
HttpClientHandler always sets LocalCertificateSelectionCallback delegate in SslOptions #75434

@wfurt

Besides extra work, this prevents TLS resume on Linux, so HttpClient won't be able to benefit from #64369.

```csharp
if (sslAuthenticationOptions.IsClient)
{
    // We don't support client resume on old OpenSSL versions.
    // We don't want to try on empty TargetName since that is our key.
    // And we don't want to mess up with client authentication. It may be possible
    // but it seems safe to get full new session.
    if (!Interop.Ssl.Capabilities.Tls13Supported ||
        string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) ||
        sslAuthenticationOptions.CertificateContext != null ||
        sslAuthenticationOptions.CertSelectionDelegate != null)
    {
        cacheSslContext = false;
    }
```

Since the delegate could return a different certificate, we would somehow need to track what was actually selected and resume accordingly (if possible).

It seems like the best option would be to not set the delegate unless there is an actual need, e.g. a client certificate is in use.
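
A sketch of the approach suggested above, as an added example that is not part of the original issue or of dotnet/runtime: the selection callback is attached only when client certificates are actually supplied. `ClientTlsOptions`, `Build` and `EligibleForResume` are hypothetical names, and `EligibleForResume` is a simplified model of the quoted check that assumes the public `LocalCertificateSelectionCallback` maps to the internal `CertSelectionDelegate`.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added illustration; not code from dotnet/runtime. All helper names are hypothetical.
static class ClientTlsOptions
{
    // Builds client TLS options and attaches a certificate selection callback
    // only when the caller supplied at least one client certificate.
    public static SslClientAuthenticationOptions Build(
        string targetHost, X509CertificateCollection? clientCertificates)
    {
        var options = new SslClientAuthenticationOptions { TargetHost = targetHost };
        if (clientCertificates is { Count: > 0 })
        {
            options.ClientCertificates = clientCertificates;
            options.LocalCertificateSelectionCallback =
                (sender, host, localCerts, remoteCert, acceptableIssuers) => localCerts[0];
        }
        return options;
    }

    // Simplified model of the condition quoted in the issue, on public properties only.
    // Assumption: a non-null callback is what makes CertSelectionDelegate non-null.
    // CertificateContext is left out because this sketch never sets it.
    public static bool EligibleForResume(SslClientAuthenticationOptions o, bool tls13Supported) =>
        tls13Supported
        && !string.IsNullOrEmpty(o.TargetHost)
        && o.LocalCertificateSelectionCallback is null;

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate and a test host name.
        using var key = RSA.Create(2048);
        var request = new CertificateRequest(
            "CN=constructed-client", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));

        var anonymous = Build("service.example.test", null);
        var withCert = Build("service.example.test", new X509CertificateCollection { cert });

        Console.WriteLine($"no client cert: resume eligible = {EligibleForResume(anonymous, true)}");
        Console.WriteLine($"client cert:    resume eligible = {EligibleForResume(withCert, true)}");
    }
}
```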

Labels: area-System.Net.Http; enhancement (Product code improvement that does NOT require public API changes/additions); tenet-performance (Performance related issue)
