
My client application calls an Azure App Service with HttpClient. Something like this:

```csharp
HttpClientHandler handler = new HttpClientHandler();

// certificateNeeded is a placeholder for the check this question asks about:
// "I detect a certificate is needed".
if (certificateNeeded)
{
    handler.ClientCertificates.Add(cert);
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;
}

var client = new HttpClient(handler);
var result = await client.GetAsync("http://www.contoso.com/");
```

I only want to add the client certificate if I can detect the page needs it. For instance, if you paste a URL into a browser that needs client certificates, the browser offers a selection of certificates the user can choose. I have a certificate list in my app too, but only want to show it if the server needs it.

I can call the server and get back a 403, then provide my list. However, it could be a 403 for other authentication reasons, so that would be misleading.

I guess I'm asking - "How do browsers detect a URL requires a client certificate?"

Thanks

user2081514
  • I don't think browsers detect this, do they? You would just get an error response if you're not properly authenticated. I might be wrong though. Do you control those sites? Then send a custom response. If not, you probably have a list of sites that use a client cert. The code should be `403.7 Forbidden: Client certificate required` – Charles Dec 17 '21 at 21:24
  • Thanks Charles. I've put up the server page in Azure so you can see an example: https://integrationhosttest.azurewebsites.net It gets a response status of 403. It doesn't get the 7. Try the page in a browser and you'll be prompted for a cert. – user2081514 Dec 17 '21 at 22:17
  • The way browsers support it is they try without, get an error, show the UI, then try again, I think. You can confirm with a tool like Wireshark. – Scott Chamberlain Dec 17 '21 at 23:19
  • Do you know how the error page is generated? Because the error message is clear that it is a 403.7, as said by @ScottChamberlain. But the response header displays only 403. It seems some HttpResponse objects have a [SubStatusCode](https://learn.microsoft.com/en-us/dotnet/api/system.web.httpresponse.substatuscode?view=netframework-4.8&viewFallbackFrom=net-6.0). If you have control over the response generated by the app, you could add a header with the complete status code, and read it on the client. – Hazrelle Dec 18 '21 at 00:31
  • Thank you all. Yes, I'm trying to do it the way Scott suggested, however, as Hazrelle said, I only get a 403 (not a 403.7). I can't see that the server provides a SubStatusCode. It is Azure that returns it, but I really want to make this generic. Without the 403.7 I can't specifically determine if it's a client certificate error. I note that the HTML says it's a certificate error in plain English. I could use that, but then wouldn't it fail on non-English servers? – user2081514 Dec 19 '21 at 19:57
