]

Should I remove this in favor of the HttpsConnectionFilterOptions overload?

[Tratcher]

Not yet. This will be the most common configuration.

[tmds]

Issues for coreclr support:

• https://github.com/dotnet/corefx/issues/4510
• https://github.com/dotnet/corefx/issues/4512

[benaadams]

I'm having a possibility related issue: https://github.com/dotnet/corefx/issues/4533

[Tratcher]

You can just store the Options object as a field rather than duplicating them all. E.g. https://github.com/aspnet/BasicMiddleware/blob/dev/src/Microsoft.AspNet.HttpOverrides/OverrideHeaderMiddleware.cs#L20

[Tratcher]

Implements some of https://github.com/aspnet/KestrelHttpServer/issues/241

[tmds]

It would be nicer if the code could use SslStream.RemoteCertificate instead of this variable. But RemoteCertificate isn't the same instance as the one passed to the validation callback. The validation callback gets an X509Certificate2 while RemoteCertificate is an X509Certificate.

[tmds]

@halter73 fyi, the client certificate is also working on coreclr.
One issue wasn't really an issue but an error by me (forgot to set HttpClient handler).
The other issue (converting X509Certificate to X509Certificates2) isn't causing a problem because the certificate passed to the validation callback is actually an X509Certificates2 so it can be casted.

[davidfowl]

@tmds can you rebase?

[cesarblum]

This fixes #365 👍

[cesarblum]

Could you add a test to check this?

[halter73]

[Tratcher]

nit, more spacing

[Tratcher]

[halter73]

Thanks "Master T" 😄

[tmds]

No problem. Thanks for your feedback.

[Dev8063]

@tmds @davidfowl @Tratcher

Question - Do we have full support for WCF services, configured in a web.config using X509 certificates? I've got myself upgraded to RC1, but my WCF calls no longer work. Is there any documentation I can use? Do I need to use something other than the web.config to configure my WCF endpoints? Can you point me in the right direction or do we not have support for what I'm trying to do?

Let me know what's going on:

Could not find endpoint element with name '' and contract '' in the ServiceModel client configuration section. This might be because no configuration file was found for your application, or because no endpoint element matching this name could be found in the client element.

[davidfowl]

Question - Do we have full support for WCF services, configured in a web.config using X509 certificates? I've got myself upgraded to RC1, but my WCF calls no longer work. Is there any documentation I can use? Do I need to use something other than the web.config to configure my WCF endpoints? Can you point me in the right direction or do we not have support for what I'm trying to do?

Not sure what you mean. ASP.NET 5 doesn't support WCF services.

[Dev8063]

@davidfowl Is there a way around this non-support for WCF services? I suppose we could programmatically load the endpoints. Would Kestrel work with that?

[Dev8063]

@davidfowl To Clarify, we just want to call WCF endpoints. We are not actually developing WCF endpoints on ASP.NET 5.

Can Kestrel support calling WCF endpoints with X509 certs (multiples)?

[benaadams]

@Dev8063 sounds like you want the coreclr client libraries over here: https://github.com/dotnet/wcf

[Dev8063]

@benaadams We're not to the point where our app runs off of dnxcore50 (i.e. the subset meant for cloud dev). Do these work with dnx451? I wouldn't see why they would not, but just thought I'd check.

[benaadams]

@Dev8063 you should be able to use regular libraries with the full framework; though you might want to ask in that repository or their glitter chat.