Reputation: 245
I use HttpClient to talk to my WebAPI service. For SSL authentication, I set up the client certificates on the HttpClient using WebRequestHandler:

```csharp
private static WebRequestHandler CreateWebRequestHandler(List<X509Certificate2> clientCertificates)
{
    WebRequestHandler handler = new WebRequestHandler();
    if (clientCertificates != null && clientCertificates.Any())
    {
        // Manual: present the certificates from this collection instead of
        // letting the handler pick one from the current user's store.
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;
        clientCertificates.ForEach(cert => handler.ClientCertificates.Add(cert));
    }
    return handler;
}
```
On the Service, I have a custom DelegatingHandler to validate the client certificates using thumbprint:

```csharp
protected override async Task<HttpResponseMessage> SendAsync(
    HttpRequestMessage request,
    CancellationToken cancellationToken)
{
    // The request carries at most one client certificate (null if none was presented).
    X509Certificate2 certificate = request.GetClientCertificate();
    // Validate the certificate's thumbprint against the white-listed thumbprints
    // (_allowedThumbprints: a HashSet<string> built with StringComparer.OrdinalIgnoreCase).
    if (certificate == null || !_allowedThumbprints.Contains(certificate.Thumbprint))
    {
        return request.CreateResponse(HttpStatusCode.Forbidden);
    }
    return await base.SendAsync(request, cancellationToken);
}
```
From the HttpRequest, I can get only one client certificate.
My question: Why does WebRequestHandler allow a collection of ClientCertificates to be set? Does it present all the client certificates to the server? If yes, then how do I get the list of client certificates in the DelegatingHandler?
Upvotes: 1
Views: 2052
Reputation: 265
Actually, only one certificate is sent to the server by a client during the TLS/SSL handshake, and that is the one you obtain on the server. The process of choosing this certificate is well described here.
Briefly, the explanation is: the client will choose the best suitable certificate from the X509CertificateCollection by looking for a match between the list of certificate issuers provided by the server and the client certificate's issuer name. The first certificate that matches is sent to the server. If no certificate matches or the certificate collection is empty, then an anonymous credential is sent to the server. The deeper mechanism of how TLS/SSL works is described in a good manner here.
Upvotes: 2
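The selection rule the answer describes, and the single-certificate check the question's DelegatingHandler performs, can be modelled end to end. The following is an added example, not code from the question, the answer or .NET: it simulates the client walking its certificate collection in order against the issuer list the server sends in its CertificateRequest, then the server comparing the one presented certificate's thumbprint against an allowlist. The `ClientCert` records, their DER bytes and the issuer names are all constructed for the illustration; real DN matching is more involved than the string comparison used here, and `SERVER_ACCEPTABLE_ISSUERS`, `CLIENT_COLLECTION` and `_ALLOWED_THUMBPRINTS` are assumed names.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ClientCert:
    """Constructed stand-in for an X509Certificate2: only the fields the selection needs."""
    subject: str
    issuer: str
    der: bytes                 # constructed placeholder for the DER encoding
    has_private_key: bool = True

    @property
    def thumbprint(self) -> str:
        # .NET's Thumbprint is the upper-case hex SHA-1 of the DER encoding.
        return hashlib.sha1(self.der).hexdigest().upper()


def select_client_certificate(collection: Sequence[ClientCert],
                              acceptable_issuers: Sequence[str]) -> Optional[ClientCert]:
    """Model of the client-side rule from the answer: walk the collection in
    order and return the first certificate whose issuer is in the server's list.
    Returns None when nothing matches, i.e. the client sends no certificate.
    A certificate without its private key cannot sign CertificateVerify, so it
    is skipped (simplified: exact issuer string comparison, no DN canonicalisation)."""
    wanted = set(acceptable_issuers)
    for cert in collection:
        if cert.has_private_key and cert.issuer in wanted:
            return cert
    return None


def server_accepts(presented: Optional[ClientCert], allowed_thumbprints: Sequence[str]) -> bool:
    """Server-side allowlist check like the question's handler: the server sees
    exactly one certificate (or none) and compares its thumbprint to the list.
    Comparison is case-insensitive and constant-time."""
    if presented is None:
        return False
    actual = presented.thumbprint.encode()
    return any(hmac.compare_digest(actual, t.upper().encode()) for t in allowed_thumbprints)


# Constructed sample data: one certificate from an unrelated CA and two from the CA
# the server trusts. The server only announces the corporate issuing CA.
CERT_OTHER_CA = ClientCert("CN=svc-client", "CN=Some Public CA", b"der-other")
CERT_CORP_A = ClientCert("CN=svc-client-a", "CN=Corp Issuing CA", b"der-corp-a")
CERT_CORP_B = ClientCert("CN=svc-client-b", "CN=Corp Issuing CA", b"der-corp-b")
CLIENT_COLLECTION = [CERT_OTHER_CA, CERT_CORP_A, CERT_CORP_B]
SERVER_ACCEPTABLE_ISSUERS = ["CN=Corp Issuing CA"]
# The server's allowlist (constructed) only knows the second corporate certificate.
_ALLOWED_THUMBPRINTS = [CERT_CORP_B.thumbprint]


def handshake_outcome() -> str:
    """Run the simulated handshake and report what happens to the request."""
    chosen = select_client_certificate(CLIENT_COLLECTION, SERVER_ACCEPTABLE_ISSUERS)
    if chosen is None:
        return "no certificate presented -> 403"
    verdict = "200" if server_accepts(chosen, _ALLOWED_THUMBPRINTS) else "403"
    return f"presented {chosen.subject} (issuer {chosen.issuer}) -> {verdict}"


if __name__ == "__main__":
    print(handshake_outcome())
```

Running the module shows the point of the answer: even though CERT_CORP_B is in the client's collection and on the server's allowlist, the client presents CERT_CORP_A because it is the first issuer match, and the request is refused. Only the order of the collection, or the server's issuer list, decides which single certificate reaches the DelegatingHandler.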