Don't close connection on MacOS when getting client certificate (#46365)

Author: JamesNK

src/Servers/Kestrel/Core/src/Internal/TlsConnectionFeature.cs

@@ -129,6 +129,12 @@ public int KeyExchangeStrength
             await _sslStream.NegotiateClientCertificateAsync(cancellationToken);
 #pragma warning restore CA1416 // Validate platform compatibility
         }
+        catch (PlatformNotSupportedException)
+        {
+            // NegotiateClientCertificateAsync might not be supported on all platforms.
+            // Don't attempt to recover by creating a new connection. Instead, just throw error directly to the app.
+            throw;
+        }
         catch
         {
             // We can't tell which exceptions are fatal or recoverable. Consider them all recoverable only given a new connection

src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs

@@ -570,6 +570,49 @@ void ConfigureListenOptions(ListenOptions listenOptions)
         await AssertConnectionResult(stream, true);
     }
 
+    [ConditionalFact]
+    [TlsAlpnSupported]
+    [OSSkipCondition(OperatingSystems.Windows | OperatingSystems.Linux, SkipReason = "MacOS only test.")]
+    public async Task CanRenegotiateForClientCertificate_MacOS_PlatformNotSupportedException()
+    {
+        void ConfigureListenOptions(ListenOptions listenOptions)
+        {
+            listenOptions.Protocols = HttpProtocols.Http1;
+            listenOptions.UseHttps(options =>
+            {
+                options.ServerCertificate = _x509Certificate2;
+                options.ClientCertificateMode = ClientCertificateMode.DelayCertificate;
+                options.AllowAnyClientCertificate();
+            });
+        }
+
+        await using var server = new TestServer(async context =>
+        {
+            var tlsFeature = context.Features.Get<ITlsConnectionFeature>();
+            Assert.NotNull(tlsFeature);
+            Assert.Null(tlsFeature.ClientCertificate);
+            Assert.Null(context.Connection.ClientCertificate);
+
+            await Assert.ThrowsAsync<PlatformNotSupportedException>(() => context.Connection.GetClientCertificateAsync());
+
+            var lifetimeNotificationFeature = context.Features.Get<IConnectionLifetimeNotificationFeature>();
+            Assert.False(
+                lifetimeNotificationFeature.ConnectionClosedRequested.IsCancellationRequested,
+                "GetClientCertificateAsync shouldn't cause the connection to be closed.");
+
+            await context.Response.WriteAsync("hello world");
+        }, new TestServiceContext(LoggerFactory), ConfigureListenOptions);
+
+        using var connection = server.CreateConnection();
+        // SslStream is used to ensure the certificate is actually passed to the server
+        // HttpClient might not send the certificate because it is invalid or it doesn't match any
+        // of the certificate authorities sent by the server in the SSL handshake.
+        // Use a random host name to avoid the TLS session resumption cache.
+        var stream = OpenSslStreamWithCert(connection.Stream);
+        await stream.AuthenticateAsClientAsync(Guid.NewGuid().ToString());
+        await AssertConnectionResult(stream, true);
+    }
+
     [Fact]
     public async Task Renegotiate_ServerOptionsSelectionCallback_NotSupported()
     {