ClientCertificate property no longer triggers renegotiation for HttpSys

The HttpContext.Connection.ClientCertificate property no longer triggers TLS renegotiations for HttpSys.

Version introduced

ASP.NET Core 6.0

Old behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotiation allowed renegotiation to be triggered by both HttpContext.Connection.ClientCertificate and HttpContext.Connection.GetClientCertificateAsync.

New behavior

Setting HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotiation allows renegotiation to be triggered only by HttpContext.Connection.GetClientCertificateAsync. HttpContext.Connection.ClientCertificate returns the current certificate if available, but does not renegotiate with the client to request the certificate.

Reason for change

When implementing the same features for Kestrel, it became clear that applications need to be able to check the state of the client certificate before triggering a renegotiation. For issues like the request body conflicting with the renegotiation, checking the state enables the following usage pattern to deal with the issue:

if (connection.ClientCertificate == null)
{
  await BufferRequestBodyAsync();
  await connection.GetClientCertificateAsync();
}

Recommended action

Apps that use delayed client-certificate negotiation should call GetClientCertificateAsync(CancellationToken) to trigger renegotiation.

Affected APIs

• Microsoft.AspNetCore.Server.HttpSys.HttpSysOptions.ClientCertificateMethod
• Microsoft.AspNetCore.Http.ConnectionInfo.ClientCertificate
• Microsoft.AspNetCore.Http.ConnectionInfo.GetClientCertificateAsync(CancellationToken)

See also

• dotnet/aspnetcore issue number 34124