Add RemoteCertificateValidationCallback.

Signed-off-by: Bradley Grainger <bgrainger@gmail.com>

Author: bgrainger

docs/content/api/MySqlConnector/MySqlConnection/RemoteCertificateValidationCallback.md

@@ -130,7 +130,10 @@ These are the options that need to be used in order to configure a connection to
   <tr id="SslCa">
     <td>SSL CA, CA Certificate File, CACertificateFile, SslCa, Ssl-Ca</td>
     <td></td>
-    <td>The path to a CA certificate file in a PEM Encoded (.pem) format. This should be used with <code>SslMode=VerifyCA</code> or <code>SslMode=VerifyFull</code> to enable verification of a CA certificate that is not trusted by the operating system’s certificate store.</td>
+    <td>
+      <p>The path to a CA certificate file in a PEM Encoded (.pem) format. This should be used with <code>SslMode=VerifyCA</code> or <code>SslMode=VerifyFull</code> to enable verification of a CA certificate that is not trusted by the operating system’s certificate store.</p>
+      <p>To provide a custom callback to validate the remote certificate, leave this option empty and set <code>SslMode</code> to <code>Required</code> (or <code>Preferred</code>), then set <a href="/api/mysqlconnector/mysqlconnection/remotecertificatevalidationcallback/"><code>MySqlConnection.RemoteCertificateValidationCallback</code></a> before calling <a href="/api/mysqlconnector/mysqlconnection/open/"><code>MySqlConnection.Open</code></a>. The property should be set to a delegate that will validate the remote certificate, as per <a href="https://docs.microsoft.com/en-us/dotnet/api/system.net.security.remotecertificatevalidationcallback" title="RemoteCertificateValidationCallback Delegate (MSDN)">the documentation</a>.</p>
+    </td>
   </tr>
   <tr id="CertificateStoreLocation">
     <td>Certificate Store Location, CertificateStoreLocation</td>

docs/content/api/MySqlConnector/MySqlConnectionType.md

@@ -1369,8 +1369,28 @@ caCertificateChain is not null &&
 			return rcbPolicyErrors == SslPolicyErrors.None;
 		}
 
-		var sslStream = clientCertificates is null ? new SslStream(m_stream!, false, ValidateRemoteCertificate) :
-			new SslStream(m_stream!, false, ValidateRemoteCertificate, ValidateLocalCertificate);
+		// use the client's callback (if any) for Preferred or Required mode
+		RemoteCertificateValidationCallback validateRemoteCertificate = ValidateRemoteCertificate;
+		if (connection.RemoteCertificateValidationCallback is not null)
+		{
+			if (caCertificateChain is not null)
+			{
+				Log.Warn("Session{0} not using client-provided RemoteCertificateValidationCallback because SslCA is specified", m_logArguments);
+			}
+			else if (cs.SslMode is not MySqlSslMode.Preferred and not MySqlSslMode.Required)
+			{
+				m_logArguments[1] = cs.SslMode;
+				Log.Warn("Session{0} not using client-provided RemoteCertificateValidationCallback because SslMode is {1}", m_logArguments);
+			}
+			else
+			{
+				Log.Debug("Session{0} using client-provided RemoteCertificateValidationCallback", m_logArguments);
+				validateRemoteCertificate = connection.RemoteCertificateValidationCallback;
+			}
+		}
+
+		var sslStream = clientCertificates is null ? new SslStream(m_stream!, false, validateRemoteCertificate) :
+			new SslStream(m_stream!, false, validateRemoteCertificate, ValidateLocalCertificate);
 
 		var checkCertificateRevocation = cs.SslMode == MySqlSslMode.VerifyFull;
 

docs/content/connection-options.md

@@ -1,6 +1,7 @@
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
+using System.Net.Security;
 using System.Net.Sockets;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
@@ -522,6 +523,14 @@ public override string ConnectionString
 	/// </remarks>
 	public Func<MySqlProvidePasswordContext, string>? ProvidePasswordCallback { get; set;}
 
+	/// <summary>
+	/// Gets or sets the delegate used to verify that the server's certificate is valid.
+	/// </summary>
+	/// <remarks><see cref="MySqlConnectionStringBuilder.SslMode"/> must be set to <see cref="MySqlSslMode.Preferred"/>
+	/// or <see cref="MySqlSslMode.Required"/> in order for this delegate to be invoked. See the documentation for
+	/// <see cref="RemoteCertificateValidationCallback"/> for more information on the values passed to this delegate.</remarks>
+	public RemoteCertificateValidationCallback? RemoteCertificateValidationCallback { get; set; }
+
 	/// <summary>
 	/// Clears the connection pool that <paramref name="connection"/> belongs to.
 	/// </summary>

src/MySqlConnector/Core/ServerSession.cs

@@ -192,6 +192,27 @@ public async Task ConnectSslBadCaCertificate()
 		await Assert.ThrowsAsync<MySqlException>(async () => await connection.OpenAsync());
 	}
 
+#if !BASELINE
+	[SkippableTheory(ServerFeatures.KnownCertificateAuthority, ConfigSettings.RequiresSsl)]
+	[InlineData(MySqlSslMode.VerifyCA, false, false)]
+	[InlineData(MySqlSslMode.Required, false, false)]
+	[InlineData(MySqlSslMode.Required, true, true)]
+	public async Task ConnectSslRemoteCertificateValidationCallback(MySqlSslMode sslMode, bool clearCA, bool expectedSuccess)
+	{
+		var csb = AppConfig.CreateConnectionStringBuilder();
+		csb.CertificateFile = Path.Combine(AppConfig.CertsPath, "ssl-client.pfx");
+		csb.SslMode = sslMode;
+		csb.SslCa = clearCA ? Path.Combine(AppConfig.CertsPath, "non-ca-client-cert.pem") : "";
+		using var connection = new MySqlConnection(csb.ConnectionString);
+		connection.RemoteCertificateValidationCallback = (s, c, h, e) => true;
+
+		if (expectedSuccess)
+			await connection.OpenAsync();
+		else
+			await Assert.ThrowsAsync<MySqlException>(async () => await connection.OpenAsync());
+	}
+#endif
+
 	[SkippableFact(ConfigSettings.RequiresSsl)]
 	public async Task ConnectSslTlsVersion()
 	{