[release/9.0-staging] [WinHTTP] Certificate caching on WinHttpHandler to eliminate extra call to Custom Certificate Validation

[liveans]

Backport of #111791 to release/9.0-staging

Customer Impact

Reported by customer (Identity team) - it was blocking their migration to WinHttpHandler and gRPC on .NET Framework (as first step of migration to .NET).
They reported slow performance due to creation of certificate chain in CertificateValidationCallback on each request.
This change caches certificate chain per connection as an opt-in feature (the default path is not affected).
They observed perf improvements on privates from %17.2 CPU to %0.61.

Regression

No - it was behaving this way since WinHttpHandler OOB package was introduced during .NET Core 1.0 shipping in 2016.

Testing

CI + Manual testing
Customer validated private bits against 9.0 servicing branch.

Risk

Low: This is under a feature switch (opt-in), it will not affect customers unless they enable the switch and opt-in into the feature.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[Copilot]

Copilot reviewed 5 out of 7 changed files in this pull request and generated 1 comment.

Files not reviewed (2)

• src/libraries/System.Net.Http.WinHttpHandler/src/System.Net.Http.WinHttpHandler.csproj: Language not supported
• src/libraries/System.Net.Http.WinHttpHandler/tests/UnitTests/System.Net.Http.WinHttpHandler.Unit.Tests.csproj: Language not supported

[liveans]

Approved via email by @SteveMCarroll on 5/7

[liveans]

/azp run runtime-libraries-coreclr outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[liveans]

/ba-g test failure is unrelated: #115359