diff --git a/src/Servers/HttpSys/src/FeatureContext.cs b/src/Servers/HttpSys/src/FeatureContext.cs
index 23e174344c..ab569e1bfa 100644
--- a/src/Servers/HttpSys/src/FeatureContext.cs
+++ b/src/Servers/HttpSys/src/FeatureContext.cs
@@ -333,7 +333,18 @@ namespace Microsoft.AspNetCore.Server.HttpSys
{
if (IsNotInitialized(Fields.ClientCertificate))
{
- _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+ var method = _requestContext.Server.Options.ClientCertificateMethod;
+ if (method != ClientCertificateMethod.NoCertificate)
+ {
+ // Check if a cert was already available on the connection.
+ _clientCert = Request.ClientCertificate;
+ }
+
+ if (_clientCert == null && method == ClientCertificateMethod.AllowRenegotation)
+ {
+ _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+ }
+
SetInitialized(Fields.ClientCertificate);
}
return _clientCert;
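Review bot: The renegotiation branch at `if (_clientCert == null && method == ClientCertificateMethod.AllowRenegotation)` has no comment, although it is the security-relevant decision in this hunk. With `NoCertificate`, or with `AllowCertificate` when the connection carries no certificate, the method now marks the field initialized and returns null without contacting the client. I would state that above the branch, for example `// Renegotiate only when explicitly opted in; otherwise a missing certificate is returned as null and callers must treat it as unauthenticated.` The result is cached by `SetInitialized`, so a null from the first call is presumably what every later call on this request sees, which is worth adding to the method's doc comment. The enclosing method starts and ends outside the hunk, so I cannot see whether it already has such a comment.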
diff --git a/src/Servers/HttpSys/src/HttpSysOptions.cs b/src/Servers/HttpSys/src/HttpSysOptions.cs
index 15e83d9fea..db95797980 100644
--- a/src/Servers/HttpSys/src/HttpSysOptions.cs
+++ b/src/Servers/HttpSys/src/HttpSysOptions.cs
@@ -55,11 +55,11 @@ namespace Microsoft.AspNetCore.Server.HttpSys
public RequestQueueMode RequestQueueMode { get; set; }
///
- /// Indicates how client certificates should be populated. The default is to allow renegotation.
+ /// Indicates how client certificates should be populated. The default is to allow a certificate without renegotiation.
/// This does not change the netsh 'clientcertnegotiation' binding option which will need to be enabled for
/// ClientCertificateMethod.AllowCertificate to resolve a certificate.
///
- public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowRenegotation;
+ public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowCertificate;
///
/// The maximum number of concurrent accepts.
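Review bot: The summary on `ClientCertificateMethod` states the new default but not what it means for applications that relied on the old one. Judging by the FeatureContext.cs hunk in this same diff, `GetClientCertificateAsync` no longer renegotiates under the default and returns null when the connection has no certificate. Deployments that authenticate with client certificates and do not have the netsh `clientcertnegotiation` binding option enabled would therefore start seeing no certificate after upgrading. I would add a line to the summary such as `/// With the default, no renegotiation is attempted and a missing certificate is reported as null; set ClientCertificateMethod.AllowRenegotation to restore the previous behavior.` The change should also be recorded as a breaking change in the release notes.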