ClientCertificate property no longer triggers renegotiation for HttpSys

The HttpContext.Connection.ClientCertificate property will no longer trigger TLS renegotiations for HttpSys. See https://github.com/dotnet/aspnetcore/issues/34124 for discussion.

Version introduced

6.0

Old behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation allowed renegotiation to be triggered by both HttpContext.Connection.ClientCertificate and HttpContext.Connection.GetClientCertificateAsync. See https://github.com/aspnet/Announcements/issues/422 for the related changes in 5.0.

New behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation will allow renegotiation to be triggered only by HttpContext.Connection.GetClientCertificateAsync. HttpContext.Connection.ClientCertificate will return the current certificate if one is available, but will not renegotiate with the client to request one.

Reason for change

When implementing the same features for Kestrel it became clear that applications needed to be able to check the state of the client certificate before triggering a renegotiation. This enables the following usage pattern to deal with issues like the request body conflicting with the renegotiation:

    // Only renegotiate when no certificate was presented during the handshake.
    if (connection.ClientCertificate == null)
    {
        // Drain the request body first so it cannot interleave with the renegotiation.
        await BufferRequestBodyAsync();
        await connection.GetClientCertificateAsync();
    }

Recommended action

Applications that use delayed client certificate negotiation need to call GetClientCertificateAsync() to trigger it.

Category

ASP.NET

Affected APIs

HttpSysOptions.ClientCertificateMethod
HttpContext.Connection.ClientCertificate
HttpContext.Connection.GetClientCertificateAsync
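The following is an added, complete example of the recommended pattern; it is not code from the announcement or from the ASP.NET Core repository. It assumes ASP.NET Core 6.0 hosted on HTTP.sys (Windows only), a hypothetical binding of https://localhost:5001 and a hypothetical /secure endpoint, and it supplies its own BufferRequestBodyAsync helper (the announcement only names such a helper) using the standard HttpRequest.EnableBuffering() API. The enum member really is spelled AllowRenegotation.

```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;

var builder = WebApplication.CreateBuilder(args);

// Host on HTTP.sys and opt in to delayed (on-demand) client certificate renegotiation.
builder.WebHost.UseHttpSys(options =>
{
    options.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation;
    options.UrlPrefixes.Add("https://localhost:5001"); // hypothetical binding
});

var app = builder.Build();

// Hypothetical endpoint that requires a client certificate.
app.MapPost("/secure", async (HttpContext context) =>
{
    // 6.0 behavior: this property only reports a certificate that was already
    // presented during the TLS handshake; it never triggers a renegotiation.
    X509Certificate2? cert = context.Connection.ClientCertificate;

    if (cert == null)
    {
        // Unread request body bytes conflict with a renegotiation, so buffer
        // (drain) the body before asking the client for a certificate.
        await BufferRequestBodyAsync(context.Request);

        // This call is now the only thing that triggers renegotiation.
        cert = await context.Connection.GetClientCertificateAsync(context.RequestAborted);
    }

    if (cert == null)
    {
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        await context.Response.WriteAsync("Client certificate required.");
        return;
    }

    // The body was buffered, so downstream code can still read it after a rewind.
    string body = await new StreamReader(context.Request.Body).ReadToEndAsync();
    await context.Response.WriteAsync($"Hello {cert.Subject}, received {body.Length} bytes.");
});

app.Run();

// Reads the whole request body into a rewindable buffer so that the TLS
// renegotiation is not interleaved with unread request data.
static async Task BufferRequestBodyAsync(HttpRequest request)
{
    request.EnableBuffering();                 // replaces Body with a seekable buffering stream
    await request.Body.CopyToAsync(Stream.Null); // read to end; bytes are retained by the buffer
    request.Body.Position = 0;                 // rewind so later readers see the full body
}
```

Before 6.0, code that merely touched context.Connection.ClientCertificate would have renegotiated implicitly, possibly while the request body was still in flight; with this change that read is side-effect free, and the explicit GetClientCertificateAsync call after buffering is what an application must add when migrating.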