Azure · ealsur · Jan 24, 2023 · Jan 6, 2023 · Jan 9, 2023 · Jan 9, 2023
@@ -8,6 +8,8 @@ namespace Microsoft.Azure.Cosmos
     using System.Collections.ObjectModel;
     using System.Collections.Specialized;
     using System.Net.Http;
+    using System.Net.Security;
+    using System.Security.Cryptography.X509Certificates;
     using Microsoft.Azure.Cosmos.Telemetry;
     using Microsoft.Azure.Documents;
     using Microsoft.Azure.Documents.Client;
@@ -46,8 +48,8 @@ public ConnectionPolicy()
             this.MaxConnectionLimit = defaultMaxConcurrentConnectionLimit;
             this.RetryOptions = new RetryOptions();
             this.EnableReadRequestsFallback = null;
-
             this.EnableClientTelemetry = ClientTelemetryOptions.IsClientTelemetryEnabled();
+            this.ServerCertificateCustomValidationCallback = null;
         }
 
         /// <summary>
@@ -294,6 +296,11 @@ public bool EnablePartitionLevelFailover
             get;
             set;
         }
+        public Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, Boolean> ServerCertificateCustomValidationCallback
+        {
+            get;
+            set;
+        }
 
         /// <summary>
         /// Gets or sets the flag to enable writes on any locations (regions) for geo-replicated database accounts in the Azure Cosmos DB service.

@@ -12,6 +12,8 @@ namespace Microsoft.Azure.Cosmos
     using System.Net;
     using System.Net.Http;
     using System.Net.Http.Headers;
+    using System.Net.Security;
+    using System.Security.Cryptography.X509Certificates;
     using Microsoft.Azure.Cosmos.Fluent;
     using Microsoft.Azure.Documents;
     using Microsoft.Azure.Documents.Client;
@@ -633,6 +635,21 @@ internal Protocol ConnectionProtocol
         /// </summary>
         internal Func<TransportClient, TransportClient> TransportClientHandlerFactory { get; set; }
 
+        /// <summary>
+        /// Certificate validation function
+        /// </summary>
+        public Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool> ServerCertificateCustomValidationCallback { get; set; }
+        internal RemoteCertificateValidationCallback SslCustomValidationCallBack
+        {
+            get
+            {
+                if (this.ServerCertificateCustomValidationCallback == null)
+                {
+                    return null;
+                }
+                return (obj, cert, chain, policy) => this.ServerCertificateCustomValidationCallback((HttpRequestMessage)obj, (X509Certificate2)cert, chain, policy);
+            }
+        }
         /// <summary>
         /// API type for the account
         /// </summary>
@@ -746,7 +763,8 @@ internal virtual ConnectionPolicy GetConnectionPolicy(int clientId)
                 EnablePartitionLevelFailover = this.EnablePartitionLevelFailover,
                 PortReuseMode = this.portReuseMode,
                 EnableTcpConnectionEndpointRediscovery = this.EnableTcpConnectionEndpointRediscovery,
-                HttpClientFactory = this.httpClientFactory
+                HttpClientFactory = this.httpClientFactory,
+                ServerCertificateCustomValidationCallback = this.ServerCertificateCustomValidationCallback
             };
 
             if (this.EnableClientTelemetry.HasValue)

@@ -12,6 +12,7 @@ namespace Microsoft.Azure.Cosmos
     using System.Linq;
     using System.Net;
     using System.Net.Http;
+    using System.Net.Security;
     using System.Security;
     using System.Text;
     using System.Threading;
@@ -163,6 +164,9 @@ internal partial class DocumentClient : IDisposable, IAuthorizationTokenProvider
         //Trace Id.
         private int traceId;
 
+        //RemoteCertificateValidationCallback
+        internal RemoteCertificateValidationCallback remoteCertificateValidationCallback;
+
         //SessionContainer.
         internal ISessionContainer sessionContainer;
 
