feat(remote): add support for custom certificate validation callbacks #686
Merged: Aaronontheweb merged 5 commits into akkadotnet:dev from Aaronontheweb:feature/ssl-custom-validator, Oct 26, 2025
… from Akka.NET v1.5.55

- Updated Akka.NET from v1.5.53 to v1.5.55 to access new SSL/TLS features
- Added CustomValidator property to SslOptions to support CertificateValidationCallback
- Updated RemoteOptions.Build to use appropriate DotNettySslSetup constructor based on settings:
  - 5-parameter constructor when CustomValidator is provided (v1.5.55+)
  - 4-parameter constructor when RequireMutualAuthentication or ValidateCertificateHostname is set
  - 2-parameter constructor for legacy scenarios (backward compatibility)
- Added comprehensive test coverage for CustomValidator configuration
- Updated API approval tests to reflect new public API surface

This enhancement allows users to implement custom certificate validation logic such as:

- Certificate pinning
- Subject/issuer matching
- Business-specific validation rules
- Advanced mTLS scenarios

The implementation maintains full backward compatibility while providing access to the powerful new CertificateValidation features introduced in Akka.NET v1.5.55.
Aaronontheweb commented Oct 26, 2025
LGTM
Fixed bug where both HOCON SSL configuration and DotNettySslSetup were being emitted simultaneously. DotNettySslSetup ALWAYS takes precedence when present, making HOCON SSL settings ineffective and potentially confusing.

Changes:
- Modified RemoteOptions.Build to only emit HOCON SSL config when X509Certificate is null
- Added comprehensive comments explaining SSL configuration strategy with link to Akka.NET issue #7914
- Updated tests to use CertificateOptions instead of X509Certificate when testing HOCON SSL configuration
- Both WithRemotingNewSslSettingsHoconTest and WithRemotingConfiguratorNewSslSettingsTest now properly test HOCON config

This ensures users understand that:
1. X509Certificate object → DotNettySslSetup (programmatic, takes precedence)
2. X509Certificate null + SSL settings → HOCON configuration only

Related to: akkadotnet/akka.net#7914
Added detailed SSL/TLS configuration documentation to Akka.Remote.Hosting README including:
- Basic SSL configuration with certificate file (HOCON-based)
- SSL configuration with X509Certificate2 object (programmatic)
- Advanced custom certificate validation example (certificate pinning)
- Examples using all CertificateValidation helper methods from Akka.NET v1.5.55:
  * ValidateChain() - Standard chain validation
  * ValidateHostname() - Hostname validation
  * PinnedCertificate() - Certificate pinning
  * ValidateSubject() - Subject pattern matching
  * ValidateIssuer() - Issuer validation
  * Combine() - Combining multiple validators
- Complete SSL configuration options reference
- Important note about DotNettySslSetup vs HOCON precedence

This helps users understand how to use the new CustomValidator feature for enhanced security scenarios.
Aaronontheweb added a commit that referenced this pull request Oct 26, 2025
Added documentation for PR #686 which integrates custom certificate validation callbacks from Akka.NET v1.5.55.
Aaronontheweb added a commit that referenced this pull request Oct 26, 2025
* Prepare for 1.5.55 stable release
  - Updated RELEASE_NOTES.md with stable release entry
  - Updated version metadata from 1.5.55-beta1 to 1.5.55
* Add SSL custom certificate validation to 1.5.55 release notes
  Added documentation for PR #686 which integrates custom certificate validation callbacks from Akka.NET v1.5.55.
This was referenced Oct 27, 2025
This was referenced Oct 28, 2025
Summary
This PR integrates the new CertificateValidationCallback feature from Akka.NET v1.5.55 into Akka.Remote.Hosting, allowing users to provide custom certificate validation logic for SSL/TLS connections.
Changes
- CustomValidator property to SslOptions - Allows users to provide a CertificateValidationCallback delegate
- RemoteOptions.Build method - Now intelligently selects the appropriate DotNettySslSetup constructor:
  - CustomValidator is provided (v1.5.55+)
  - RequireMutualAuthentication or ValidateCertificateHostname is set
Key Features
This enhancement enables advanced SSL/TLS scenarios including:
Example Usage
Backward Compatibility
✅ 100% backward compatible - All existing code continues to work unchanged. The new CustomValidator property is optional and the implementation maintains the existing constructor selection logic when it's not provided.
Testing
Notes
- DotNettySslSetup configuration now correctly takes precedence over HOCON defaults, ensuring our settings are effective
- DotNettySslSetup for SSL configuration when a certificate object is provided, which guarantees the settings are applied
Resolves the need to support custom certificate validation scenarios as introduced in Akka.NET v1.5.55.
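The validator kinds this PR names (chain check, certificate pinning, subject matching, combination) are shown below in an added example that is not code from the PR or from Akka.NET. The `PeerValidator` delegate, the `PeerValidators` helpers and the certificate name are hypothetical stand-ins built on .NET 5+ base-library types only; Akka.NET's `CertificateValidationCallback` and `CertificateValidation` helpers may have different signatures.

```csharp
#nullable enable
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical delegate for this example; not Akka.NET's CertificateValidationCallback.
public delegate bool PeerValidator(X509Certificate2? cert, X509Chain? chain, SslPolicyErrors errors);
public static class PeerValidators
{
    // Passes only when the TLS stack reported no chain or name errors.
    public static PeerValidator Chain() => (cert, chain, errors) => cert != null && errors == SslPolicyErrors.None;
    // Passes only when the SHA-256 of the DER-encoded certificate is on the allow-list.
    public static PeerValidator Pinned(params string[] sha256Hex)
    {
        var pins = sha256Hex.Select(h => Convert.FromHexString(h)).ToArray();
        return (cert, chain, errors) =>
        {
            if (cert == null) return false;
            var actual = SHA256.HashData(cert.RawData);
            return pins.Any(pin => CryptographicOperations.FixedTimeEquals(pin, actual));
        };
    }
    // Passes only on an exact, case-insensitive match of the subject common name.
    public static PeerValidator SubjectCn(string expected) =>
        (cert, chain, errors) => cert != null && string.Equals(
            cert.GetNameInfo(X509NameType.SimpleName, false), expected, StringComparison.OrdinalIgnoreCase);
    // Every validator must pass; an empty list fails closed.
    public static PeerValidator Combine(params PeerValidator[] all) =>
        (cert, chain, errors) => all.Length > 0 && all.All(v => v(cert, chain, errors));
}

public static class Demo
{
    public static void Main()
    {
        // Constructed input: a throwaway self-signed certificate and its own pin.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=node1.example.internal", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        var pinOnly = PeerValidators.Pinned(Convert.ToHexString(SHA256.HashData(cert.RawData)));
        var strict = PeerValidators.Combine(PeerValidators.Chain(), pinOnly, PeerValidators.SubjectCn("node1.example.internal"));
        var untrusted = SslPolicyErrors.RemoteCertificateChainErrors;
        Console.WriteLine($"pin only, untrusted chain: {pinOnly(cert, null, untrusted)}");
        Console.WriteLine($"combined, untrusted chain: {strict(cert, null, untrusted)}");
        Console.WriteLine($"combined, clean handshake: {strict(cert, null, SslPolicyErrors.None)}");
    }
}
```

A pin check on its own accepts a matching peer even when the TLS stack reported chain errors, while the combined validator also requires a clean chain and the expected subject. Decide deliberately whether a custom validator replaces or supplements chain validation.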