Add capability for mutual tls authentication #582
Merged
geoperez merged 3 commits into unosquare:v3.X from Dec 16, 2025
geoperez
approved these changes
Jul 17, 2024
Contributor
Pull Request Overview
This PR adds mutual TLS authentication capability to EmbedIO, allowing servers to validate client certificates during the SSL/TLS handshake. This was previously impossible to implement via extensions due to missing SslStream configuration options.
Key Changes:
- Added `ClientCertificateValidationCallback` property to `WebServerOptions` and `HttpListener` for configuring client certificate validation
- Modified SSL stream initialization to request and validate client certificates when a validation callback is configured
- Added comprehensive test coverage for mutual TLS scenarios including certificate acceptance, anonymous connections, and certificate rejection
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| test/EmbedIO.Tests/HttpsTest.cs | Added three test cases covering mutual TLS scenarios: accepting known certificates, allowing anonymous connections, and rejecting unknown certificates |
| test/EmbedIO.Tests/EmbedIO.Tests.csproj | Added content include for SSL certificate files used in tests |
| src/EmbedIO/WebServerOptionsExtensions.cs | Added extension method WithClientCertificateValidation for fluent configuration of client certificate validation |
| src/EmbedIO/WebServerOptions.cs | Added ClientCertificateValidationCallback property to store the validation callback |
| src/EmbedIO/WebServer.cs | Updated HttpListener instantiation to pass the client certificate validation callback |
| src/EmbedIO/Net/Internal/HttpListenerRequest.cs | Modified IsAuthenticated property to check for mutual authentication via SslStream |
| src/EmbedIO/Net/Internal/HttpConnection.cs | Updated SSL stream initialization to enable client certificate requests and validation |
| src/EmbedIO/Net/HttpListener.cs | Added constructor parameter and internal property for client certificate validation callback |
Remove useless console.log Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Grammar Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
We need mutual TLS authentication for a project, so I thought I'd give it a try.
Since it requires the SslStream to have some missing options, this wasn't possible to achieve with an extension.
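
The three scenarios the tests cover (known certificate accepted, anonymous connection, unknown certificate rejected) all come down to what the validation callback returns. The following is an added example, not code from this PR or from EmbedIO: a validator with the signature of .NET's `RemoteCertificateValidationCallback`. The class names, the SHA-256 pinning policy and the idea that `ClientCertificateValidationCallback` accepts this delegate type are assumptions of the example.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not EmbedIO code. Assumption: the server option accepts a
// System.Net.Security.RemoteCertificateValidationCallback such as Validate below.
public sealed class PinnedClientCertValidator
{
    private readonly HashSet<string> _pins;   // hex SHA-256 of the DER-encoded certificate
    private readonly bool _allowAnonymous;

    public PinnedClientCertValidator(IEnumerable<string> sha256Pins, bool allowAnonymous) =>
        (_pins, _allowAnonymous) =
            (new HashSet<string>(sha256Pins, StringComparer.OrdinalIgnoreCase), allowAnonymous);

    public static string Pin(X509Certificate cert)
    {
        using var sha = SHA256.Create();
        return BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
    }

    public bool Validate(object sender, X509Certificate? cert, X509Chain? chain, SslPolicyErrors errors)
    {
        // No client certificate was sent: accept only when anonymous access is intended.
        if (cert is null) return _allowAnonymous;
        // Pinning policy: chain errors are deliberately ignored (pinned certificates may be
        // self-signed), so the pin and the validity window are the whole decision.
        using var c2 = new X509Certificate2(cert);
        var now = DateTime.Now;               // NotBefore/NotAfter are local time
        return now >= c2.NotBefore && now <= c2.NotAfter && _pins.Contains(Pin(cert));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample certificates, generated in memory for this demo only.
        using var key = RSA.Create(2048);
        X509Certificate2 Make(string cn) => new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256,
            RSASignaturePadding.Pkcs1).CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30));
        using var known = Make("known-client");
        using var unknown = Make("unknown-client");
        var v = new PinnedClientCertValidator(new[] { PinnedClientCertValidator.Pin(known) }, allowAnonymous: false);
        RemoteCertificateValidationCallback cb = v.Validate;
        Console.WriteLine(cb(new object(), known, null, SslPolicyErrors.RemoteCertificateChainErrors));
        Console.WriteLine(cb(new object(), unknown, null, SslPolicyErrors.RemoteCertificateChainErrors));
        Console.WriteLine(cb(new object(), null, null, SslPolicyErrors.RemoteCertificateNotAvailable));
    }
}
```

A callback that simply returns `true` accepts every client, including one that sends no certificate, so the `cert is null` branch is the place where "anonymous allowed" has to be an explicit decision.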