You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Both a Client Certificate and a Client Key are needed to perform Mutual Authentication
X509Certificate2 allows loading a PEM encoded certificate from CertificateFile, but the X509Certificate2.HasPrivateKey property will be false. The SSL connection will still succeed, but will not be mutually authenticated - SslStream.IsMutuallyAuthenticated will be false. To the user, this is unexpected behavior; when they provide a Client Certificate and the connection succeeds, they would assume the connection is using Mutual Authentication.
Loading separate Certificate and Key files has spotty support - it is possible in netstandard2.0 but not elegant: https://github.com/dotnet/corefx/issues/17892. If we wanted to support it, it'd probably be better to find a third-party library (BouncyCastle?) that handles loading and validating certificates in different formats.
I think that the best path forward that does not involve adding dependencies would be to only allow pkcs12 (.pfx) certificates with a bundled Certificate and Private Key in the CertificateFile.
The text was updated successfully, but these errors were encountered:
Sounds good. Is the backwards compatibility workaround (for consumers that are currently using CertificateFile with a PEM file) to just remove that option from the connection string (i.e., if there's no private key, it doesn't do anything anyway)? (That is, there's no need to add another DisableMutualAuthentication=true connection string option to be backwards-compatible?)
Is the backwards compatibility workaround (for consumers that are currently using CertificateFile with a PEM file) to just remove that option from the connection string
Both a Client Certificate and a Client Key are needed to perform Mutual Authentication
X509Certificate2
allows loading a PEM encoded certificate from CertificateFile, but the X509Certificate2.HasPrivateKey property will be false. The SSL connection will still succeed, but will not be mutually authenticated - SslStream.IsMutuallyAuthenticated will befalse
. To the user, this is unexpected behavior; when they provide a Client Certificate and the connection succeeds, they would assume the connection is using Mutual Authentication.Loading separate Certificate and Key files has spotty support - it is possible in
netstandard2.0
but not elegant: https://github.com/dotnet/corefx/issues/17892. If we wanted to support it, it'd probably be better to find a third-party library (BouncyCastle?) that handles loading and validating certificates in different formats.I think that the best path forward that does not involve adding dependencies would be to only allow pkcs12 (.pfx) certificates with a bundled Certificate and Private Key in the
CertificateFile
.The text was updated successfully, but these errors were encountered: