Using an mTLS setup and getting a list of `acceptableIssuers` from the `LocalCertificateSelectionCallback` at the client application works great on Windows, but fails on Linux. This is a sample application that reproduces that issue for the following system configuration.
- Ubuntu 20.04
- .NET 5.0.201
- OpenSSL 1.1.1f 31 Mar 2020
During debugging I figured out that on Windows the method `InitializeSecurityContext` returns `SecurityStatusPalErrorCode.CredentialsNeeded` (when appropriate). As a consequence, the `LocalCertificateSelectionCallback` is called a second time with proper content of acceptable issuers. When looking at the `InitializeSecurityContext` or `HandshakeInternal` routine on Linux, it never returns `SecurityStatusPalErrorCode.CredentialsNeeded`. Instead it returns `SecurityStatusPalErrorCode.ContinueNeeded`, which does not trigger `LocalCertificateSelectionCallback`. Hence, there's no second invocation of `LocalCertificateSelectionCallback`.
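Added illustration (not the sample application from the repository and not dotnet/runtime code): a self-contained loopback reproducer for the behaviour described above. The server requires a client certificate, and the client's `LocalCertificateSelectionCallback` logs every invocation together with whatever `acceptableIssuers` it receives, so the number of invocations can be compared across Windows and Linux. The class name `AcceptableIssuersProbe`, the CA and subject names, and the in-memory throwaway certificates are my own constructed test data.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Loopback mTLS probe (example code, not the repository's sample): the server requires a
// client certificate, the client logs each LocalCertificateSelectionCallback invocation.
class AcceptableIssuersProbe
{
    // Generates a throwaway CA and one leaf issued by it, entirely in memory (constructed test data).
    static (X509Certificate2 ca, X509Certificate2 leaf) MakeChain(string caName, string leafName, string ekuOid)
    {
        using var caKey = RSA.Create(2048);
        var caReq = new CertificateRequest($"CN={caName}", caKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
        using var ca = caReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

        using var leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest($"CN={leafName}", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        leafReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(ekuOid) }, false));
        var serial = new byte[8];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the serial number positive
        using var leafPublic = leafReq.Create(ca, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(29), serial);
        using var leafWithKey = leafPublic.CopyWithPrivateKey(leafKey);

        // PFX round-trip: SChannel on Windows cannot use the ephemeral key CopyWithPrivateKey leaves behind.
        return (new X509Certificate2(ca.Export(X509ContentType.Cert)),
                new X509Certificate2(leafWithKey.Export(X509ContentType.Pfx)));
    }

    // Accepts a certificate only if it chains to the given throwaway CA; system roots are ignored.
    static bool IssuedBy(X509Certificate cert, X509Certificate2 ca)
    {
        if (cert == null) return false;
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(new X509Certificate2(cert));
    }

    static async Task RunServerAsync(TcpListener listener, X509Certificate2 serverCert, X509Certificate2 clientCa)
    {
        using var tcp = await listener.AcceptTcpClientAsync();
        using var ssl = new SslStream(tcp.GetStream(), false);
        await ssl.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
        {
            ServerCertificate = serverCert,
            ClientCertificateRequired = true, // makes the server send a CertificateRequest
            RemoteCertificateValidationCallback = (sender, cert, chain, errors) => IssuedBy(cert, clientCa),
        });
        Console.WriteLine($"server: client presented {(ssl.RemoteCertificate == null ? "no certificate" : ssl.RemoteCertificate.Subject)}");
    }

    static async Task RunClientAsync(int port, X509Certificate2 clientCert, X509Certificate2 serverCa)
    {
        int calls = 0;
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(IPAddress.Loopback, port);
        using var ssl = new SslStream(tcp.GetStream(), false);
        await ssl.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
        {
            TargetHost = "localhost",
            ClientCertificates = new X509CertificateCollection { clientCert },
            RemoteCertificateValidationCallback = (sender, cert, chain, errors) => IssuedBy(cert, serverCa),
            LocalCertificateSelectionCallback = (sender, host, local, remote, acceptableIssuers) =>
            {
                acceptableIssuers ??= Array.Empty<string>();
                calls++;
                Console.WriteLine($"client: selection callback #{calls}, server cert {(remote == null ? "not yet seen" : "seen")}, " +
                                  $"{acceptableIssuers.Length} acceptable issuer(s)");
                foreach (var issuer in acceptableIssuers) Console.WriteLine($"  issuer: {issuer}");
                // Prefer a certificate whose issuer the server named; otherwise fall back to the first one configured.
                foreach (X509Certificate c in local)
                    if (Array.IndexOf(acceptableIssuers, c.Issuer) >= 0) return c;
                return local.Count > 0 ? local[0] : null;
            },
        });
        Console.WriteLine($"client: handshake done after {calls} callback invocation(s); " +
                          $"client certificate {(ssl.LocalCertificate == null ? "not sent" : "sent")}");
    }

    static async Task Main()
    {
        var (serverCa, serverCert) = MakeChain("Probe Server CA", "localhost", "1.3.6.1.5.5.7.3.1");   // serverAuth EKU
        var (clientCa, clientCert) = MakeChain("Probe Client CA", "probe-client", "1.3.6.1.5.5.7.3.2"); // clientAuth EKU
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        var server = RunServerAsync(listener, serverCert, clientCa);
        await RunClientAsync(port, clientCert, serverCa);
        await server;
        listener.Stop();
    }
}
```

Drop the file into a `net5.0` console project and `dotnet run` it on each platform, then compare how many times the callback fires and what `acceptableIssuers` contains on each invocation. The issuer list itself comes from the platform TLS stack and the trust store it is configured with, so an empty list on the very first invocation (before any server message has been seen) is expected on both platforms; the second invocation, once the server's CertificateRequest has arrived, is the one the report above says never happens on Linux.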
This issue is discussed here: