From 4d7a79ad6475faeed17a355aad2a38eba3408314 Mon Sep 17 00:00:00 2001
From: Chris Ross
Date: Fri, 19 Jun 2020 16:34:56 -0700
Subject: [PATCH] Change HttpSys default client cert mode to Allow Cert #14840 (#23162)
---
 src/Servers/HttpSys/src/FeatureContext.cs | 13 ++++++++++++-
 src/Servers/HttpSys/src/HttpSysOptions.cs | 4 ++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/Servers/HttpSys/src/FeatureContext.cs b/src/Servers/HttpSys/src/FeatureContext.cs
index 23e174344c..ab569e1bfa 100644
--- a/src/Servers/HttpSys/src/FeatureContext.cs
+++ b/src/Servers/HttpSys/src/FeatureContext.cs
@@ -333,7 +333,18 @@ namespace Microsoft.AspNetCore.Server.HttpSys
 {
 if (IsNotInitialized(Fields.ClientCertificate))
 {
- _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+ var method = _requestContext.Server.Options.ClientCertificateMethod;
+ if (method != ClientCertificateMethod.NoCertificate)
+ {
+ // Check if a cert was already available on the connection.
+ _clientCert = Request.ClientCertificate;
+ }
+
+ if (_clientCert == null && method == ClientCertificateMethod.AllowRenegotation)
+ {
+ _clientCert = await Request.GetClientCertificateAsync(cancellationToken);
+ }
+
 SetInitialized(Fields.ClientCertificate);
 }
 return _clientCert;
diff --git a/src/Servers/HttpSys/src/HttpSysOptions.cs b/src/Servers/HttpSys/src/HttpSysOptions.cs
index 15e83d9fea..db95797980 100644
--- a/src/Servers/HttpSys/src/HttpSysOptions.cs
+++ b/src/Servers/HttpSys/src/HttpSysOptions.cs
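Review bot: The comment `// Check if a cert was already available on the connection.` on the new non-NoCertificate path does not say why a certificate may or may not already be there, which is exactly what a reader who gets null back from this feature needs to know. I would write it as `// Use the certificate HTTP.sys already obtained on this connection, if any (presumably at the TLS handshake; per HttpSysOptions this needs the netsh 'clientcertnegotiation' binding option). Only AllowRenegotation below triggers a renegotiation to request one.` The netsh dependency is stated on the option's doc comment in HttpSysOptions.cs, so repeating it at the point of use avoids a silent-null surprise under the new AllowCertificate default. A smaller style point: `_clientCert == null` could be `_clientCert is null` to match the pattern-matching form. The enclosing method's signature and closing brace lie outside the hunk.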
@@ -55,11 +55,11 @@ namespace Microsoft.AspNetCore.Server.HttpSys
 public RequestQueueMode RequestQueueMode { get; set; }
 
 ///
- /// Indicates how client certificates should be populated. The default is to allow renegotation.
+ /// Indicates how client certificates should be populated. The default is to allow a certificate without renegotiation.
 /// This does not change the netsh 'clientcertnegotiation' binding option which will need to be enabled for
 /// ClientCertificateMethod.AllowCertificate to resolve a certificate.
 ///
- public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowRenegotation;
+ public ClientCertificateMethod ClientCertificateMethod { get; set; } = ClientCertificateMethod.AllowCertificate;
 
 ///
 /// The maximum number of concurrent accepts.
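Review bot: The updated summary on `ClientCertificateMethod` does not say that the default itself changed, so an application that relied on the previous AllowRenegotation default will start seeing a null client certificate with no code change on its side unless it either sets `ClientCertificateMethod = ClientCertificateMethod.AllowRenegotation` explicitly or enables the netsh 'clientcertnegotiation' binding option the comment already mentions. I would add one sentence to the summary, such as `Earlier versions defaulted to AllowRenegotation; set this property explicitly to keep that behavior.` Not triggering TLS renegotiation by default is a reasonable direction, but the migration note belongs next to the default so that a missing certificate is diagnosed as a configuration change rather than a client problem.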