HttpSysServer is triggering a TLS renegotiation for client cert even if disabled in http.sys #14806
Labels
area-networking
Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Done
This issue has been fixed
enhancement
This issue represents an ask for new feature or an enhancement to an existing one
feature-httpsys
Milestone
Describe the bug
Accessing the ClientCertificate property is triggering a TLS renegotiation on the HttpSysServer even though http.sys is configured properly not to request for client cert.
To Reproduce
Steps to reproduce the behavior:
Using this version of ASP.NET Core 2.2. Create a brand new solution in Visual Studio 2019. Use the HttpSysServer version of the .NET core project. https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-3.0
Run this code if (HttpContext.Connection.ClientCertificate != null)
Purely because the ClientCertificateProperty is accessed, a TLS renegotiation is triggered and the user is prompted for a cert on the browser.
This is despite http.sys kernel mode driver being configured correctly not to request for clientcertificate. (netsh http add sslcert hostnameport=a.microsoftonline.com:443
certhash=EC9CA6E0E645AAB24F8AD890DF75A448824D2C37 appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY
clientcertnegotiation=disable).
Expected behavior
Other listeners on top of http.sys such as IIS do not exhibit this behavior, they respect the http.sys configuration. The expected behavior is to respect the http.sys configuration and not trigger renegotiation purely because the code is trying to check if the ClientCertificate is null or not.
Additional context
There is a closed issue already on this topic (the user did not provide a repro) : aspnet/HttpSysServer#340
The text was updated successfully, but these errors were encountered: