Using an mTLS setup and getting a list of acceptableIssuers from the LocalCertificateSelectionCallback at the client application works great on Windows, but fails on Linux. This is a sample application that reproduces that issue for the following system configuration.

• Ubuntu 20.04
• .NET 5.0.201
• OpenSSL 1.1.1f 31 Mar 2020

During debugging I figured out that on Windows the method InitializeSecurityContext returns SecurityStatusPalErrorCode.CredentialsNeeded (when appropriate). As a consequence, the LocalCertificateSelectionCallback is called a second time with proper content of acceptable issuers. When looking at the InitializeSecurityContext or HandshakeInternal routine on Linux, it never returns SecurityStatusPalErrorCode.CredentialsNeeded. Instead it returns SecurityStatusPalErrorCode.ContinueNeeded which does not trigger LocalCertificateSelectionCallback. Hence, there's no second invocation of LocalCertificateSelectionCallback.

This issue is discussed here:

• Unable to get acceptableIssuers from LocalCertificateSelectionCallback on Linux