Unable to get acceptableIssuers from LocalCertificateSelectionCallback #52499

@denisvasilik

Description

I'm using an mTLS setup and wanted to get a list of acceptableIssuers from the LocalCertificateSelectionCallback at the client application. This works great on Windows, but fails on Ubuntu 20.04. Here is a sample application I used for reproduction and a snippet of the relevant location:

```csharp
using System.Security.Cryptography.X509Certificates;

// Signature matches System.Net.Security.LocalCertificateSelectionCallback.
private static X509Certificate SelectClientCertificate(
    object sender,
    string targetHost,
    X509CertificateCollection localCertificates,
    X509Certificate remoteCertificate,
    string[] acceptableIssuers)
{
    //
    // * Is only called once when running on Linux and does *not* provide
    //   acceptable issuers.
    //
    // * Is called twice when running on Windows and does provide
    //   acceptable issuers.
    //
    return localCertificates[0];
}
```

Configuration

Working configuration:

  • Windows 10
  • .NET 5.0.200

Erroneous configuration:

  • Ubuntu 20.04
  • .NET 5.0.201

Quick Analysis

During debugging I figured out that on Windows the method InitializeSecurityContext returns SecurityStatusPalErrorCode.CredentialsNeeded (when appropriate). As a consequence, the LocalCertificateSelectionCallback is called a second time with proper content of acceptable issuers. When looking at the InitializeSecurityContext or HandshakeInternal routine on Linux, it never returns SecurityStatusPalErrorCode.CredentialsNeeded. Instead it returns SecurityStatusPalErrorCode.ContinueNeeded which does not trigger LocalCertificateSelectionCallback. Hence, there's no second invocation of LocalCertificateSelectionCallback providing the acceptable issuers.

If this is a bug (and not a configuration issue) I would like to work on it in order to provide a fix.
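A client-side selection callback that copes with the behaviour described in the issue, as an added example that is not part of the issue or of the dotnet/runtime code: it matches local certificates against acceptableIssuers by distinguished name when the server advertised any, and falls back to the first local certificate with a private key when the list is empty (the single Linux invocation). The certificate collection and the underlying stream are assumed to be supplied by the caller.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class ClientCertSelector
{
    // Compares two issuer DNs by their DER encoding rather than by string,
    // because the textual DN form can differ between the Windows and OpenSSL backends.
    static bool SameIssuer(string acceptableIssuerDn, X509Certificate2 cert)
    {
        try
        {
            var wanted = new X500DistinguishedName(acceptableIssuerDn).RawData;
            return wanted.SequenceEqual(cert.IssuerName.RawData);
        }
        catch (Exception) // malformed DN string from the server: treat as no match
        {
            return false;
        }
    }

    public static X509Certificate SelectClientCertificate(
        object sender,
        string targetHost,
        X509CertificateCollection localCertificates,
        X509Certificate remoteCertificate,
        string[] acceptableIssuers)
    {
        // Only certificates we can actually sign with are candidates.
        var candidates = localCertificates.OfType<X509Certificate2>()
            .Where(c => c.HasPrivateKey)
            .ToList();

        if (acceptableIssuers != null && acceptableIssuers.Length > 0)
        {
            // Windows path: the second invocation carries the server's issuer list.
            var match = candidates.FirstOrDefault(c =>
                acceptableIssuers.Any(dn => SameIssuer(dn, c)));
            if (match != null) return match;
        }

        // Linux path (as reported above) or no issuer matched: best-effort fallback.
        return candidates.FirstOrDefault();
    }

    // Hypothetical helper showing how the callback is wired into SslStream.
    public static SslStream Wrap(Stream inner) =>
        new SslStream(inner, false, null, SelectClientCertificate);
}
```

Returning null from the callback makes SslStream continue without a client certificate, so the fallback above deliberately returns the first usable certificate instead; if the server rejects it, that shows up as a handshake failure rather than a silent downgrade to anonymous TLS.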
