Change HttpSys default client cert mode to Allow Cert #14840 (#23162)

src/Servers/HttpSys/src/FeatureContext.cs

@@ -333,7 +333,18 @@ namespace Microsoft.AspNetCore.Server.HttpSys
         {
             if (IsNotInitialized(Fields.ClientCertificate))
             {
-                _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+                var method = _requestContext.Server.Options.ClientCertificateMethod;
+                if (method != ClientCertificateMethod.NoCertificate)
+                {
+                    // Check if a cert was already available on the connection.
+                    _clientCert = Request.ClientCertificate;
+                }
+
+                if (_clientCert == null && method == ClientCertificateMethod.AllowRenegotation)
+                {
+                    _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+                }
+
                 SetInitialized(Fields.ClientCertificate);
             }
             return _clientCert;

src/Servers/HttpSys/src/HttpSysOptions.cs

@@ -55,11 +55,11 @@ namespace Microsoft.AspNetCore.Server.HttpSys
         public RequestQueueMode RequestQueueMode { get; set; }
 
         /// <summary>
-        /// Indicates how client certificates should be populated. The default is to allow renegotation.
+        /// Indicates how client certificates should be populated. The default is to allow a certificate without renegotiation.
         /// This does not change the netsh 'clientcertnegotiation' binding option which will need to be enabled for
         /// ClientCertificateMethod.AllowCertificate to resolve a certificate.
         /// </summary>
-        public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowRenegotation;
+        public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowCertificate;
 
         /// <summary>
         /// The maximum number of concurrent accepts.