From 43e40ce3ec2fa55b0f9d1fdfa51f4b8c7ba30f39 Mon Sep 17 00:00:00 2001
From: Chris R
Date: Fri, 19 Jun 2020 09:28:38 -0700
Subject: [PATCH] Change HttpSys default client cert mode to Allow Cert #14840
---
 src/Servers/HttpSys/src/FeatureContext.cs | 13 ++++++++++++-
 src/Servers/HttpSys/src/HttpSysOptions.cs | 4 ++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/Servers/HttpSys/src/FeatureContext.cs b/src/Servers/HttpSys/src/FeatureContext.cs
index 23e174344ce3..ab569e1bfaf0 100644
--- a/src/Servers/HttpSys/src/FeatureContext.cs
+++ b/src/Servers/HttpSys/src/FeatureContext.cs
@@ -333,7 +333,18 @@ async Task ITlsConnectionFeature.GetClientCertificateAsync(Can
 {
 if (IsNotInitialized(Fields.ClientCertificate))
 {
- _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+ var method = _requestContext.Server.Options.ClientCertificateMethod;
+ if (method != ClientCertificateMethod.NoCertificate)
+ {
+ // Check if a cert was already available on the connection.
+ _clientCert = Request.ClientCertificate;
+ }
+
+ if (_clientCert == null && method == ClientCertificateMethod.AllowRenegotation)
+ {
+ _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+ }
+
 SetInitialized(Fields.ClientCertificate);
 }
 return _clientCert;
diff --git a/src/Servers/HttpSys/src/HttpSysOptions.cs b/src/Servers/HttpSys/src/HttpSysOptions.cs
index 15e83d9fea73..db9579798030 100644
--- a/src/Servers/HttpSys/src/HttpSysOptions.cs
+++ b/src/Servers/HttpSys/src/HttpSysOptions.cs
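Review bot: The mode precedence the new block in FeatureContext.cs encodes is not written down anywhere, and the one comment ("Check if a cert was already available on the connection.") covers only the first branch; a reader has to reconstruct that NoCertificate leaves `_clientCert` null, AllowCertificate returns only a certificate already present on the request, and AllowRenegotation additionally falls through to `Request.GetClientCertificateAsync`. Suggest replacing that comment with a short one above the first `if`, e.g. `// NoCertificate: never expose a cert; AllowCertificate: only one already negotiated on the connection; AllowRenegotation: additionally request one now.` What `Request.ClientCertificate` actually yields (handshake-negotiated cert versus something cached) is not visible in this hunk, so the wording should be confirmed against that property. As a style point, `_clientCert == null` in the second condition would read better as `_clientCert is null`, which is immune to operator overloading. GetClientCertificateAsync's signature and closing brace lie outside the hunk.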
@@ -55,11 +55,11 @@ public string RequestQueueName
 public RequestQueueMode RequestQueueMode { get; set; }
 ///
- /// Indicates how client certificates should be populated. The default is to allow renegotation.
+ /// Indicates how client certificates should be populated. The default is to allow a certificate without renegotiation.
 /// This does not change the netsh 'clientcertnegotiation' binding option which will need to be enabled for
 /// ClientCertificateMethod.AllowCertificate to resolve a certificate.
 ///
- public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowRenegotation;
+ public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowCertificate;
 ///
 /// The maximum number of concurrent accepts.
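Review bot: With the new default, a call to GetClientCertificateAsync that previously triggered a renegotiation now returns null, with no error, on any binding where the netsh 'clientcertnegotiation' option is not enabled; the `+` summary line states the new default but not this consequence for existing callers. Suggest adding one sentence after the existing netsh remark: `/// Applications that relied on the previous default must set ClientCertificateMethod.AllowRenegotation explicitly to have a certificate requested on demand.` Because the absence of a certificate is surfaced as null rather than an exception, any deployment that gates authorization on the returned certificate only fails closed if it checks for null, so this default change also merits a release note (inferred; nothing on the page shows one).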