devops-mahadi opened a new issue, #278: URL: https://github.com/apache/pulsar-dotpulsar/issues/278
### Is your feature request related to a problem? Please describe ## Summary Add support for custom certificate validation callbacks to `IPulsarClientBuilder`, similar to how `HttpClient` and `SslStream` support `RemoteCertificateValidationCallback`. ## Motivation Currently, DotPulsar only provides binary options for certificate validation: - `.VerifyCertificateAuthority(bool)` - All or nothing CA verification - `.TrustedCertificateAuthority(X509Certificate2)` - Add specific CA cert - `.CheckCertificateRevocation(bool)` - Enable/disable revocation checking This doesn't allow developers to handle edge cases where certificate validation fails on certain platforms (especially macOS) even when the certificate is valid. ### Specific Use Case When connecting to Pulsar servers with Let's Encrypt certificates on macOS, .NET's `SslStream` can fail with `RemoteCertificateChainErrors` even when: - The server sends a complete certificate chain (verified with `openssl s_client`) - ISRG Root X1 CA is installed and trusted in the system keychain - The same code works fine on Windows and Linux This is a known .NET runtime issue on macOS (see [dotnet/runtime#113971](https://github.com/dotnet/runtime/issues/113971), [dotnet/runtime#25872](https://github.com/dotnet/runtime/issues/25872)), but currently there's no way to work around it in DotPulsar without disabling all CA verification. ## Related Issues - dotnet/runtime#113971 - Invalid certificate verification on Mac - dotnet/runtime#25872 - SslStream certificate revocation issues on macOS ## Environment - **DotPulsar Version**: 4.3.1 - **Platform**: macOS (issue also affects certain Linux configurations) - **.NET Version**: .NET 8.0 ### Describe the solution you'd like and alternatives you've considered ## Proposed API ```csharp public interface IPulsarClientBuilder { // Existing methods... /// <summary> /// Set a custom certificate validation callback /// </summary> IPulsarClientBuilder RemoteCertificateValidationCallback( RemoteCertificateValidationCallback callback); } ``` ### Usage Example ```csharp var client = PulsarClient.Builder() .ServiceUrl(new Uri("pulsar+ssl://example.com:6651")) .RemoteCertificateValidationCallback((sender, cert, chain, errors) => { // Custom validation logic if (errors == SslPolicyErrors.None) return true; // Handle specific macOS certificate chain issues if (errors == SslPolicyErrors.RemoteCertificateChainErrors) { // Validate certificate hostname, expiration, and issuer var x509Cert = cert as X509Certificate2; if (x509Cert != null) { // Custom validation logic here return IsValidCertificate(x509Cert, chain); } } return false; }) .Build(); ``` ## Implementation Notes The internal `Connector.EncryptStream` method already uses a validation callback internally: ```csharp bool Validate(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors) { policyErrors = sslPolicyErrors; return ValidateServerCertificate(certificate, chain, sslPolicyErrors); } sslStream = new SslStream(stream, false, Validate, null); ``` The implementation would: 1. Add an optional `RemoteCertificateValidationCallback` field to the builder 2. If provided, use the custom callback instead of (or in addition to) the default `ValidateServerCertificate` logic 3. Maintain backward compatibility - if not set, use current validation behavior ## Alternatives Considered 1. **Status Quo**: Force developers to use `.VerifyCertificateAuthority(false)`, which is insecure 2. **Platform-specific workarounds**: Not portable or maintainable 3. **Fork DotPulsar**: Increases maintenance burden for users -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
