Skip to content

Added option to specify ClientCertificateContext in .NET 8+#1866

Merged
lukebakken merged 1 commit intorabbitmq:mainfrom
tyb-dev:feat/ssl-clientcert-chain
Nov 5, 2025
Merged

Added option to specify ClientCertificateContext in .NET 8+#1866
lukebakken merged 1 commit intorabbitmq:mainfrom
tyb-dev:feat/ssl-clientcert-chain

Conversation

@tyb-dev
Copy link
Copy Markdown
Contributor

@tyb-dev tyb-dev commented Sep 5, 2025

Proposed Changes

This allows clients to send the full intermediate chain during the TLS handshake instead of relying on OS stores or AIA fetches, addressing issue #1864. It improves interoperability when servers don’t have intermediates installed or when environments lack internet access.
Keep behavior unchanged for netstandard2.0; the new API is only compiled for net8.0.
Split Public API “Unshipped” files per TFM and wire them via AdditionalFiles to satisfy the PublicApiAnalyzer for both net8.0 and netstandard2.0.

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes issue #NNNN)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • Documentation improvements (corrections, new content, etc)
  • Cosmetic change (whitespace, formatting, etc)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask on the
mailing list. We're here to help! This is simply a reminder of what we are
going to look for before merging your code.

  • I have read the CONTRIBUTING.md document
  • I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq)
  • All tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in related repositories

Further Comments

N/A

@tyb-dev
Copy link
Copy Markdown
Contributor Author

tyb-dev commented Sep 5, 2025

I haven't signed the CA yet. If there's interest in this change, I'm happy to sign it so this PR can proceed.

@michaelklishin
Copy link
Copy Markdown
Contributor

michaelklishin commented Sep 5, 2025

@tyb-dev I definitely think there is interest in supporting this option (conditionally, on .NET 8+). Thank you!

Please email us as described in the contributor CLA repo and we will send you a Box Sign signature request.

@lukebakken lukebakken self-requested a review September 5, 2025 16:43
@lukebakken lukebakken self-assigned this Sep 5, 2025
@lukebakken lukebakken added this to the 7.2.0 milestone Sep 5, 2025
@lukebakken lukebakken mentioned this pull request Oct 31, 2025
Closed
@lukebakken lukebakken removed this from the 7.2.0 milestone Nov 3, 2025
@lukebakken lukebakken closed this Nov 4, 2025
@lukebakken lukebakken reopened this Nov 4, 2025
lukebakken
lukebakken requested changes Nov 4, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@lukebakken lukebakken left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A test is required. If you'd like to get the skeleton of a test in place in the projects\Test\Integration\TestSsl.cs file I can ensure the correct certs are in place for CI runs.

@lukebakken lukebakken added this to the 7.2.0 milestone Nov 4, 2025
@lukebakken lukebakken force-pushed the feat/ssl-clientcert-chain branch 3 times, most recently from c3995bd to 9849f55 Compare November 5, 2025 20:28
@tyb-dev @lukebakken
Add option to specify ClientCertificateContext in .NET
c91c7f5 
Fixes rabbitmq#1864

.NET supports the ability to supply intermediate certificates as well as
the client certificate during mTLS setup. Without support for
`ClientCertificateContext`, users must ensure that intermediate certs
are available in the system cert store for the .NET runtime to find.

These changes use certificates generated via `rabbitmq/tls-gen` using
this command:

```
make CN=localhost -C one_intermediate
```

All SSL tests now provide a client certificate, because the RabbitMQ
configuration has changed to require them via via...

```
ssl_options.fail_if_no_peer_cert = true
```
@lukebakken lukebakken force-pushed the feat/ssl-clientcert-chain branch from 9849f55 to c91c7f5 Compare November 5, 2025 21:10
@lukebakken lukebakken merged commit afae979 into rabbitmq:main Nov 5, 2025
5 checks passed
This was referenced Nov 7, 2025
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Closed
Merged
Merged
Merged
This was referenced Nov 28, 2025
Open
Closed
Merged
Closed
Closed
This was referenced Dec 7, 2025
Merged
Merged
Closed
Merged
Closed
This was referenced Dec 26, 2025
Merged
Open
This was referenced Jan 9, 2026
Merged
Merged
Merged
@dependabot dependabot Bot mentioned this pull request Jan 26, 2026
Merged
@dependabot dependabot Bot mentioned this pull request Feb 4, 2026
Merged
This was referenced Feb 26, 2026
Closed
Closed
Open
@dependabot dependabot Bot mentioned this pull request Mar 9, 2026
Closed
This was referenced Mar 23, 2026
Closed
Merged
This was referenced Apr 7, 2026
Closed
Open
Closed
This was referenced Apr 17, 2026
Closed
Open
@dependabot dependabot Bot mentioned this pull request Apr 24, 2026
Closed
@dependabot dependabot Bot mentioned this pull request May 1, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukebakken lukebakken lukebakken approved these changes

Assignees

@lukebakken lukebakken

Labels

None yet

Projects

None yet

Milestone

7.2.0

Development

Successfully merging this pull request may close these issues.

3 participants

@tyb-dev @michaelklishin @lukebakken