@@ -421,6 +425,7 @@ internal DocumentClient(Uri serviceEndpoint,
         /// <param name="storeClientFactory">Factory that creates store clients sharing the same transport client to optimize network resource reuse across multiple document clients in the same process.</param>
         /// <param name="isLocalQuorumConsistency">Flag to allow Quorum Read with Eventual Consistency Account</param>
         /// <param name="cosmosClientId"></param>
+        /// <param name="remoteCertificateValidationCallback"></param>
         /// <remarks>
         /// The service endpoint can be obtained from the Azure Management Portal.
         /// If you are connecting using one of the Master Keys, these can be obtained along with the endpoint from the Azure Management Portal
@@ -446,7 +451,8 @@ internal DocumentClient(Uri serviceEndpoint,
                               Func<TransportClient, TransportClient> transportClientHandlerFactory = null,
                               IStoreClientFactory storeClientFactory = null,
                               bool isLocalQuorumConsistency = false,
-                              string cosmosClientId = null)
+                              string cosmosClientId = null,
+                              RemoteCertificateValidationCallback remoteCertificateValidationCallback = null)
         {
             if (sendingRequestEventArgs != null)
             {
@@ -478,7 +484,8 @@ internal DocumentClient(Uri serviceEndpoint,
                 sessionContainer: sessionContainer,
                 enableCpuMonitor: enableCpuMonitor,
                 storeClientFactory: storeClientFactory,
-                cosmosClientId: cosmosClientId);
+                cosmosClientId: cosmosClientId,
+                remoteCertificateValidationCallback: remoteCertificateValidationCallback);
         }
 
         /// <summary>
@@ -660,14 +667,16 @@ internal virtual void Initialize(Uri serviceEndpoint,
             bool? enableCpuMonitor = null,
             IStoreClientFactory storeClientFactory = null,
             TokenCredential tokenCredential = null,
-            string cosmosClientId = null)
+            string cosmosClientId = null,
+            RemoteCertificateValidationCallback remoteCertificateValidationCallback = null)
         {
             if (serviceEndpoint == null)
             {
                 throw new ArgumentNullException("serviceEndpoint");
             }
 
             this.clientId = cosmosClientId;
+            this.remoteCertificateValidationCallback = remoteCertificateValidationCallback;
 
             this.queryPartitionProvider = new AsyncLazy<QueryPartitionProvider>(async () =>
             {
@@ -6648,7 +6657,8 @@ private void InitializeDirectConnectivity(IStoreClientFactory storeClientFactory
                     retryWithConfiguration: this.ConnectionPolicy.RetryOptions?.GetRetryWithConfiguration(),
                     enableTcpConnectionEndpointRediscovery: this.ConnectionPolicy.EnableTcpConnectionEndpointRediscovery,
                     addressResolver: this.AddressResolver,
-                    rntbdMaxConcurrentOpeningConnectionCount: this.rntbdMaxConcurrentOpeningConnectionCount);
+                    rntbdMaxConcurrentOpeningConnectionCount: this.rntbdMaxConcurrentOpeningConnectionCount,
+                    remoteCertificateValidationCallback: this.remoteCertificateValidationCallback );
 
                 if (this.transportClientHandlerFactory != null)
                 {

@@ -10,6 +10,8 @@ namespace Microsoft.Azure.Cosmos
     using System.Net;
     using System.Net.Http;
     using System.Net.Http.Headers;
+    using System.Net.Security;
+    using System.Security.Cryptography.X509Certificates;
     using System.Threading;
     using System.Threading.Tasks;
     using Microsoft.Azure.Cosmos.Resource.CosmosExceptions;
@@ -73,7 +75,8 @@ public static CosmosHttpClient CreateWithConnectionPolicy(
             {
                 httpMessageHandler = CosmosHttpClientCore.CreateHttpClientHandler(
                         gatewayModeMaxConnectionLimit: connectionPolicy.MaxConnectionLimit,
-                        webProxy: null);
+                        webProxy: null,
+                        serverCertificateCustomValidationCallback: connectionPolicy.ServerCertificateCustomValidationCallback);
             }
 
             if (sendingRequestEventArgs != null ||
@@ -96,7 +99,7 @@ public static CosmosHttpClient CreateWithConnectionPolicy(
                 eventSource: eventSource);
         }
 
