fix: wire mTLS client certs into VssHttpMessageHandler and RawHttpMessageHandler

dseth-linkedin · claude · dseth-linkedin · commit 72b506979de0 · 2026-05-29T09:29:25.000-07:00
The runner's primary HTTP paths (VssConnection/RawConnection) create
bare HttpClientHandler instances without loading client certificates.
RunnerWebProxy reads HTTPS_PROXY_CLIENT_CERT/KEY env vars but only
HttpClientHandlerFactory (secondary path) wires them into the handler.

Changes:
- VssHttpMessageHandler: add ConfigureClientCertificates callback,
  invoke it in ApplySettings after proxy is set
- RawHttpMessageHandler: same callback pattern
- VssUtil: set RawHttpMessageHandler.DefaultWebProxy (was missing),
  wire cert loading callback into both handlers

This enables mTLS proxy authentication for all runner communication:
job pickup, token refresh, broker connections, action downloads.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/src/Runner.Sdk/Util/VssUtil.cs b/src/Runner.Sdk/Util/VssUtil.cs
@@ -1,7 +1,9 @@
 ﻿using System;
 using System.Collections.Generic;
 using System.Globalization;
+using System.IO;
 using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
 using GitHub.DistributedTask.WebApi;
 using GitHub.Services.Common;
 using GitHub.Services.WebApi;
@@ -34,6 +36,38 @@ public static void InitializeVssClientSettings(List<ProductInfoHeaderValue> addi
 
             VssClientHttpRequestSettings.Default.UserAgent = headerValues;
             VssHttpMessageHandler.DefaultWebProxy = proxy;
+            RawHttpMessageHandler.DefaultWebProxy = proxy;
+
+            // Wire mTLS client cert loading into both HTTP message handlers
+            var certPath = Environment.GetEnvironmentVariable("HTTPS_PROXY_CLIENT_CERT")
+                        ?? Environment.GetEnvironmentVariable("https_proxy_client_cert");
+            var keyPath = Environment.GetEnvironmentVariable("HTTPS_PROXY_CLIENT_KEY")
+                       ?? Environment.GetEnvironmentVariable("https_proxy_client_key");
+            if (!string.IsNullOrEmpty(certPath) && File.Exists(certPath))
+            {
+                Action<HttpClientHandler> configureCerts = (HttpClientHandler handler) =>
+                {
+                    try
+                    {
+                        var certPem = File.ReadAllText(certPath);
+                        var keyPem = !string.IsNullOrEmpty(keyPath) && File.Exists(keyPath) ? File.ReadAllText(keyPath) : null;
+                        X509Certificate2 cert;
+                        if (keyPem != null)
+                        {
+                            cert = X509Certificate2.CreateFromPem(certPem, keyPem);
+                            cert = new X509Certificate2(cert.Export(X509ContentType.Pfx));
+                        }
+                        else
+                        {
+                            cert = new X509Certificate2(certPath);
+                        }
+                        handler.ClientCertificates.Add(cert);
+                    }
+                    catch { }
+                };
+                VssHttpMessageHandler.ConfigureClientCertificates = configureCerts;
+                RawHttpMessageHandler.ConfigureClientCertificates = configureCerts;
+            }
 
             if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY")))
             {
diff --git a/src/Sdk/Common/Common/RawHttpMessageHandler.cs b/src/Sdk/Common/Common/RawHttpMessageHandler.cs
@@ -77,6 +77,8 @@ public RawClientHttpRequestSettings Settings
         // This needs to be investigated further.
         private static IWebProxy s_defaultWebProxy = null;
 
+        public static Action<HttpClientHandler> ConfigureClientCertificates { get; set; }
+
         /// <summary>
         /// Allows you to set a proxy to be used by all RawHttpMessageHandler requests without affecting the global WebRequest.DefaultWebProxy.  If not set it returns the WebRequest.DefaultWebProxy.
         /// </summary>
@@ -300,6 +302,8 @@ private static void ApplySettings(
                 httpClientHandler.Proxy = DefaultWebProxy;
                 httpClientHandler.UseCookies = false;
                 httpClientHandler.UseProxy = true;
+
+                ConfigureClientCertificates?.Invoke(httpClientHandler);
             }
         }
 
diff --git a/src/Sdk/Common/Common/VssHttpMessageHandler.cs b/src/Sdk/Common/Common/VssHttpMessageHandler.cs
@@ -503,9 +503,13 @@ private static void ApplySettings(
                 {
                     httpClientHandler.AutomaticDecompression = DecompressionMethods.GZip;
                 }
+
+                ConfigureClientCertificates?.Invoke(httpClientHandler);
             }
         }
 
+        public static Action<HttpClientHandler> ConfigureClientCertificates { get; set; }
+
         // setting this to WebRequest.DefaultWebProxy in NETSTANDARD is causing a System.PlatformNotSupportedException
         //.in System.Net.SystemWebProxy.IsBypassed.  Comment in IsBypassed method indicates ".NET Core and .NET Native
         // code will handle this exception and call into WinInet/WinHttp as appropriate to use the system proxy."

Original file line number	Diff line number	Diff line change
`@@ -503,9 +503,13 @@ private static void ApplySettings(`
`503`	`503`	`{`
`504`	`504`	`httpClientHandler.AutomaticDecompression = DecompressionMethods.GZip;`
`505`	`505`	`}`
	`506`	`+`
	`507`	`+ ConfigureClientCertificates?.Invoke(httpClientHandler);`
`506`	`508`	`}`
`507`	`509`	`}`
`508`	`510`
	`511`	`+ public static Action<HttpClientHandler> ConfigureClientCertificates { get; set; }`
	`512`	`+`
`509`	`513`	`// setting this to WebRequest.DefaultWebProxy in NETSTANDARD is causing a System.PlatformNotSupportedException`
`510`	`514`	`//.in System.Net.SystemWebProxy.IsBypassed. Comment in IsBypassed method indicates ".NET Core and .NET Native`
`511`	`515`	`// code will handle this exception and call into WinInet/WinHttp as appropriate to use the system proxy."`