From e2706a5c10dd1faf5cd4d273f651dbeb91802682 Mon Sep 17 00:00:00 2001 From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Mon, 19 Jul 2021 16:05:20 -0700 Subject: [PATCH 1/2] clientcert breaking change --- docs/core/compatibility/6.0.md | 1 + .../aspnet-core/6.0/byte-array-interop.md | 13 +++++ ...ertificate-doesnt-trigger-renegotiation.md | 58 +++++++++++++++++++ docs/core/compatibility/toc.yml | 4 ++ 4 files changed, 76 insertions(+) create mode 100644 docs/core/compatibility/aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md diff --git a/docs/core/compatibility/6.0.md b/docs/core/compatibility/6.0.md index 8d760c636c99d..c9acb79ac450c 100644 --- a/docs/core/compatibility/6.0.md +++ b/docs/core/compatibility/6.0.md @@ -19,6 +19,7 @@ If you're migrating an app to .NET 6, the breaking changes listed here might aff - [Blazor: WebEventDescriptor.EventArgsType property replaced](aspnet-core/6.0/blazor-eventargstype-property-replaced.md) - [Blazor: Byte array interop](aspnet-core/6.0/byte-array-interop.md) - [Changed MessagePack library in @microsoft/signalr-protocol-msgpack](aspnet-core/6.0/messagepack-library-change.md) +- [ClientCertificate property doesn't trigger renegotiation for HttpSys](aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md) - [Kestrel: Log message attributes changed](aspnet-core/6.0/kestrel-log-message-attributes-changed.md) - [Microsoft.AspNetCore.Http.Features split](aspnet-core/6.0/microsoft-aspnetcore-http-features-package-split.md) - [Middleware: HTTPS Redirection Middleware throws exception on ambiguous HTTPS ports](aspnet-core/6.0/middleware-ambiguous-https-ports-exception.md) diff --git a/docs/core/compatibility/aspnet-core/6.0/byte-array-interop.md b/docs/core/compatibility/aspnet-core/6.0/byte-array-interop.md index bdc55d8477c1d..7381c01a6d1e6 100644 --- a/docs/core/compatibility/aspnet-core/6.0/byte-array-interop.md +++ b/docs/core/compatibility/aspnet-core/6.0/byte-array-interop.md 
@@ -57,3 +57,16 @@ For example, if you have the following code, then you _should_ provide a `Uint8A ```csharp var bytes = await _jsRuntime.InvokeAsync("someJSMethodReturningAByteArray"); ``` + + + diff --git a/docs/core/compatibility/aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md b/docs/core/compatibility/aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md new file mode 100644 index 0000000000000..9c592c0945824 --- /dev/null +++ b/docs/core/compatibility/aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md 
@@ -0,0 +1,58 @@ +--- +title: "Breaking change: ClientCertificate property no longer triggers renegotiation for HttpSys" +description: "Learn about the breaking change in ASP.NET Core 6.0 where the ClientCertificate property no longer triggers renegotiation for HttpSys." +ms.date: 07/20/2021 +--- +# ClientCertificate property no longer triggers renegotiation for HttpSys + +The [`HttpContext.Connection.ClientCertificate`](xref:Microsoft.AspNetCore.Http.ConnectionInfo.ClientCertificate?displayProperty=nameWithType) property no longer triggers TLS renegotiations for HttpSys. + +## Version introduced + +ASP.NET Core 6.0 + +### Old behavior + +Setting `HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotiation` allowed renegotiation to be triggered by both `HttpContext.Connection.ClientCertificate` and `HttpContext.Connection.GetClientCertifiateAsync`. + +### New behavior + +Setting `HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowRenegotiation` allows renegotiation to be triggered only by `HttpContext.Connection.GetClientCertifiateAsync`. `HttpContext.Connection.ClientCertificate` returns the current certificate if available, but does not renegotiate with the client to request the certificate. + +## Reason for change + +When implementing the same features for Kestrel, it became clear that applications need to be able to check the state of the client certificate before triggering a renegotiation. Checking the state enables the following usage pattern to deal with issues like the request body conflicting with the renegotiation: + +```csharp +if (connection.ClientCertificate == null) +{ + await BufferRequestBodyAsync(); + await connection.GetClientCertificateAsync(); +} +``` + +## Recommended action + +Apps that use delayed client-certificate negotiation should call to trigger renegotiation. 
+ +## Affected APIs + +- +- +- + +## See also + +- [dotnet/aspnetcore issue number 34124](https://github.com/dotnet/aspnetcore/issues/34124) + + diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index 41e145568554d..a836e8c138b6c 100644 --- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml @@ -33,6 +33,8 @@ items: href: aspnet-core/6.0/blazor-eventargstype-property-replaced.md - name: "Blazor: Byte-array interop" href: aspnet-core/6.0/byte-array-interop.md + - name: ClientCertificate doesn't trigger renegotiation + href: aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md - name: "Kestrel: Log message attributes changed" href: aspnet-core/6.0/kestrel-log-message-attributes-changed.md - name: "MessagePack: Library changed in @microsoft/signalr-protocol-msgpack" @@ -401,6 +403,8 @@ items: href: aspnet-core/6.0/blazor-eventargstype-property-replaced.md - name: "Blazor: Byte-array interop" href: aspnet-core/6.0/byte-array-interop.md + - name: ClientCertificate doesn't trigger renegotiation + href: aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md - name: "Kestrel: Log message attributes changed" href: aspnet-core/6.0/kestrel-log-message-attributes-changed.md - name: "MessagePack: Library changed in @microsoft/signalr-protocol-msgpack" From 2a901c323527b37b513c50a5461c913db5258185 Mon Sep 17 00:00:00 2001 From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Mon, 19 Jul 2021 16:13:24 -0700 Subject: [PATCH 2/2] tweaks --- docs/core/compatibility/aspnet-core/6.0/byte-array-interop.md | 1 - .../6.0/clientcertificate-doesnt-trigger-renegotiation.md | 3 ++- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/core/compatibility/aspnet-core/6.0/byte-array-interop.md b/docs/core/compatibility/aspnet-core/6.0/byte-array-interop.md index 7381c01a6d1e6..007360ad721fa 100644 --- a/docs/core/compatibility/aspnet-core/6.0/byte-array-interop.md 
+++ b/docs/core/compatibility/aspnet-core/6.0/byte-array-interop.md @@ -69,4 +69,3 @@ ASP.NET Core Not detectable via API analysis --> - diff --git a/docs/core/compatibility/aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md b/docs/core/compatibility/aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md index 9c592c0945824..d70291823bd00 100644 --- a/docs/core/compatibility/aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md +++ b/docs/core/compatibility/aspnet-core/6.0/clientcertificate-doesnt-trigger-renegotiation.md @@ -2,6 +2,7 @@ title: "Breaking change: ClientCertificate property no longer triggers renegotiation for HttpSys" description: "Learn about the breaking change in ASP.NET Core 6.0 where the ClientCertificate property no longer triggers renegotiation for HttpSys." ms.date: 07/20/2021 +no-loc: [ Kestrel ] --- # ClientCertificate property no longer triggers renegotiation for HttpSys @@ -21,7 +22,7 @@ Setting `HttpSysOptions.ClientCertificateMethod = ClientCertificateMethod.AllowR ## Reason for change -When implementing the same features for Kestrel, it became clear that applications need to be able to check the state of the client certificate before triggering a renegotiation. Checking the state enables the following usage pattern to deal with issues like the request body conflicting with the renegotiation: +When implementing the same features for Kestrel, it became clear that applications need to be able to check the state of the client certificate before triggering a renegotiation. For issues like the request body conflicting with the renegotiation, checking the state enables the following usage pattern to deal with the issue: ```csharp if (connection.ClientCertificate == null)
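
Review bot: The method name is misspelled as `GetClientCertifiateAsync` (missing a "c") in both the "Old behavior" and "New behavior" paragraphs of the new clientcertificate-doesnt-trigger-renegotiation.md, while the C# snippet in the same file calls `connection.GetClientCertificateAsync()`. Correct both occurrences so the prose matches the snippet and is searchable. In the same hunk, `### Old behavior` and `### New behavior` sit under `## Version introduced`, which makes them read as subsections of the version line; promote them to `##` or give them their own parent heading. The snippet also awaits `GetClientCertificateAsync()` and discards the result, so consider stating under "Recommended action" that the app should use the returned certificate and handle the case where the client supplies none.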
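
Review bot: The 13 lines added to byte-array-interop.md in patch 1/2 are unrelated to the subject "clientcert breaking change", and patch 2/2 ("tweaks") touches that file again to remove one line without explanation. Move the byte-array-interop.md change into its own commit, or mention it in the commit message, so the client-certificate change can be reviewed and reverted independently.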
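
Review bot: The new entries in 6.0.md and in both toc.yml hunks start with "ClientCertificate", whereas the neighbouring entries lead with the component ("Blazor:", "Kestrel:", "Middleware:", "MessagePack:"). Since the change applies only to HttpSys, a title such as "HttpSys: ClientCertificate doesn't trigger renegotiation" would match that convention; the entry would then need to be re-sorted in each list. The toc.yml name also drops the "for HttpSys" qualifier that the 6.0.md link text keeps, so the two labels for the same page differ.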
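
Review bot: The reworded sentence under "Reason for change" in patch 2/2 now says "For issues like the request body conflicting with the renegotiation, ... to deal with the issue", repeating "issue" and switching from plural to singular. The wording it replaces was tighter; if the reorder is kept, end the sentence at "enables the following usage pattern:" and drop "to deal with the issue".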