-        public static HttpMessageHandler CreateHttpClientHandler(int gatewayModeMaxConnectionLimit, IWebProxy webProxy)
+        public static HttpMessageHandler CreateHttpClientHandler(int gatewayModeMaxConnectionLimit, IWebProxy webProxy, Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool> serverCertificateCustomValidationCallback)
         {
             HttpClientHandler httpClientHandler = new HttpClientHandler();
 
@@ -110,6 +113,7 @@ public static HttpMessageHandler CreateHttpClientHandler(int gatewayModeMaxConne
             try
             {
                 httpClientHandler.MaxConnectionsPerServer = gatewayModeMaxConnectionLimit;
+                httpClientHandler.ServerCertificateCustomValidationCallback = serverCertificateCustomValidationCallback;
             }
             // MaxConnectionsPerServer is not supported on some platforms.
             catch (PlatformNotSupportedException)

@@ -65,7 +65,8 @@ internal static CosmosClientContext Create(
             clientOptions = ClientContextCore.CreateOrCloneClientOptions(clientOptions);
             HttpMessageHandler httpMessageHandler = CosmosHttpClientCore.CreateHttpClientHandler(
                 clientOptions.GatewayModeMaxConnectionLimit,
-                clientOptions.WebProxy);
+                clientOptions.WebProxy,
+                clientOptions.ServerCertificateCustomValidationCallback);
 
             DocumentClient documentClient = new DocumentClient(
                cosmosClient.Endpoint,
@@ -79,7 +80,8 @@ internal static CosmosClientContext Create(
                desiredConsistencyLevel: clientOptions.GetDocumentsConsistencyLevel(),
                handler: httpMessageHandler,
                sessionContainer: clientOptions.SessionContainer,
-               cosmosClientId: cosmosClient.Id);
+               cosmosClientId: cosmosClient.Id,
+               remoteCertificateValidationCallback: clientOptions.SslCustomValidationCallBack);
 
             return ClientContextCore.Create(
                 cosmosClient,

@@ -165,11 +165,6 @@
           "Attributes": [],
           "MethodInfo": "Microsoft.Azure.Cosmos.ChangeFeedMode AllVersionsAndDeletes;CanRead:True;CanWrite:False;Microsoft.Azure.Cosmos.ChangeFeedMode get_AllVersionsAndDeletes();IsAbstract:False;IsStatic:True;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;"
         },
-        "Microsoft.Azure.Cosmos.ChangeFeedMode LatestVersion": {
-          "Type": "Property",
-          "Attributes": [],
-          "MethodInfo": "Microsoft.Azure.Cosmos.ChangeFeedMode LatestVersion;CanRead:True;CanWrite:False;Microsoft.Azure.Cosmos.ChangeFeedMode get_LatestVersion();IsAbstract:False;IsStatic:True;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;"
-        },
         "Microsoft.Azure.Cosmos.ChangeFeedMode get_AllVersionsAndDeletes()": {
           "Type": "Method",
           "Attributes": [],
@@ -179,6 +174,11 @@
           "Type": "Method",
           "Attributes": [],
           "MethodInfo": "Microsoft.Azure.Cosmos.ChangeFeedMode get_LatestVersion();IsAbstract:False;IsStatic:True;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;"
+        },
+        "Microsoft.Azure.Cosmos.ChangeFeedMode LatestVersion": {
+          "Type": "Property",
+          "Attributes": [],
+          "MethodInfo": "Microsoft.Azure.Cosmos.ChangeFeedMode LatestVersion;CanRead:True;CanWrite:False;Microsoft.Azure.Cosmos.ChangeFeedMode get_LatestVersion();IsAbstract:False;IsStatic:True;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;"
         }
       },
       "NestedTypes": {}

