
HttpSysServer is triggering a TLS renegotiation for client cert even if disabled in http.sys #14806

Closed
avparuch opened this issue Oct 7, 2019 · 2 comments
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions Done This issue has been fixed enhancement This issue represents an ask for new feature or an enhancement to an existing one feature-httpsys

Comments

@avparuch
Contributor

avparuch commented Oct 7, 2019

Describe the bug

Accessing the ClientCertificate property is triggering a TLS renegotiation on the HttpSysServer even though http.sys is configured properly not to request a client cert.

To Reproduce

Steps to reproduce the behavior:

  1. Using ASP.NET Core 2.2, create a brand new solution in Visual Studio 2019. Use the HttpSysServer version of the .NET Core project. https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-3.0

  2. Run this code: `if (HttpContext.Connection.ClientCertificate != null)`

  3. Purely because the ClientCertificate property is accessed, a TLS renegotiation is triggered and the user is prompted for a cert in the browser.

  4. This is despite the http.sys kernel mode driver being configured correctly not to request a client certificate (`netsh http add sslcert hostnameport=a.microsoftonline.com:443
    certhash=EC9CA6E0E645AAB24F8AD890DF75A448824D2C37 appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}' certstorename=MY
    clientcertnegotiation=disable`).

Expected behavior

Other listeners on top of http.sys, such as IIS, do not exhibit this behavior; they respect the http.sys configuration. The expected behavior is to respect the http.sys configuration and not trigger renegotiation purely because the code is trying to check whether the ClientCertificate is null or not.

Additional context

There is a closed issue already on this topic (the user did not provide a repro): aspnet/HttpSysServer#340

@Tratcher
Member

Tratcher commented Oct 8, 2019

Challenges:

  • This behavior has been there for 7+ years, going all the way back to Microsoft.Owin and maybe even HttpListener. Changing it is likely to break existing apps.
  • We don't currently have a way to see what netsh configuration you've specified for clientcertnegotiation. I would have expected Http.Sys to reconcile this internally rather than renegotiate.

Proposal:

  • Add an API on HttpSysOptions that allows you to opt out of this behavior for the ClientCertificate property. Calling GetCertificateAsync directly would probably keep the existing behavior.

@Tratcher
Member

Tratcher commented Oct 9, 2019

Clarification on clientcertnegotiation: This netsh option only applies to the initial handshake. It does not apply to HttpReceiveClientCertificate, which is what HttpListener and HttpSys call today.

The feature ask is the same though, wanting to be able to opt out of calling HttpReceiveClientCertificate, especially from the ClientCertificate property.
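
The opt-out Tratcher proposes, shown as an added example that is not code from this thread or from the HttpSys project: it assumes the later-shipped `HttpSysOptions.ClientCertificateMethod` setting (ASP.NET Core 3.1+) and the `/mtls` path, prefix and endpoint bodies are constructed for illustration. The mid-request renegotiation is disabled globally, and only one endpoint ever reads the property, so the behavior described in the issue cannot be triggered by unrelated requests.

```csharp
// Added example (C#, ASP.NET Core 3.1+), not code from this issue thread.
// Assumes Microsoft.AspNetCore.Server.HttpSys exposes HttpSysOptions.ClientCertificateMethod,
// the opt-out this thread asks for, which shipped after the issue was filed.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;
using Microsoft.Extensions.Hosting;

public static class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web =>
            {
                web.UseHttpSys(options =>
                {
                    // Matches the intent of "clientcertnegotiation=disable": the ClientCertificate
                    // property must never call HttpReceiveClientCertificate and renegotiate
                    // mid-request. Endpoints that need mutual TLS should sit behind a binding
                    // whose initial handshake already requests the certificate.
                    options.ClientCertificateMethod = ClientCertificateMethod.NoCertificate;
                    options.UrlPrefixes.Add("https://localhost:5001"); // constructed prefix
                });
                web.Configure(app =>
                {
                    app.Map("/mtls", mtls => mtls.Run(MtlsEndpoint)); // constructed path
                    app.Run(ctx => ctx.Response.WriteAsync("public endpoint; certificate never requested\n"));
                });
            })
            .Build()
            .Run();

    // The only place the certificate is read. With NoCertificate the property is null
    // unless the certificate was negotiated during the handshake, so a null here is a
    // policy failure to reject, not a cue to prompt the browser for a certificate.
    private static async Task MtlsEndpoint(HttpContext ctx)
    {
        var cert = ctx.Connection.ClientCertificate;
        if (cert == null)
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            await ctx.Response.WriteAsync("client certificate required at the TLS handshake\n");
            return;
        }
        await ctx.Response.WriteAsync($"hello {cert.Subject}\n");
    }
}
```

On ASP.NET Core 2.2, where the option does not exist, the same protection comes from the second half of the example alone: keep every `ClientCertificate` read confined to endpoints that genuinely require mutual TLS.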

@Tratcher Tratcher added the enhancement This issue represents an ask for new feature or an enhancement to an existing one label Oct 9, 2019
@Tratcher Tratcher added the Done This issue has been fixed label Oct 9, 2019
@Tratcher Tratcher closed this as completed Oct 9, 2019
@dotnet dotnet locked as resolved and limited conversation to collaborators Dec 2, 2019
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 2, 2023