@bdurrer
@bdurrer bdurrer commented Jun 5, 2023

We need mutual TLS authentication for a project, so I thought I'd give it a try.
Since it requires the SslStream to have some missing options, this wasn't possible to achieve with an extension.

@geoperez geoperez requested a review from Copilot October 21, 2025 15:27
Copilot AI left a comment

Pull Request Overview

This PR adds mutual TLS authentication capability to EmbedIO, allowing servers to validate client certificates during the SSL/TLS handshake. This was previously impossible to implement via extensions due to missing SslStream configuration options.

Key Changes:

  • Added ClientCertificateValidationCallback property to WebServerOptions and HttpListener for configuring client certificate validation
  • Modified SSL stream initialization to request and validate client certificates when a validation callback is configured
  • Added comprehensive test coverage for mutual TLS scenarios including certificate acceptance, anonymous connections, and certificate rejection

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

| File | Description |
|------|-------------|
| test/EmbedIO.Tests/HttpsTest.cs | Added three test cases covering mutual TLS scenarios: accepting known certificates, allowing anonymous connections, and rejecting unknown certificates |
| test/EmbedIO.Tests/EmbedIO.Tests.csproj | Added content include for SSL certificate files used in tests |
| src/EmbedIO/WebServerOptionsExtensions.cs | Added extension method WithClientCertificateValidation for fluent configuration of client certificate validation |
| src/EmbedIO/WebServerOptions.cs | Added ClientCertificateValidationCallback property to store the validation callback |
| src/EmbedIO/WebServer.cs | Updated HttpListener instantiation to pass the client certificate validation callback |
| src/EmbedIO/Net/Internal/HttpListenerRequest.cs | Modified IsAuthenticated property to check for mutual authentication via SslStream |
| src/EmbedIO/Net/Internal/HttpConnection.cs | Updated SSL stream initialization to enable client certificate requests and validation |
| src/EmbedIO/Net/HttpListener.cs | Added constructor parameter and internal property for client certificate validation callback |
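
An added example, not code from this pull request or from EmbedIO: a client certificate validation callback of the standard .NET `RemoteCertificateValidationCallback` shape, showing the three outcomes the tests above cover (known certificate accepted, unknown rejected, no certificate presented). The class name, the `AcceptAsync` helper and the pinned fingerprint are hypothetical, and it assumes trust is established by pinning rather than by chain validation.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Hypothetical helper for illustration; not part of EmbedIO.
public static class ClientCertPolicy
{
    // Constructed placeholder: SHA-256 fingerprints (hex) of trusted client certificates.
    static readonly HashSet<string> Pinned =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "<SHA256-FINGERPRINT-OF-KNOWN-CLIENT-CERT>",
        };

    // Matches System.Net.Security.RemoteCertificateValidationCallback.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // No certificate presented: reject, so anonymous clients fail the handshake.
        // Returning true here instead would admit them unauthenticated.
        if (certificate == null)
            return false;

        // Assumption: pinning replaces chain trust, so chain errors are not
        // consulted; the validity period is still checked explicitly.
        var cert = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        var now = DateTime.Now; // NotBefore/NotAfter are expressed in local time
        if (now < cert.NotBefore || now > cert.NotAfter)
            return false;

        // Unknown certificates are rejected; only pinned fingerprints pass.
        return Pinned.Contains(cert.GetCertHashString(HashAlgorithmName.SHA256));
    }

    // Server side of the handshake: request a client certificate and run Validate on it.
    public static async Task<SslStream> AcceptAsync(Stream transport, X509Certificate2 serverCert)
    {
        var ssl = new SslStream(transport, false, Validate);
        await ssl.AuthenticateAsServerAsync(serverCert,
            clientCertificateRequired: true, checkCertificateRevocation: false);
        return ssl;
    }
}
```

After a successful handshake, `SslStream.IsMutuallyAuthenticated` reports whether both sides presented a certificate, which is the check a request-level `IsAuthenticated` flag can rely on.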

bdurrer and others added 2 commits October 21, 2025 19:41
Remove useless console.log

Co-authored-by: Copilot <[email protected]>