[API Proposal]: Provide async callback for Remote certification validation in HttpClient #79441
Comments
Tagging subscribers to this area: @dotnet/ncl

Issue Details

Background and motivation

It is currently possible to have a custom remote certificate validation using ServerCertificateCustomValidationCallback and RemoteCertificateValidationCallback. I.e.

```csharp
services
    .AddHttpClient("someEndpointClient")
    .ConfigureHttpMessageHandlerBuilder(builder =>
    {
        var handler = (HttpClientHandler)builder.PrimaryHandler;
        handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, certificate, chain, sslPolicyErrors) =>
        {
            Task<bool> someValidationTask = ...;
            return someValidationTask.GetAwaiter().GetResult(); // sync-over-async
        };
    });
```

Original discussion: #78761

API Proposal

```csharp
namespace System.Net.Security;

public delegate ValueTask<bool> RemoteCertificateValidationAsyncCallback(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors);
```

```csharp
namespace System.Net.Security
{
    public class SslClientAuthenticationOptions
    {
        ...
        public RemoteCertificateValidationAsyncCallback? RemoteCertificateValidationAsyncCallback { get; set; }
    }
}
```

```csharp
namespace System.Net.Http
{
    public partial class HttpClientHandler : HttpMessageHandler
    {
        ...
        public Func<HttpRequestMessage, X509Certificate2?, X509Chain?, SslPolicyErrors, ValueTask<bool>>? ServerCertificateCustomValidationAsyncCallback { get; set; }
    }
}
```

API Usage

```csharp
services
    .AddHttpClient("someEndpointClient")
    .ConfigureHttpMessageHandlerBuilder(builder =>
    {
        var handler = (HttpClientHandler)builder.PrimaryHandler;
        handler.ServerCertificateCustomValidationAsyncCallback = async (httpRequestMessage, certificate, chain, sslPolicyErrors) =>
        {
            Task<bool> someValidationTask = ...;
            return await someValidationTask.ConfigureAwait(false); // awaited, no sync-over-async
        };
    });
```

Alternative Designs

No response

Risks

Replacing the current sync callback is a breaking change.
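With the existing synchronous callback, the usual way to avoid sync-over-async is to do the asynchronous part before the handler is built, so that the callback itself only does in-memory work. The following is an added example written for this page; it is not code from the issue or from the dotnet/runtime repository. `LoadAllowedFingerprintsAsync` is a hypothetical stand-in for whatever async source (config service, secret store) a deployment would consult, and the fingerprint it returns is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example (not from the issue): keep ServerCertificateCustomValidationCallback
// synchronous by resolving the asynchronous state up front.
public static class PinnedHttpClientFactory
{
    // Hypothetical async source of allowed SHA-256 certificate fingerprints.
    // Here it is an in-memory set; the value is a placeholder, not a real pin.
    private static Task<HashSet<string>> LoadAllowedFingerprintsAsync()
    {
        var pins = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000000000000000000000000000", // placeholder
        };
        return Task.FromResult(pins);
    }

    public static async Task<HttpClient> CreateAsync()
    {
        // 1. The I/O-bound work happens once, with a real await, outside the TLS callback.
        HashSet<string> allowed = await LoadAllowedFingerprintsAsync().ConfigureAwait(false);

        var handler = new HttpClientHandler();

        // 2. The callback is now pure in-memory work: no blocking, no sync-over-async,
        //    and it still honours the platform's chain and hostname result.
        handler.ServerCertificateCustomValidationCallback =
            (request, certificate, chain, sslPolicyErrors) =>
            {
                // Never override a chain or name failure here; the platform has
                // already decided the certificate is not trustworthy.
                if (sslPolicyErrors != SslPolicyErrors.None || certificate is null)
                {
                    return false;
                }

                // Extra check on top of default validation: fingerprint pin.
                string fingerprint = certificate.GetCertHashString(HashAlgorithmName.SHA256);
                return allowed.Contains(fingerprint);
            };

        return new HttpClient(handler, disposeHandler: true);
    }
}
```

The callback only ever adds a check, never relaxes one: any non-`None` `sslPolicyErrors` is rejected before the pin lookup runs. If the pin set has to be refreshed while the client is alive, replace the set reference from a background task rather than awaiting inside the callback; the callback still never blocks.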
API proposal LGTM, the only question is whether we want to have an async certificate selection callback as well, while we are at it. Thoughts? @wfurt. Not critical for 8.0, but would be nice to get it in an LTS release. Putting to Future for now.
I think the changes in HttpClientHandler are possibly problematic. AFAIK we did not change the shape for a long time for compat reasons. It would also expose it for all platform handlers and I'm not sure if that is really doable.
Having two almost-identical functions is not great. But we can make them mutually exclusive in validation. A simple workaround IMHO would be letting the handshake always continue and doing extra validation after it is done. In practice, this is what we do anyway (the callback runs after the handshake is completed at the TLS level) at the moment. I would assume failure would be a rare case (e.g. mostly you are connecting to valid sites). Note that with 7.0 one can influence the default validation via CertificateChainPolicy, e.g. disable all online checks to avoid interference.
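The workaround described in the comment above (let the handshake complete with default validation, then run the extra, awaitable check) can be written against SslStream today. The following is an added example for this page, not code from the issue, the commenter, or the dotnet/runtime repository. `IsApprovedAsync` is a hypothetical async check standing in for a remote lookup, and the fingerprint it compares against is a placeholder. The point of the sequencing is that no application data is written to the stream until the post-handshake check has passed, and the connection is disposed if it fails.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// Added example (not from the issue): validate after the handshake, asynchronously,
// and fail closed before any application bytes are sent.
public static class PostHandshakeValidation
{
    // Hypothetical async check (e.g. a lookup against a remote allow-list).
    // Simulated in memory here; the fingerprint is a placeholder.
    private static async Task<bool> IsApprovedAsync(X509Certificate2 cert, CancellationToken ct)
    {
        await Task.Yield(); // stands in for real I/O
        string fingerprint = cert.GetCertHashString(HashAlgorithmName.SHA256);
        const string placeholderPin = "0000000000000000000000000000000000000000000000000000000000000000";
        return string.Equals(fingerprint, placeholderPin, StringComparison.OrdinalIgnoreCase);
    }

    public static async Task<SslStream> ConnectAsync(string host, int port, CancellationToken ct)
    {
        var tcp = new TcpClient();
        try
        {
            await tcp.ConnectAsync(host, port, ct).ConfigureAwait(false);
        }
        catch
        {
            tcp.Dispose();
            throw;
        }

        // Default validation only during the handshake: a chain or name error still
        // fails it here, and the callback does not block on anything.
        var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        var options = new SslClientAuthenticationOptions
        {
            TargetHost = host,
            CertificateRevocationCheckMode = X509RevocationMode.Online,
            RemoteCertificateValidationCallback =
                (sender, cert, chain, errors) => errors == SslPolicyErrors.None,
        };

        try
        {
            await ssl.AuthenticateAsClientAsync(options, ct).ConfigureAwait(false);

            // Handshake is complete at the TLS level; now the awaitable extra check.
            // ssl.RemoteCertificate is the leaf certificate the peer presented.
            var leaf = new X509Certificate2(ssl.RemoteCertificate
                ?? throw new AuthenticationException("No server certificate presented"));
            if (!await IsApprovedAsync(leaf, ct).ConfigureAwait(false))
            {
                throw new AuthenticationException("Server certificate not approved");
            }
        }
        catch
        {
            // Fail closed: dispose the stream before anything is written to it.
            await ssl.DisposeAsync().ConfigureAwait(false);
            throw;
        }

        return ssl;
    }
}
```

This is only possible because the caller owns the stream and controls when the first application bytes go out. HttpClientHandler issues the request as soon as the connection is established, so there is no equivalent hook between handshake and first write; that gap is what the proposed async callback would close.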
I don't think we would be able to implement the async callback in
@mddddb we currently do not have plans for implementing it. It will not fit into 8.0 for sure. We can revisit it for 9.0+; however, given the troubles it brings and the low demand (no upvotes on top post), it may be cut eventually.
Background and motivation

It is currently possible to have a custom remote certificate validation for HttpClient using

runtime/src/libraries/System.Net.Http/src/System/Net/Http/HttpClientHandler.cs
Line 261 in 4cbe6f9

runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslClientAuthenticationOptions.cs
Line 26 in a5f3676

However, it is currently impossible to have async validation without sync-over-async, since the signature of the delegate is as below:

```csharp
public delegate bool RemoteCertificateValidationCallback(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors);
```

I.e.

Original discussion: #78761

API Proposal

API Usage

Alternative Designs

No response

Risks

Replacing the current sync callback is a breaking change.
But introducing a new one and having 2 callbacks for the same reason is not a good solution either.