Invalid client certificates and AWS API Gateway #28088

Closed
AlphaGit opened this issue Dec 6, 2018 · 3 comments
AlphaGit commented Dec 6, 2018

Hi there! I've been debugging for a while since I was not able to get my SSL Client Certificates to be available in my HttpContext.Connection.ClientCertificate.

I've come across #26531 which explains why some certificates are not included at all in the request information.

And yet, I have a use case: the client certificates generated by AWS API Gateway do not have the required properties, are self-signed and as such will never appear in .NETCore hosted apps.

I'm including an example certificate generated by AWS API Gateway so you can inspect it in detail:

I have no authority to dictate what .NETCore should do, but aside from asking how to allow .NETCore apps to verify that the caller is indeed AWS API Gateway, here are a few ideas that I think could help others (even in the case of self-signing for local testing):

  • Maybe we could include an option so that invalid certificates are not automatically discarded, but rather included in the request information?
  • Maybe we could include an option so that client certificates are not automatically checked?
  • Maybe we could include the rejected SSL certificates somewhere in the HTTP context?
  • Maybe there's a workaround I didn't know about?

Let me know what you think good next steps should be -- anyway, thank you for your time, and thanks for the .NETCore effort! It's incredible and better every day!
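
The following is an added example, not part of the original issue and not code from any participant or from the .NET project: one way a Kestrel-hosted ASP.NET Core app can accept a self-signed client certificate yet still verify the caller, by replacing the default chain check with a pin on one certificate's SHA-256 thumbprint. It assumes the app terminates TLS itself on Kestrel with a server certificate already configured; `PinnedSha256` and `IsPinnedGatewayCert` are hypothetical names, and the thumbprint is a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Https;

public static class Program
{
    // Placeholder, not a real value: SHA-256 thumbprint (hex) of the client
    // certificate generated for the API Gateway stage.
    private const string PinnedSha256 = "REPLACE_WITH_SHA256_THUMBPRINT_HEX";

    // Accept only the single pinned certificate, and only inside its validity
    // window. The chain errors reported for a self-signed certificate are
    // deliberately ignored, so this pin is the entire trust decision.
    public static bool IsPinnedGatewayCert(X509Certificate2 cert)
    {
        if (cert == null) return false;
        var now = DateTime.Now; // NotBefore/NotAfter are expressed in local time
        if (now < cert.NotBefore || now > cert.NotAfter) return false;
        var actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseKestrel(kestrel => kestrel.ConfigureHttpsDefaults(https =>
            {
                // Fail the handshake when the client presents no certificate.
                https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
                // With a callback set, its result replaces the default check.
                https.ClientCertificateValidation =
                    (cert, chain, errors) => IsPinnedGatewayCert(cert);
            }))
            .Configure(app => app.Run(ctx =>
                // The accepted certificate is now visible to request handlers.
                ctx.Response.WriteAsync("Caller: " + ctx.Connection.ClientCertificate?.Subject)))
            .Build()
            .Run();
}
```

A callback that returns `true` unconditionally would surface any certificate in `HttpContext.Connection.ClientCertificate` but authenticate no one, so the pin (or an equivalent allow-list) has to stay in place.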

karelz commented Dec 9, 2018

Which APIs are causing you troubles? HttpContext is part of ASP.NET, not part of CoreFX.

karelz commented Dec 12, 2018

Looks like it's a better fit for ASP.NET. Closing.
Let me know if I missed anything, or if there are more details and we should reopen.

@karelz karelz closed this as completed Dec 12, 2018
@AlphaGit
Author

@karelz Sorry for taking so long to respond. Nope -- you're right. It is even possible I missed some steps that I found out later on.

I'll perform further tests and if the problem still persists I'll open the ticket for ASP.NET and link here. Otherwise, it was all an issue on my side.

Thank you!

@msftgits msftgits transferred this issue from dotnet/corefx Feb 1, 2020
@msftgits msftgits added this to the 3.0 milestone Feb 1, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 14, 2020