diff --git a/src/Servers/HttpSys/src/FeatureContext.cs b/src/Servers/HttpSys/src/FeatureContext.cs
index 23e174344ce3..ab569e1bfaf0 100644
--- a/src/Servers/HttpSys/src/FeatureContext.cs
+++ b/src/Servers/HttpSys/src/FeatureContext.cs
@@ -333,7 +333,18 @@ async Task ITlsConnectionFeature.GetClientCertificateAsync(Can
         {
             if (IsNotInitialized(Fields.ClientCertificate))
             {
-                _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+                var method = _requestContext.Server.Options.ClientCertificateMethod;
+                if (method != ClientCertificateMethod.NoCertificate)
+                {
+                    // Check if a cert was already available on the connection.
+                    _clientCert = Request.ClientCertificate;
+                }
+                if (_clientCert == null && method == ClientCertificateMethod.AllowRenegotation)
+                {
+                    _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+                }
+
                 SetInitialized(Fields.ClientCertificate);
             }
             return _clientCert;
diff --git a/src/Servers/HttpSys/src/HttpSysOptions.cs b/src/Servers/HttpSys/src/HttpSysOptions.cs
index 15e83d9fea73..db9579798030 100644
--- a/src/Servers/HttpSys/src/HttpSysOptions.cs
+++ b/src/Servers/HttpSys/src/HttpSysOptions.cs
@@ -55,11 +55,11 @@ public string RequestQueueName
     public RequestQueueMode RequestQueueMode { get; set; }
     ///
-    /// Indicates how client certificates should be populated. The default is to allow renegotation.
+    /// Indicates how client certificates should be populated. The default is to allow a certificate without renegotiation.
     /// This does not change the netsh 'clientcertnegotiation' binding option which will need to be enabled for
     /// ClientCertificateMethod.AllowCertificate to resolve a certificate.
     ///
-    public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowRenegotation;
+    public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowCertificate;
     ///
     /// The maximum number of concurrent accepts.
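Review bot: The inline comment on the first new branch only says a certificate may already be on the connection; since that branch is the sole path under the new `AllowCertificate` default, it should also state that the renegotiation below is opt-in, e.g. `// AllowCertificate and AllowRenegotation both use a cert already negotiated on the connection; a renegotiation is only requested below when the app explicitly opted in via AllowRenegotation.` The second condition would read more consistently as `if (_clientCert is null && method == ClientCertificateMethod.AllowRenegotation)` if the rest of the file uses pattern-matching null checks. In the `NoCertificate` case `_clientCert` is left untouched before `SetInitialized`, which is presumably null whenever `IsNotInitialized` is true, but that is worth confirming against the field's initialisation. The enclosing `GetClientCertificateAsync` method starts before the hunk.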
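Review bot: Changing the default from `AllowRenegotation` to `AllowCertificate` is a behavioural change for any application that relied on the previous default to request a certificate on demand, and the updated summary only restates the new default without saying what existing callers must do. Suggest adding after the first sentence: `/// Applications that need a certificate requested after the connection is established must set ClientCertificateMethod.AllowRenegotation explicitly; with AllowCertificate, only a certificate already available on the connection is returned, otherwise null.` The prose now spells "renegotiation" correctly while the public enum member keeps the `AllowRenegotation` spelling; renaming it is out of scope here since it is public API, but the mismatch may deserve a short remark in the summary so readers do not assume a typo in the code.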