AndroidMessageHandler seems to be ignoring ClientCertificates #9576

Closed
nk-alex opened this issue Dec 3, 2024 · 6 comments
Labels
need-attention A xamarin-android contributor needs to review

nk-alex commented Dec 3, 2024

Description

I have an old .NET Framework 4.5 project using HttpClient with HttpClientHandler in order to load a client certificate for the query. This is the code I'm using. It works as expected:

```csharp
var handler = new HttpClientHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls12;
handler.ClientCertificates.Add(new X509Certificate2(certificate, password));

using (var httpClient = new HttpClient(handler))
{
    var httpRequest = new HttpRequestMessage(HttpMethod.Post, uri)
    {
        Content = new StringContent(body, Encoding.UTF8, "text/xml")
    };
    httpRequest.Headers.Add("SOAPAction", action);
    var httpResponse = await httpClient.SendAsync(httpRequest);
}
```

Now I'm trying to recreate that code on my .net 8 MAUI project. I started with the Android specific code:

```csharp
#if ANDROID
var handler = new AndroidMessageHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls12;
handler.ClientCertificates = new X509CertificateCollection { new X509Certificate2(certificate, password) };
#else

#endif

using (var httpClient = new HttpClient(handler))
{
    var httpRequest = new HttpRequestMessage(HttpMethod.Post, uri)
    {
        Content = new StringContent(body, Encoding.UTF8, "text/xml")
    };
    httpRequest.Headers.Add("SOAPAction", action);
    var httpResponse = await httpClient.SendAsync(httpRequest);
}
```

But the web service I'm sending my request to keeps returning 403 - No certificate detected.

  • The web service mentioned above is from a third-party. I don't have control over it.
  • I'm using the same message and certificate on both my .net framework application and MAUI application. Since in .net framework this is working, my best guess is I'm either not using AndroidMessageHandler as intended, or this issue is still around.

Steps to Reproduce

Link to public reproduction project repository

No response

Version with bug

8.0.100 SR10

Is this a regression from previous behavior?

Not sure, did not test other versions

Last version that worked well

Unknown/Other

Affected platforms

Android

Affected platform versions

Android 14

Did you find any workaround?

Relevant log output


@jfversluis jfversluis transferred this issue from dotnet/maui Dec 3, 2024
@dotnet-policy-service dotnet-policy-service bot added the needs-triage Issues that need to be assigned. label Dec 3, 2024
@jpobst
Contributor

jpobst commented Dec 3, 2024

It looks like the fixed issue you reference was fixed in July 2024, so it would likely only be in .NET 9 and not .NET 8.

#8961

Can you try on .NET 9 and see if it works there?

@jpobst jpobst added need-info Issues that need more information from the author. and removed needs-triage Issues that need to be assigned. labels Dec 3, 2024
@nk-alex
Author

nk-alex commented Dec 4, 2024

Hi @jpobst, thanks for the answer.

I updated my project from .NET8 to .NET9 and now the certificate seems to be working as expected.

Since in .NET9 new X509Certificate2(certificate, password) is now obsolete: "Loading certificate data through the constructor or Import is obsolete. Use X509CertificateLoader instead to load certificates."

To load the certificate I had to use X509CertificateLoader.LoadPkcs12FromFile(certificate, password)

Just to know, are there any plans on implementing this solution also for .NET8?

@dotnet-policy-service dotnet-policy-service bot added need-attention A xamarin-android contributor needs to review and removed need-info Issues that need more information from the author. labels Dec 4, 2024
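
The .NET 9 setup described in the comment above, as an added example that is not part of the original thread or of the project's code. The class name `SoapClient`, its method names and its parameters are hypothetical; the checks on the private key and validity period are an addition that surfaces an unusable certificate before the request is sent.

```csharp
// Added example (not from the issue). Assumes .NET 9 for Android.
// SoapClient and its parameter names are hypothetical.
using System;
using System.Net.Http;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Xamarin.Android.Net;

public static class SoapClient
{
    // Loads the PKCS#12 file and rejects it early if it cannot serve as a TLS client certificate.
    public static X509Certificate2 LoadClientCertificate(string pfxPath, string password)
    {
        // Replaces the obsolete X509Certificate2(path, password) constructor.
        var cert = X509CertificateLoader.LoadPkcs12FromFile(pfxPath, password);
        var now = DateTime.Now; // NotBefore/NotAfter are reported in local time
        if (!cert.HasPrivateKey || now < cert.NotBefore || now > cert.NotAfter)
        {
            var reason = cert.HasPrivateKey ? "is outside its validity period" : "has no private key";
            cert.Dispose();
            throw new InvalidOperationException($"Client certificate {reason}.");
        }
        return cert;
    }

    public static async Task<HttpResponseMessage> PostAsync(
        Uri uri, string action, string body, string pfxPath, string password)
    {
        using var cert = LoadClientCertificate(pfxPath, password);
        using var handler = new AndroidMessageHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual,
            SslProtocols = SslProtocols.Tls12,
            ClientCertificates = new X509CertificateCollection { cert },
        };
        using var httpClient = new HttpClient(handler);
        using var request = new HttpRequestMessage(HttpMethod.Post, uri)
        {
            Content = new StringContent(body, Encoding.UTF8, "text/xml"),
        };
        request.Headers.Add("SOAPAction", action);
        // SendAsync buffers the response body by default, so the response
        // remains readable after the client and handler are disposed.
        return await httpClient.SendAsync(request);
    }
}
```
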
@jpobst
Contributor

jpobst commented Dec 4, 2024

> Just to know, are there any plans on implementing this solution also for .NET8?

I will defer to @simonrozsival and @jonpryor about the risk involved with backporting this to .NET 8.

@filipnavara
Member

The implementation on the .NET runtime side needed to add a Java library to handle the callbacks. This was a rather big change that would be non-trivial to backport (especially due to the fact that it required changes across more repositories to account for the extra library).

@jpobst
Contributor

jpobst commented Dec 20, 2024

I think this is our official-ish policy on .NET 8 now, so a backport isn't likely:

> .NET 8 is "done" in that it will probably only get security fixes from now on. .NET 8 Android may/may not have another release.

@jpobst jpobst closed this as completed Dec 20, 2024