Add some comments for mutual ssl authentication

justcoding121 · justcoding121 · commit 41c7ae9d076b · 2021-06-14T00:28:11.000-06:00
diff --git a/src/Titanium.Web.Proxy/CertificateHandler.cs b/src/Titanium.Web.Proxy/CertificateHandler.cs
@@ -56,6 +56,14 @@ internal bool ValidateServerCertificate(object sender, SessionEventArgsBase sess
         {
             X509Certificate? clientCertificate = null;
 
+            //TODO: Can we use client certificate from client socket's Sslstream.RemoteCertificate?
+            //Because only the client can provide the correct certificate.
+            //Proxy has no idea about client certificate when its running on a remote machine.
+            //That would mean we need to delay AuthenticateAsServer call with client until we reach this method
+            //and decide right here if we should set SslServerAuthenticationOptions.ClientCertificateRequired = true for clientStream.AuthenticateAsServer call.
+            //Sounds like a very complicated change, but technically possible.
+
+            //fallback to the first client certificate from proxy machine certificate store
             if (acceptableIssuers != null && acceptableIssuers.Length > 0 && localCertificates != null &&
                 localCertificates.Count > 0)
             {
@@ -69,7 +77,9 @@ internal bool ValidateServerCertificate(object sender, SessionEventArgsBase sess
                 }
             }
 
-            if (localCertificates != null && localCertificates.Count > 0)
+            //fallback to the first client certificate from proxy machine certificate store
+            if (clientCertificate == null
+                && localCertificates != null && localCertificates.Count > 0)
             {
                 clientCertificate = localCertificates[0];
             }

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,14 @@ internal bool ValidateServerCertificate(object sender, SessionEventArgsBase sess`
`56`	`56`	`{`
`57`	`57`	`X509Certificate? clientCertificate = null;`
`58`	`58`
	`59`	`+ //TODO: Can we use client certificate from client socket's Sslstream.RemoteCertificate?`
	`60`	`+ //Because only the client can provide the correct certificate.`
	`61`	`+ //Proxy has no idea about client certificate when its running on a remote machine.`
	`62`	`+ //That would mean we need to delay AuthenticateAsServer call with client until we reach this method`
	`63`	`+ //and decide right here if we should set SslServerAuthenticationOptions.ClientCertificateRequired = true for clientStream.AuthenticateAsServer call.`
	`64`	`+ //Sounds like a very complicated change, but technically possible.`
	`65`	`+`
	`66`	`+ //fallback to the first client certificate from proxy machine certificate store`
`59`	`67`	`if (acceptableIssuers != null && acceptableIssuers.Length > 0 && localCertificates != null &&`
`60`	`68`	`localCertificates.Count > 0)`
`61`	`69`	`{`
`@@ -69,7 +77,9 @@ internal bool ValidateServerCertificate(object sender, SessionEventArgsBase sess`
`69`	`77`	`}`
`70`	`78`	`}`
`71`	`79`
`72`		`- if (localCertificates != null && localCertificates.Count > 0)`
	`80`	`+ //fallback to the first client certificate from proxy machine certificate store`
	`81`	`+ if (clientCertificate == null`
	`82`	`+ && localCertificates != null && localCertificates.Count > 0)`
`73`	`83`	`{`
`74`	`84`	`clientCertificate = localCertificates[0];`
`75`	`85`	`}`