Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change HttpSys default client cert mode to Allow Cert #23162

Merged
merged 1 commit into from Jun 19, 2020
Merged

Change HttpSys default client cert mode to Allow Cert #23162

merged 1 commit into from Jun 19, 2020

Conversation

Tratcher
Copy link
Member

#14840 TLS Renegotiation causes a number of problems so we added a non-breaking option in 3.1 to let you disable it. Now for 5.0 we're changing it to be disabled by default. I've also updated GetClientCertificateAsync to honor the same setting.

Verified manually, client certs rely on machine state.

@Tratcher Tratcher added the breaking-change This issue / pr will introduce a breaking change, when resolved / merged. label Jun 19, 2020
@Tratcher Tratcher added this to the 5.0.0-preview7 milestone Jun 19, 2020
@Tratcher Tratcher self-assigned this Jun 19, 2020
@ghost ghost added the area-servers label Jun 19, 2020
@Tratcher Tratcher linked an issue Jun 19, 2020 that may be closed by this pull request
Change HttpSys default client cert mode to Allow #14840
Closed
halter73
halter73 reviewed Jun 19, 2020
View reviewed changes
src/Servers/HttpSys/src/FeatureContext.cs
if (_clientCert == null && method == ClientCertificateMethod.AllowRenegotation)
{
_clientCert = await Request.GetClientCertificateAsync(cancellationToken);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did this method have to change if this PR is merely changing the default mode?

Does this mean that ITlsConnectionFeature.GetClientCertificateAsync() was broken before when ClientCertificateMethod.AllowCertificate was set? Would it previously allow renegotiation anyway? Should we backport this part of the change?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the 3.1 fix we were primarily addressing complaints about ClientCertificate triggering IO, and sync-over-async at that. There haven't been complaints about GetClientCertificateAsync, it's rarely used. I'm changing it now more for consistency and efficiency.

@Tratcher Tratcher merged commit 4d7a79a into dotnet:master Jun 19, 2020
@Tratcher Tratcher deleted the tratcher/defaultcert branch June 19, 2020 23:35
This was referenced Jun 19, 2020
Closed
Open
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@halter73 halter73 halter73 approved these changes

@jkotalik jkotalik Awaiting requested review from jkotalik

Assignees

@Tratcher Tratcher

Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions breaking-change This issue / pr will introduce a breaking change, when resolved / merged.
Projects
None yet
Milestone
5.0.0-preview7
Development

Successfully merging this pull request may close these issues.

Change HttpSys default client cert mode to Allow
3 participants
@Tratcher @halter73 @amcasey