Asynchronous SNI API for SslStream

[ryanerdmann]

Rationale

With the new SNI extension support in SslStream (#24553, dotnet/corefx#28278), web servers can support TLS for multiple hostnames from a single endpoint. However, in a multi-tenant environment, the certificate for a supported hostname may not always be available synchronously. For example, there may be a number of stateless front-end servers that must fetch certificates from a persistent backend, where the total set of supported hostnames and their certificates is either too large to fit in memory or not known a priori. For this reason, the existing ServerCertificateSelectionCallback API is problematic, as it requires servers to block threads while retrieving the certificate.

The server-side SNI API in SslStream should support async realization of the server certificate used for a connection.

Ideally, this would then be supported upstream in servers like Kestrel.

Proposed API Shape

Add AsyncServerCertificateSelectionCallback to SslServerAuthenticationOptions, alongside the existing ServerCertificateSelectionCallback:

namespace System.Net.Security {

public class SslServerAuthenticationOptions
{
    public ServerCertificateSelectionCallback ServerCertificateSelectionCallback { get; set; }
    public AsyncServerCertificateSelectionCallback AsyncServerCertificateSelectionCallback { get; set; }
}

public delegate System.Security.Cryptography.X509Certificates.X509Certificate ServerCertificateSelectionCallback(object sender, string hostName);
public delegate System.Threading.Tasks.ValueTask<System.Security.Cryptography.X509Certificates.X509Certificate> AsyncServerCertificateSelectionCallback(object sender, string hostName);

}

Additional API Information:

• The async callback should be mutually exclusive with the synchronous variant. This should be enforced similarly to the mutual-exclusion with LocalCertificateSelectionCallback.
• Since the async version is mutually-exclusive with the sync variant, the return type could just be Task as it is expected to always be truly asynchronous. However, ValueTask enables pooling for performance-sensitive applications.
• The semantics of the return value should be identical to the synchronous API (e.g. returning null causes the handshake to fail).

[karelz]

Is blocking threads really a real-life scenario issue? I don't think anyone wants long-running operation as part of each request SNI.
I would expect such data to be cached and occasionally some threads would block ...

[karelz]

Closing -- It is limited scenario, smaller demand, adds significant complications into the code.

[ryanerdmann]

This appears to now be addressed by #37933.