StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POForcing ASP.NET WebAPI client to send a client certificate even when no CA match
text
Body
copied!<p>I have a specific application that requires the use of client certificates for mutual authentication of HTTPS requests. The server has a flexible certificate validation policy that allows it to accept self-signed client certificates that are not present in the server's certificate store. This is known to work just fine using curl as a client.</p> <p>What I've determined via testing and packet sniffing is that Microsoft's ASP.NET <code>HttpClient</code> tries to be overly smart during the SSL handshake. This particular client will only use a client certificate (from the <code>WebRequestHandler.ClientCertificates</code> collection) if it has chain of trust to one of the server's trusted roots. What I've observed is that if there are no certificates with chain of trust then the client simply won't send a certificate at all during the handshake.</p> <p>This is understandable default behavior but is overly restrictive and there appears to be no way to turn it off. I have experimented with various other <code>WebRequestHandler</code> properties, including <code>AuthenticationLevel</code> and <code>ClientCertificateOptions</code> but to no avail.</p> <p>Is there a way to force <code>HttpClient</code> to send a client certificate when it is available in the <code>ClientCertificates</code> collection, even though it appears that it will not validate on the server side? I'm open to both straightforward and dirty (reflection hacks) solutions as I really need this client to work.</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload