Allow access to connection info in certificate validation callback

[rzikm]

Fixes #114351.

[rzikm]

/azp run runtime-libraries-coreclr outerloop

[Copilot]

Pull Request Overview

This PR enhances certificate validation by allowing a custom certificate callback in client authentication, and refines the handshake validation logic in SslStream by checking the connection protocol.

• Updated RemoteCertificateValidationCallback in the client test to use a provided callback when available.
• Modified the handshake error-checking condition in SslStream to validate using _connectionInfo.Protocol.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs	Updated test to support a custom certificate callback fallback.
src/libraries/System.Net.Security/src/System/Net/Security/SslStream.cs	Revised handshake validation logic to check _connectionInfo.Protocol instead of IsAuthenticated.

Comments suppressed due to low confidence (2)

src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs:148

• Ensure test coverage includes scenarios where a non-null certificateCallback is provided, verifying that the custom callback is executed as expected.

RemoteCertificateValidationCallback = certificateCallback ?? AllowAnyServerCertificate,

src/libraries/System.Net.Security/src/System/Net/Security/SslStream.cs:931

• Verify that checking _connectionInfo.Protocol for a zero value accurately represents an unauthenticated state across all valid protocol scenarios to prevent any unintended behavior.

if (_connectionInfo.Protocol == 0)

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[wfurt]

LGTM

[rzikm]

/ba-g Test failures are unrelated, Build Analysis job stuck

[BrzVlad]

@rzikm It would seem that this change regressed System.Net.Security.Tests.ClientAsyncAuthenticateTest.ClientAsyncAuthenticate_ConnectionInfoInCallback_DoesNotThrow on android. Here is an example of a failure https://helixr1107v0xdeko0k025g8.blob.core.windows.net/dotnet-runtime-refs-heads-main-6bddc39bb6424c5d91/System.Net.Security.Tests/3/console.cbf524ee.log?helixlogtype=result.

Failed tests:
 05-08 18:42:34.963  2577  8178 I DOTNET  : 1) 	[FAIL] System.Net.Security.Tests.ClientAsyncAuthenticateTest.ClientAsyncAuthenticate_ConnectionInfoInCallback_DoesNotThrow   Test name: System.Net.Security.Tests.ClientAsyncAuthenticateTest.ClientAsyncAuthenticate_ConnectionInfoInCallback_DoesNotThrow
 05-08 18:42:34.963  2577  8178 I DOTNET  :    Assembly:  [System.Net.Security.Tests, Version=10.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51]
 05-08 18:42:34.963  2577  8178 I DOTNET  :    Exception messages: System.Security.Authentication.AuthenticationException : Authentication failed, see inner exception.
 05-08 18:42:34.963  2577  8178 I DOTNET  : ---- System.InvalidOperationException : This operation is only allowed using a successfully authenticated context.   Exception stack traces:    at System.Net.Security.SslStream.<ForceAuthenticationAsync>d__157`1[[System.Net.Security.AsyncReadWriteAdapter, System.Net.Security, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a]].MoveNext()
 05-08 18:42:34.963  2577  8178 I DOTNET  :    at System.Net.Security.Tests.ClientAsyncAuthenticateTest.ClientAsyncSslHelper(EncryptionPolicy encryptionPolicy, SslProtocols clientSslProtocols, SslProtocols serverSslProtocols, RemoteCertificateValidationCallback certificateCallback) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs:line 159
 05-08 18:42:34.963  2577  8178 I DOTNET  :    at System.Net.Security.Tests.ClientAsyncAuthenticateTest.ClientAsyncSslHelper(EncryptionPolicy encryptionPolicy, SslProtocols clientSslProtocols, SslProtocols serverSslProtocols, RemoteCertificateValidationCallback certificateCallback) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs:line 180
 05-08 18:42:34.963  2577  8178 I DOTNET  :    at System.Net.Security.Tests.ClientAsyncAuthenticateTest.ClientAsyncAuthenticate_ConnectionInfoInCallback_DoesNotThrow() in /_/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs:line 33
 05-08 18:42:34.963  2577  8178 I DOTNET  : --- End of stack trace from previous location ---
 05-08 18:42:34.963  2577  8178 I DOTNET  : ----- Inner Stack Trace -----
 05-08 18:42:34.963  2577  8178 I DOTNET  :    at System.Net.Security.SslStream.ThrowNotAuthenticated()
 05-08 18:42:34.963  2577  8178 I DOTNET  :    at System.Net.Security.SslStream.get_SslProtocol()
 05-08 18:42:34.963  2577  8178 I DOTNET  :    at System.Net.Security.Tests.ClientAsyncAuthenticateTest.AllowAnyServerCertificateAndVerifyConnectionInfo(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) in /_/src/libraries/System.Net.Security/tests/FunctionalTests/ClientAsyncAuthenticateTest.cs:line 203
 05-08 18:42:34.963  2577  8178 I DOTNET  :    at System.Net.Security.SslStream.VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)
 05-08 18:42:34.963  2577  8178 I DOTNET  :    at System.Net.Security.SslStream.VerifyRemoteCertificate()
 05-08 18:42:34.963  2577  8178 I DOTNET  :    at System.Net.Security.SslStream.JavaProxy.VerifyRemoteCertificate(IntPtr sslStreamProxyHandle)

Any idea on fixing this ? cc @simonrozsival

[wfurt]

for now, we can perhaps disable that test on Android. I also talk with @simonrozsival few weeks back and it may be good to run android test in networking and security changes. Any thoughts on that @dotnet/ncl ?