Throws a specific exception when a certificate is needed but not provided by rolfbjarne · Pull Request #24544 · dotnet/macios

rolfbjarne · 2026-01-22T12:03:02Z

This allows the user to detect the specific exception when a certificate is needed and react to it. Exceptions thrown are very similar to what SocketsHttpHandler and other handlers throw, while also following the pattern of other exceptions thrown by NSUrlSessionHandler.

This is a re-creation of #24532 from @dotMorten (due to our CI not being able to build PRs from forks).

Copilot

Pull request overview

This PR adds specific exception handling for scenarios where a server requests a client certificate but none is provided by the application. The implementation throws a structured exception chain (HttpRequestException → WebException → AuthenticationException) to help developers detect and handle missing certificate scenarios programmatically.

Changes:

Modified NSUrlSessionHandler to throw a specific exception when a client certificate is requested but not available
Added an AppContext switch to allow disabling the new behavior for backward compatibility
Added two test methods to validate optional and required certificate scenarios

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File	Description
src/Foundation/NSUrlSessionHandler.cs	Adds exception handling logic when client certificate is missing, with AppContext switch for backward compatibility
tests/monotouch-test/System.Net.Http/MessageHandlers.cs	Adds two test methods: one for optional certificates (should succeed) and one for required certificates (should throw specific exception)

src/Foundation/NSUrlSessionHandler.cs

tests/monotouch-test/System.Net.Http/MessageHandlers.cs

src/Foundation/NSUrlSessionHandler.cs

vs-mobiletools-engineering-service2 · 2026-02-12T14:42:56Z

💻 [CI Build #df9f7f9] Tests on macOS arm64 - Mac Sequoia (15) passed 💻

✅ All tests on macOS arm64 - Mac Sequoia (15) passed.

Pipeline on Agent
Hash: df9f7f93197d59ced9f3ff1e790dfa90bc858910 [PR build]

vs-mobiletools-engineering-service2 · 2026-02-12T14:42:58Z

💻 [CI Build #df9f7f9] Tests on macOS M1 - Mac Monterey (12) passed 💻

✅ All tests on macOS M1 - Mac Monterey (12) passed.

Pipeline on Agent
Hash: df9f7f93197d59ced9f3ff1e790dfa90bc858910 [PR build]

vs-mobiletools-engineering-service2 · 2026-02-12T14:43:39Z

💻 [CI Build #df9f7f9] Tests on macOS X64 - Mac Sonoma (14) passed 💻

✅ All tests on macOS X64 - Mac Sonoma (14) passed.

Pipeline on Agent
Hash: df9f7f93197d59ced9f3ff1e790dfa90bc858910 [PR build]

vs-mobiletools-engineering-service2 · 2026-02-12T14:44:13Z

💻 [CI Build #df9f7f9] Tests on macOS M1 - Mac Ventura (13) passed 💻

✅ All tests on macOS M1 - Mac Ventura (13) passed.

Pipeline on Agent
Hash: df9f7f93197d59ced9f3ff1e790dfa90bc858910 [PR build]

vs-mobiletools-engineering-service2 · 2026-02-12T14:45:36Z

💻 [CI Build #df9f7f9] Tests on macOS arm64 - Mac Tahoe (26) passed 💻

✅ All tests on macOS arm64 - Mac Tahoe (26) passed.

Pipeline on Agent
Hash: df9f7f93197d59ced9f3ff1e790dfa90bc858910 [PR build]

…ided

Verifies that when the Foundation.NSUrlSessionHandler.NoMissingCertificateHandling switch is enabled, the specific SecureChannelFailure exception is not thrown. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Copilot · 2026-03-27T14:57:23Z

src/Foundation/NSUrlSessionHandler.cs

+								WebExceptionStatus.SecureChannelFailure, null));
+						}
+						// We will still continue with a null credential, since some services uses optional client certificates and this will still let it succeed
+						completionHandler (NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, null!);


This branch uses PerformDefaultHandling but passes a null credential. Elsewhere in this method, PerformDefaultHandling uses challenge.ProposedCredential; using that here too avoids accidentally dropping a non-null ProposedCredential and matches the existing pattern.

Suggested change

completionHandler (NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, null!);

completionHandler (NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, challenge.ProposedCredential);

Copilot · 2026-03-27T14:57:24Z

tests/monotouch-test/System.Net.Http/MessageHandlers.cs

+			listener.SetStateChangedHandler ((state, error) => {
+				if (state == NWListenerState.Ready)
+					readyEvent.Set ();
+				if (state == NWListenerState.Failed)
+					readyEvent.Set ();
+			});


CreateNWTlsListener unblocks the wait on both Ready and Failed, but it doesn’t check which state occurred. If the listener fails to start, this method will still return a listener and subsequent requests can fail in confusing ways/time out. Track the final state/error and throw when the state is Failed (and consider disposing the ManualResetEventSlim).

- Use challenge.ProposedCredential instead of null for PerformDefaultHandling. - Fix grammar: 'services uses' -> 'services use'. - Track listener error state and throw on Failed instead of silently returning a broken listener. - Dispose ManualResetEventSlim. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

vs-mobiletools-engineering-service2 · 2026-03-27T17:12:49Z

✅ [CI Build #cf677dc] Build passed (Build packages) ✅

Pipeline on Agent
Hash: cf677dce29b4dc6188723072cba6204f75363233 [PR build]

vs-mobiletools-engineering-service2 · 2026-03-27T17:43:44Z

✅ [CI Build #cf677dc] Build passed (Build macOS tests) ✅

Pipeline on Agent
Hash: cf677dce29b4dc6188723072cba6204f75363233 [PR build]

vs-mobiletools-engineering-service2 · 2026-03-28T06:55:32Z

🔥 [CI Build #cf677dc] Test results 🔥

Test results

❌ Tests failed on VSTS: test results

1 tests crashed, 6 tests failed, 138 tests passed.

Failures

❌ monotouch tests (macOS)

🔥 Failed catastrophically on VSTS: test results - monotouch_macos (no summary found).

Html Report (VSDrops) Download

❌ monotouch tests (tvOS)

1 tests failed, 10 tests passed.