DangerousAcceptAnyServerCertificateValidator for RemoteCertificateValidationCallback

[JamesNK]

Today with HttpClientHandler.ServerCertificateCustomValidationCallback you can do this to accept self-signed certificates:

var httpHandler = new HttpClientHandler();
// Return `true` to allow certificates that are untrusted/invalid
httpHandler.ServerCertificateCustomValidationCallback = 
    HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;

This is good, but the predefined delegate is limited to HttpClientHandler. There are options specific to SocketsHttpHandler so devs sometimes must use it instead. When they use SocketsHttpHandler there isn't an equivalent for quickly accepting self-signed certificates. They must specify a delegate that returns true:

var httpHandler = new SocketsHttpHandler();
httpHandler.SslOptions.RemoteCertificateValidationCallback =
    (object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors) => true;

It would be nice if there was a helper delegate for SocketsHttpHandler like DangerousAcceptAnyServerCertificateValidator:

var httpHandler = new SocketsHttpHandler();
httpHandler.SslOptions.RemoteCertificateValidationCallback =
    SocketsHttpHandler.DangerousAcceptAnyServerCertificateValidator;

The property could either go on SocketsHttpHandler, or SslClientAuthenticationOptions (which is where RemoteCertificateValidationCallback is defined)

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[geoffkizer]

I'd vote for it to go on SslClientAuthenticationOptions, since it's not specific to SocketsHttpHandler.

[stephentoub]

We added the delegate not because it made things simpler but because at the time our Unix implementations needed to be able to know whether an "allow everything" callback was being used, so we needed an instance that could be used for its reference identity. That's no longer the case, so it's purely a usability thing. Personally, I don't think it's worthwhile, when I can just write:

httpHandler.SslOptions.RemoteCertificateValidationCallback =
    delegate { return true; };

(That said, if we decided to add it anyway, I agree with @geoffkizer it should be on SslClientAuthenticationOptions, as that's where the delegate is used, this isn't specific to the handler and could be used by other components, and it needn't clutter up the handler's surface area.)

[stephentoub]

Given #42482 (comment) and there hasn't been any further discussion here in the year and a half since, I'm going to close this. Thanks for the suggestion.