dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

HttpSysServer is triggering a TLS renegotiation for client cert even if disabled in http.sys #14806

Closed avparuch closed 5 years ago

avparuch commented 5 years ago

Describe the bug

Accessing the ClientCertificate property is triggering a TLS renegotiation on the HttpSysServer even though http.sys is configured properly not to request a client cert.

To Reproduce

Steps to reproduce the behavior:

  1. Using ASP.NET Core 2.2, create a brand new solution in Visual Studio 2019. Use the HttpSysServer version of the .NET Core project. https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-3.0

  2. Run this code: if (HttpContext.Connection.ClientCertificate != null)

  3. Purely because the ClientCertificate property is accessed, a TLS renegotiation is triggered and the user is prompted for a cert in the browser.

  4. This is despite the http.sys kernel mode driver being configured correctly not to request a client certificate (netsh http add sslcert hostnameport=a.microsoftonline.com:443 certhash=EC9CA6E0E645AAB24F8AD890DF75A448824D2C37 appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY clientcertnegotiation=disable).

Expected behavior

Other listeners on top of http.sys such as IIS do not exhibit this behavior, they respect the http.sys configuration. The expected behavior is to respect the http.sys configuration and not trigger renegotiation purely because the code is trying to check if the ClientCertificate is null or not.

Additional context

There is a closed issue already on this topic (the user did not provide a repro): https://github.com/aspnet/HttpSysServer/issues/340

Tratcher commented 5 years ago

Challenges:

Proposal:

Tratcher commented 5 years ago

Clarification on clientcertnegotiation: This netsh option only applies to the initial handshake. It does not apply to HttpReceiveClientCertificate which is what HttpListener and HttpSys call today.

The feature ask is the same though, wanting to be able to opt out of calling HttpReceiveClientCertificate, especially from the ClientCertificate property.
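As an added example (not code from the issue or from the aspnetcore project), an HttpSys host that separates the two concerns above: the host-level choice of whether the server may ever call HttpReceiveClientCertificate, and confining reads of ClientCertificate to the one route that actually needs mutual TLS, so the mere presence of a null check elsewhere cannot start a renegotiation. It assumes the ClientCertificateMethod setting on HttpSysOptions (the opt-out that shipped after this issue), and the URL prefix and the /mtls route are placeholders.

```csharp
// Added example, not the issue author's or the project's code.
using System.Threading.Tasks;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;

public static class Program
{
    // Set to false for an app that never needs a client cert: then the server never
    // calls HttpReceiveClientCertificate and ClientCertificate is simply null.
    private const bool SomeRoutesNeedClientCert = true;

    public static void Main(string[] args)
    {
        WebHost.CreateDefaultBuilder(args)
            .UseHttpSys(options =>
            {
                // Assumption: ClientCertificateMethod is the HttpSysOptions opt-out added
                // after this issue. The netsh clientcertnegotiation flag only governs the
                // initial handshake; this setting governs the later HttpReceiveClientCertificate
                // call that a read of the ClientCertificate property triggers.
                options.ClientCertificateMethod = SomeRoutesNeedClientCert
                    ? ClientCertificateMethod.AllowRenegotation
                    : ClientCertificateMethod.NoCertificate;
                // Placeholder prefix; the matching "netsh http add sslcert" binding must exist.
                options.UrlPrefixes.Add("https://+:443/");
            })
            .Configure(app => app.Run(HandleAsync))
            .Build()
            .Run();
    }

    // Only the mutual-TLS route reads ClientCertificate. Every other path never touches
    // the property, so even a 2.2 server does not renegotiate or prompt the browser there.
    private static async Task HandleAsync(HttpContext context)
    {
        if (!context.Request.Path.StartsWithSegments("/mtls")) // placeholder route
        {
            await context.Response.WriteAsync("public endpoint: client certificate never requested");
            return;
        }

        var cert = context.Connection.ClientCertificate; // the only read in the app
        if (cert == null)
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            await context.Response.WriteAsync("client certificate required");
            return;
        }
        await context.Response.WriteAsync($"authenticated as {cert.Subject}");
    }
}
```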