@@ -2764,6 +2764,18 @@
           ],
           "MethodInfo": "System.Func`1[System.Net.Http.HttpClient] HttpClientFactory;CanRead:True;CanWrite:True;System.Func`1[System.Net.Http.HttpClient] get_HttpClientFactory();IsAbstract:False;IsStatic:False;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;Void set_HttpClientFactory(System.Func`1[System.Net.Http.HttpClient]);IsAbstract:False;IsStatic:False;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;"
         },
+        "System.Func`5[System.Net.Http.HttpRequestMessage,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.X509Certificates.X509Chain,System.Net.Security.SslPolicyErrors,System.Boolean] get_ServerCertificateCustomValidationCallback()[System.Runtime.CompilerServices.CompilerGeneratedAttribute()]": {
+          "Type": "Method",
+          "Attributes": [
+            "CompilerGeneratedAttribute"
+          ],
+          "MethodInfo": "System.Func`5[System.Net.Http.HttpRequestMessage,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.X509Certificates.X509Chain,System.Net.Security.SslPolicyErrors,System.Boolean] get_ServerCertificateCustomValidationCallback();IsAbstract:False;IsStatic:False;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;"
+        },
+        "System.Func`5[System.Net.Http.HttpRequestMessage,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.X509Certificates.X509Chain,System.Net.Security.SslPolicyErrors,System.Boolean] ServerCertificateCustomValidationCallback": {
+          "Type": "Property",
+          "Attributes": [],
+          "MethodInfo": "System.Func`5[System.Net.Http.HttpRequestMessage,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.X509Certificates.X509Chain,System.Net.Security.SslPolicyErrors,System.Boolean] ServerCertificateCustomValidationCallback;CanRead:True;CanWrite:True;System.Func`5[System.Net.Http.HttpRequestMessage,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.X509Certificates.X509Chain,System.Net.Security.SslPolicyErrors,System.Boolean] get_ServerCertificateCustomValidationCallback();IsAbstract:False;IsStatic:False;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;Void set_ServerCertificateCustomValidationCallback(System.Func`5[System.Net.Http.HttpRequestMessage,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.X509Certificates.X509Chain,System.Net.Security.SslPolicyErrors,System.Boolean]);IsAbstract:False;IsStatic:False;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;"
+        },
         "System.Net.IWebProxy get_WebProxy()": {
           "Type": "Method",
           "Attributes": [],
@@ -3050,6 +3062,13 @@
           "Attributes": [],
           "MethodInfo": "Void set_SerializerOptions(Microsoft.Azure.Cosmos.CosmosSerializationOptions);IsAbstract:False;IsStatic:False;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;"
         },
+        "Void set_ServerCertificateCustomValidationCallback(System.Func`5[System.Net.Http.HttpRequestMessage,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.X509Certificates.X509Chain,System.Net.Security.SslPolicyErrors,System.Boolean])[System.Runtime.CompilerServices.CompilerGeneratedAttribute()]": {
+          "Type": "Method",
+          "Attributes": [
+            "CompilerGeneratedAttribute"
+          ],
+          "MethodInfo": "Void set_ServerCertificateCustomValidationCallback(System.Func`5[System.Net.Http.HttpRequestMessage,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.X509Certificates.X509Chain,System.Net.Security.SslPolicyErrors,System.Boolean]);IsAbstract:False;IsStatic:False;IsVirtual:False;IsGenericMethod:False;IsConstructor:False;IsFinal:False;"
+        },
         "Void set_TokenCredentialBackgroundRefreshInterval(System.Nullable`1[System.TimeSpan])[System.Runtime.CompilerServices.CompilerGeneratedAttribute()]": {
           "Type": "Method",
           "Attributes": [