dotnet · wfurt · Jul 17, 2022 · Jul 17, 2022 · Jul 17, 2022 · Jul 17, 2022
diff --git a/src/libraries/Common/src/System/Net/Security/CertificateHelper.cs b/src/libraries/Common/src/System/Net/Security/CertificateHelper.cs
@@ -13,9 +13,9 @@ internal static partial class CertificateHelper
     {
         private const string ClientAuthenticationOID = "1.3.6.1.5.5.7.3.2";
 
-        internal static X509Certificate2? GetEligibleClientCertificate(X509CertificateCollection candidateCerts)
+        internal static X509Certificate2? GetEligibleClientCertificate(X509CertificateCollection? candidateCerts)
         {
-            if (candidateCerts.Count == 0)
+            if (candidateCerts == null || candidateCerts.Count == 0)
             {
                 return null;
             }
@@ -26,9 +26,9 @@ internal static partial class CertificateHelper
             return GetEligibleClientCertificate(certs);
         }
 
-        internal static X509Certificate2? GetEligibleClientCertificate(X509Certificate2Collection candidateCerts)
+        internal static X509Certificate2? GetEligibleClientCertificate(X509Certificate2Collection? candidateCerts)
         {
-            if (candidateCerts.Count == 0)
+            if (candidateCerts == null || candidateCerts.Count == 0)
             {
                 return null;
             }

diff --git a/src/libraries/Common/src/System/Net/Security/SslClientAuthenticationOptionsExtensions.cs b/src/libraries/Common/src/System/Net/Security/SslClientAuthenticationOptionsExtensions.cs
@@ -19,6 +19,7 @@ public static SslClientAuthenticationOptions ShallowClone(this SslClientAuthenti
                 AllowRenegotiation = options.AllowRenegotiation,
                 ApplicationProtocols = options.ApplicationProtocols != null ? new List<SslApplicationProtocol>(options.ApplicationProtocols) : null,
                 CertificateRevocationCheckMode = options.CertificateRevocationCheckMode,
+                CertificateChainPolicy = options.CertificateChainPolicy,
                 CipherSuitesPolicy = options.CipherSuitesPolicy,
                 ClientCertificates = options.ClientCertificates,
                 EnabledSslProtocols = options.EnabledSslProtocols,

diff --git a/src/libraries/System.Net.Http/src/System/Net/Http/HttpClientHandler.cs b/src/libraries/System.Net.Http/src/System/Net/Http/HttpClientHandler.cs
@@ -222,7 +222,7 @@ public ClientCertificateOption ClientCertificateOptions
 #else
                         ThrowForModifiedManagedSslOptionsIfStarted();
                         _clientCertificateOptions = value;
-                        _underlyingHandler.SslOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) => CertificateHelper.GetEligibleClientCertificate(ClientCertificates)!;
+                        _underlyingHandler.SslOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) => CertificateHelper.GetEligibleClientCertificate(_underlyingHandler.SslOptions.ClientCertificates)!;
 #endif
                         break;