Description
During client certificate authentication, it is necessary in certain scenarios to configure a trusted certificate authority (CA) list. This trusted CA list is carried in the Distinguished Names field of the Certificate Request message of the TLS handshake.
In .NET 6.0, the ability to configure the Distinguished Names list was added to SslStream via #45456. The trusted CA list is set using any machine store on the server, as shown here.
However, for servers using SslStream, in addition to the CA list from the configured store, there is an additional "NT AUTHORITY" string in the Distinguished Names during the TLS handshake. This is unexpected and breaks clients, especially in scenarios where the intention is to send an empty Distinguished Names list in the TLS handshake.
The trace below shows the expected behavior when the intention is to send an empty CA list in the Distinguished Names. (This trace was collected on http.sys, not SslStream.)
The snippet below shows frame 55 from the attached Wireshark capture. There are zero entries in the Distinguished Names because the CA list was configured with an empty store.
The snippet below shows the EmptyCTL store on the server that was used to configure the CA list.
On SslStream, the trace below shows the unexpected behavior when the Distinguished Names list is configured with an empty list. As shown, the Distinguished Names list is not empty; it contains the string "NT AUTHORITY".
This breaks the scenario, and the client does not send any certificate in the Certificate message of the TLS handshake, as shown below.
The expectation is to be able to configure the CA list from the contents of the stores only and not have any additional strings (such as "NT AUTHORITY") in the Distinguished Names during the TLS handshake.
Wireshark logs: serverhello.zip
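As an added example (not code from this issue or from dotnet/runtime), the following loopback probe sets up an SslStream server the way the report describes, using the .NET 6 SslCertificateTrust API over the "EmptyCTL" LocalMachine store, and reads back the Distinguished Names the client actually received via the acceptableIssuers argument of the client's selection callback. It assumes that SslCertificateTrust.CreateForX509Store is the mechanism behind the configuration shown in the report's screenshot, and the PFX path and password are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
static class TrustListProbe
{
    // Server side: the CertificateRequest DN list is built from the "EmptyCTL" LocalMachine store (empty, as in the report).
    static SslServerAuthenticationOptions ServerOptions(X509Certificate2 serverCert)
    {
        var store = new X509Store("EmptyCTL", StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var trust = SslCertificateTrust.CreateForX509Store(store, sendTrustInHandshake: true);
        return new SslServerAuthenticationOptions
        {
            ServerCertificateContext = SslStreamCertificateContext.Create(serverCert, null, false, trust),
            ClientCertificateRequired = true,
            RemoteCertificateValidationCallback = (_, _, _, _) => true, // probe only: accept anything
        };
    }
    // One loopback handshake; returns the issuer DNs the client decoded from the CertificateRequest.
    static async Task<string[]> ProbeAsync(X509Certificate2 serverCert)
    {
        string[] seen = Array.Empty<string>();
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        Task server = Task.Run(async () =>
        {
            using TcpClient s = await listener.AcceptTcpClientAsync();
            using var ssl = new SslStream(s.GetStream());
            await ssl.AuthenticateAsServerAsync(ServerOptions(serverCert));
        });
        using var c = new TcpClient();
        await c.ConnectAsync(IPAddress.Loopback, ((IPEndPoint)listener.LocalEndpoint).Port);
        using var client = new SslStream(c.GetStream());
        await client.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
        {
            TargetHost = "localhost",
            RemoteCertificateValidationCallback = (_, _, _, _) => true, // probe only
            // acceptableIssuers is the DN list from the handshake; record it and send no certificate
            LocalCertificateSelectionCallback = (_, _, _, _, issuers) => { seen = issuers; return null; },
        });
        await server;
        listener.Stop();
        return seen;
    }
    static async Task Main() => // "server.pfx" is a placeholder: any server certificate with a private key
        Console.WriteLine("Issuer DNs sent: [" + string.Join("; ", await ProbeAsync(new X509Certificate2("server.pfx", "<password>"))) + "]");
}
```

With the store empty, the expected output is an empty list; a list containing "NT AUTHORITY" reproduces the behavior this issue reports.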