[HTTP/3] Suppress LocalCertificateSelectionCallback when QUIC is used

[ManickaP]

Fixes #56090

[ghost]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Fixes #56090

Author:	ManickaP
Assignees:	-
Labels:	area-System.Net.Http
Milestone:	-

[stephentoub]

This defaults to null. What's setting it to non-null?

[ManickaP]

AFAIU: HttpClientHandler.ClientCertificateOptions

[ManickaP]

And it gets set in default ctor of client handler:

runtime/src/libraries/System.Net.Http/src/System/Net/Http/HttpClientHandler.cs

Line 48 in b823f14

ClientCertificateOptions = ClientCertificateOption.Manual;

[stephentoub]

I see, thanks. What happens when this isn't nulled out? If our QUIC implementation doesn't support a non-null LocalCertificateSelectionCallback, doesn't this mean we're making our tests pass even though all normal usage will fail?

[CarnaViire]

Before #55877 LocalCertificateSelectionCallback was just ignored silently, so I guess if something weird was passed in the callback we didn't catch it, if that's what you mean?

[CarnaViire]

I personally think that reverting might be safer because it's possible there were other things like this implicit LocalCertificateSelectionCallback... 🤔

[ManickaP]

Looking into the code, all this hidden HttpClientHandler LocalCertificateSelectionCallback does is selects a cert from ClientCertificates collection based on having private key and checking its extensions. And that first part is what we do in msquic (selecting the one with private key). So despite ignoring the callback, it might still work as excepted in most cases. But @wfurt would have to chime in here for more details, this the extent of my knowledge with certs.

[ManickaP]

The HttpClientHandler callback:

runtime/src/libraries/Common/src/System/Net/Security/CertificateHelper.cs

Lines 29 to 62 in 913facd

	internal static X509Certificate2? GetEligibleClientCertificate(X509Certificate2Collection candidateCerts)
	{
	if (candidateCerts.Count == 0)
	{
	return null;
	}
	foreach (X509Certificate2 cert in candidateCerts)
	{
	if (!cert.HasPrivateKey)
	{
	if (NetEventSource.Log.IsEnabled())
	{
	NetEventSource.Info(candidateCerts, $"Skipping current X509Certificate2 {cert.GetHashCode()} since it doesn't have private key. Certificate Subject: {cert.Subject}, Thumbprint: {cert.Thumbprint}.");
	}
	continue;
	}
	if (IsValidClientCertificate(cert))
	{
	if (NetEventSource.Log.IsEnabled())
	{
	NetEventSource.Info(candidateCerts, $"Choosing X509Certificate2 {cert.GetHashCode()} as the Client Certificate. Certificate Subject: {cert.Subject}, Thumbprint: {cert.Thumbprint}.");
	}
	return cert;
	}
	}
	if (NetEventSource.Log.IsEnabled())
	{
	NetEventSource.Info(candidateCerts, "No eligible client certificate found.");
	}
	return null;
	}

S.N.Quic code:

runtime/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs

Lines 57 to 72 in 913facd

	if (options.ClientAuthenticationOptions.ClientCertificates != null)
	{
	foreach (var cert in options.ClientAuthenticationOptions.ClientCertificates)
	{
	try
	{
	if (((X509Certificate2)cert).HasPrivateKey)
	{
	// Pick first certificate with private key.
	certificate = cert;
	break;
	}
	}
	catch { }
	}
	}

It's not the same thing, but there are some some similarities...

[ManickaP]

But @stephentoub is right, new HttpClient + H/3 request will crash anyway. My hack mitigates this only in our tests.

[wfurt]

reverting #56097 was the right choice. Sorry for the mess, I'm not sure how I missed it. The problem with LocalCertificateSelectionCallback is that it is not supported by MsQuic. so We either need to go back to ignoring it or fix the tests.

[ManickaP]

This still will need follow up in our code, since HttpClientHandler uses LocalCertificateSelectionCallback internally in ClientCertificateOptions:

runtime/src/libraries/System.Net.Http/src/System/Net/Http/HttpClientHandler.cs

Lines 244 to 275 in b823f14

	public ClientCertificateOption ClientCertificateOptions
	{
	get => _clientCertificateOptions;
	set
	{
	switch (value)
	{
	case ClientCertificateOption.Manual:
	#if TARGET_BROWSER
	_clientCertificateOptions = value;
	#else
	ThrowForModifiedManagedSslOptionsIfStarted();
	_clientCertificateOptions = value;
	_underlyingHandler.SslOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) => CertificateHelper.GetEligibleClientCertificate(ClientCertificates)!;
	#endif
	break;
	case ClientCertificateOption.Automatic:
	#if TARGET_BROWSER
	_clientCertificateOptions = value;
	#else
	ThrowForModifiedManagedSslOptionsIfStarted();
	_clientCertificateOptions = value;
	_underlyingHandler.SslOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) => CertificateHelper.GetEligibleClientCertificate()!;
	#endif
	break;
	default:
	throw new ArgumentOutOfRangeException(nameof(value));
	}
	}
	}

Thus it gets sets indirectly and user might not have a clue what set off the check.

@wfurt Do you have any ideas how to solve this somewhat nicely?

[ghost]

Hello @ManickaP!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

Do note that I've been instructed to only help merge pull requests of this repository that have been opened for at least 10 minutes, a condition that will be fulfilled in about 94 seconds. No worries though, I will be back when the time is right! 😉

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

[karelz]

Closing in favor of revert PR #56097, which has been merged -- see above discussion.