NuGet cannot restore from HTTPS sources that require Client Certificates #5773

Closed
superstrom opened this issue Aug 18, 2017 · 28 comments

@superstrom

Idea

We should add a way for users to nominate a Client Certificate for HTTPS connections that require them.

Probably should be handled similar to #4387

"Inspirations"

npm has this: https://docs.npmjs.com/misc/config#cert

cert="-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----"

maven has this: https://maven.apache.org/guides/mini/guide-repository-ssl.html:

-Djavax.net.ssl.keyStore=/home/directory/mycertificate.p12
-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.keyStorePassword=XXXXXX

Current Behavior

nuget list -source https://secured-server/repository/dev-nuget-feed -Verbosity Detailed
System.AggregateException: One or more errors occurred. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel
at System.Net.HttpWebRequest.GetResponse()
at NuGet.RequestHelper.GetResponse()
at NuGet.HttpClient.GetResponse()
at NuGet.RedirectedHttpClient.GetResponseUri(HttpClient client)
at NuGet.RedirectedHttpClient.EnsureClient()
at System.Lazy`1.CreateValue()
at System.Lazy`1.LazyInitValue()
at System.Lazy`1.get_Value()
at NuGet.MemoryCache.GetOrAdd[T](Object cacheKey, Func`1 factory, TimeSpan expiration, Boolean absoluteExpiration)
at NuGet.RedirectedHttpClient.get_CachedClient()
at NuGet.RedirectedHttpClient.get_Uri()
at NuGet.DataServicePackageRepository.get_Source()
at NuGet.Protocol.Core.v2.ListCommandResourceV2Provider.<TryCreate>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.Core.Types.SourceRepository.<GetResourceAsync>d__11`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.Core.Types.SourceRepository.<GetResourceAsync>d__10`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Commands.ListCommand.<GetListEndpointsAsync>d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Commands.ListCommand.<ExecuteCommandAsync>d__22.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at NuGet.CommandLine.Command.Execute()
at NuGet.CommandLine.Program.MainCore(String workingDirectory, String[] args)

@superstrom
Author

@rrelyea rrelyea added this to the Backlog milestone Aug 21, 2017
@nkolev92 nkolev92 added the Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. label Nov 9, 2017
@keithrob

keithrob commented Mar 13, 2018

@rrelyea or nuget team,
Please reach out to me or someone on the VSTS Packaging team so that we can update the credential providers to support mutual SSL auth when you start working on this.

@emmellee

emmellee commented Mar 14, 2018

This support for mutual SSL authentication is sorely needed by the DoD community.

@jbo1984

jbo1984 commented Mar 14, 2018

This support for mutual SSL authentication is needed by the DoD community.

@aschoenborn

My team could really use this feature

@sean-gilliam

This feature would go a long way in helping our team resolve an issue we're having with using nuget in several of our projects.

@emmellee

Besides offering a mechanism for an application such as TFS/VSTS to "pass" client certificates to nuget for use during ssl client authentication, could you also ensure the nuget client can utilize an ssl client certificate from a smartcard device? VS 2015 appears to do this well.

@nkolev92 nkolev92 added Priority:2 Issues for the current backlog. and removed Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. labels Apr 25, 2018
@m-spinks

I work for the government, and we really do need this feature available. We are currently having to use several workarounds. These workarounds are slow, time-consuming, and error prone.

@rcs0424

rcs0424 commented Apr 30, 2018

Yes, having this feature would be extremely helpful, I work for the Government as well and not having that option is cumbersome to say the least.

@SlayeroftheBrightRealm

I concur: "This support for mutual SSL authentication is SORELY needed by the DoD community."

@BeLikeMikeB

This would be a great thing to have, our project would benefit from this as well.

@emmellee

emmellee commented May 3, 2018

@rrelyea , regarding this issue's designation as a feature rather than a bug type: Today, isn't mutual ssl authentication considered more of a basic functionality rather than a nice-to-have?

With security being paramount, my organization requires mutual ssl authentication without exception. Without nuget's support of ssl client authentication, we are unable to use Visual Studio Team Foundation Server's Package Management to host our nuget packages.

As a result, this issue is blocking our development of a much-needed modular redesign using nuget packages.

@rrelyea
Contributor

rrelyea commented Jun 12, 2018

@emmellee - thanks for the interest.

@keithrob / @nkolev92 - pinged you via email. could our current 15.8 (VS 2017) and 5.8 (nuget.exe) based work help solve this? Timing good? Cost?

@nkolev92
Member

Just looping back here.
This ask is orthogonal of our plugins feature.

@emmellee

Issue 7212 was closed as duplicate of this ticket. Still wondering when nuget will support ssl client authentication? Thank you.

@emmellee

@nkolev92 , could you explain what "This ask is orthogonal of our plugins feature" means?

@nkolev92
Member

@emmellee

The plugins feature was independent of this one.

They are both in the same feature space (authentication), but the plugins were solving a different problem.

@emmellee

@nkolev92
Thank you. Is there any idea when we might see nuget support of client certificates?

@nkolev92
Member

nkolev92 commented May 28, 2019

There're no immediate plans (5.2) as far as I am aware (5.2 which aligns to 16.2 of Visual Studio).
I can't make any claims beyond that.

@Auranis

Auranis commented Oct 15, 2019

This would be a great feature for my team as well. We are required to use client certificate auth for our systems, which currently precludes us from using NuGet package hosting.

@BlackGad
Contributor

I did not expect that such a feature still does not exist. Today I faced the same issue. I hope the NuGet team will implement this desirable functionality soon.

@emmellee

@nkolev92 @keithrob @rrelyea
I had almost given up hope this issue would be worked, but recent comments show others are as hopeful as I that it soon will be. Can you give us some confirmation that this issue will be worked and solved soon? Even after all this time, down alternative paths, our projects would still greatly benefit by using nuget in our ssl environment.

@BlackGad
Contributor

I hope that pull request somehow speeds up the feature implementation.

@sean-gilliam

Awesome work @BlackGad! Hopefully they'll take a look at this and merge it in quickly =)

@emmellee

Thank you @BlackGad. It would be wonderful to be able to use the certificate store.

@zivkan
Member

zivkan commented May 8, 2020

Huge thanks to @BlackGad for implementing this. It was a big effort as we went through a design spec process first, which needed the original implementation to change considerably. But this has now been merged! 🎉

It will be available in:

  • NuGet 5.7
  • Visual Studio 2019 16.7 (probably preview 2)
  • .NET Core 3.1 SDK 3.1.4xx
  • .NET 5 SDK (I think preview 5)

@zivkan zivkan closed this as completed May 8, 2020
@superstrom
Author

Thanks @BlackGad! I can't wait to test this out.

@BlackGad
Contributor

BlackGad commented Jul 8, 2020

For people who want to secure their NuGet server with client certificates, I will leave our configuration here.

We are using a regular BaGet NuGet server, which listens on unsecured HTTP inside our private network (read-through caching disabled), and an Apache reverse proxy with the Client Certificate Authentication feature configured for the internet. The reverse proxy routes HTTPS requests to our NuGet server's HTTP endpoint.
For a proper NuGet feed index response, you need to specify additional headers for all HTTP requests forwarded from Apache to BaGet. See for details.

Apache configuration example:

ProxyPass http://<BaGet server IP>/
ProxyPassReverse http://<BaGet server IP>/
ProxyPassReverseCookieDomain https://<BaGet server IP>/
ProxyPreserveHost On
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

The above configuration allows:

  1. HTTP access for our build agents (TeamCity) and developers inside our private network without overhead. The NuGet config for PCs in this area is extended with the direct HTTP endpoint.
  2. Secured HTTPS access with client certificates for developers outside our private network. The NuGet config for PCs in this area is extended with the HTTPS endpoint of our Apache server.
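
An added example, not part of the comment above or of the NuGet project: a fuller Apache 2.4 virtual host for the setup described, showing the mod_ssl directives that enforce the client certificate next to the proxy and header lines from the comment. The host names, file paths, log name and CA file are placeholders chosen for illustration.

```apache
# Added example. All names and paths below are placeholders.
<VirtualHost *:443>
    ServerName nuget.example.com

    # Server-side TLS identity presented to NuGet clients.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/tls/nuget.example.com.crt
    SSLCertificateKeyFile /etc/apache2/tls/nuget.example.com.key

    # Mutual TLS: the handshake only completes for clients that present a
    # certificate chaining to this CA. Use a CA dedicated to feed access,
    # not a public trust bundle, or any publicly issued certificate passes.
    SSLCACertificateFile  /etc/apache2/tls/feed-client-ca.crt
    SSLVerifyClient       require
    # Depth 1 accepts certificates issued directly by the CA above;
    # raise it if client certificates are issued by an intermediate.
    SSLVerifyDepth        1

    # Forward authenticated requests to the BaGet HTTP endpoint.
    <Location "/">
        ProxyPass        http://baget.internal.example/
        ProxyPassReverse http://baget.internal.example/
    </Location>
    ProxyPreserveHost On

    # "set" replaces any value the client sent, so the backend only ever
    # sees the scheme Apache observed (same headers as in the comment).
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

    # Record which certificate subject made each request, for audit.
    LogFormat "%h %{SSL_CLIENT_S_DN}x \"%r\" %>s" feed_mtls
    CustomLog /var/log/apache2/nuget_mtls.log feed_mtls
</VirtualHost>
```

Because the backend accepts plain HTTP, the certificate check protects only traffic that enters through this virtual host; anything that can reach the BaGet endpoint directly is not authenticated by it. On the client side, NuGet 5.7 and later read the certificate to present from a `clientCertificates` section in nuget.config, with `storeCert` or `fileCert` entries keyed by package source.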
