Remove default remote certificate callback

e2e/Tests/provisioning/ProvisioningE2ETests.cs

@@ -901,14 +901,7 @@ public static ProvisioningClientOptions CreateProvisioningClientOptionsFromName(
 
                 IotHubClientMqttSettings => transportSettings.Protocol == IotHubClientTransportProtocol.Tcp
                     ? new ProvisioningClientOptions(new ProvisioningClientMqttSettings(ProvisioningClientTransportProtocol.Tcp))
-                    : new ProvisioningClientOptions(new ProvisioningClientMqttSettings(ProvisioningClientTransportProtocol.WebSocket)
-                    {
-#if NET472
-                        // MQTTNET doesn't support setting this callback on older .NET framework versions
-                        // https://github.com/dotnet/MQTTnet/blob/99f4f46062611cd08e18b82515962b69e8c619e4/Source/MQTTnet/Implementations/MqttWebSocketChannel.cs#L222
-                        RemoteCertificateValidationCallback = null,
-#endif
-                    }),
+                    : new ProvisioningClientOptions(new ProvisioningClientMqttSettings(ProvisioningClientTransportProtocol.WebSocket)),
 
                 _ => throw new NotSupportedException($"Unknown transport: '{transportSettings}'.")
             };

iothub/service/src/Http/HttpClientFactory.cs

@@ -61,13 +61,17 @@ internal static HttpClient Create(string hostName, IotHubServiceClientOptions op
             {
                 SslProtocols = options.SslProtocols,
                 CheckCertificateRevocationList = options.CertificateRevocationCheck,
-                ServerCertificateCustomValidationCallback = (httpRequest, certificate, chain, policyErrors) =>
-                {
-                    return options.RemoteCertificateValidationCallback.Invoke(httpRequest, certificate, chain, policyErrors);
-                },
             };
 #pragma warning restore CA2000 // Dispose objects before losing scope
 
+            if (options.RemoteCertificateValidationCallback != null)
+            {
+                httpMessageHandler.ServerCertificateCustomValidationCallback = (httpRequest, certificate, chain, policyErrors) =>
+                {
+                    return options.RemoteCertificateValidationCallback.Invoke(httpRequest, certificate, chain, policyErrors);
+                };
+            }
+
             if (options.Proxy != null)
             {
                 httpMessageHandler.UseProxy = true;

iothub/service/src/IotHubServiceClientOptions.cs

@@ -114,7 +114,7 @@ public sealed class IotHubServiceClientOptions
         /// does not support this feature.
         /// </para>
         /// </remarks>
-        public RemoteCertificateValidationCallback RemoteCertificateValidationCallback { get; set; } = DefaultRemoteCertificateValidation;
+        public RemoteCertificateValidationCallback RemoteCertificateValidationCallback { get; set; }
 
         /// <summary>
         /// Sets the retry policy used in the operation retries.
@@ -126,17 +126,6 @@ public sealed class IotHubServiceClientOptions
         /// </remarks>
         public IIotHubServiceRetryPolicy RetryPolicy { get; set; } = new IotHubServiceExponentialBackoffRetryPolicy(0, TimeSpan.FromHours(12), true);
 
-        // The default remote certificate validation callback. It returns false if any SSL level exceptions occurred
-        // during the handshake.
-        private static bool DefaultRemoteCertificateValidation(
-            object sender,
-            X509Certificate certificate,
-            X509Chain chain,
-            SslPolicyErrors sslPolicyErrors)
-        {
-            return sslPolicyErrors == SslPolicyErrors.None;
-        }
-
         internal IotHubServiceClientOptions Clone()
         {
             return new IotHubServiceClientOptions

provisioning/device/src/TransportSettings/ProvisioningClientTransportSettings.cs

@@ -88,18 +88,7 @@ public abstract class ProvisioningClientTransportSettings
         /// </para>
         /// </remarks>
         /// <seealso href="https://learn.microsoft.com/dotnet/api/system.net.websockets.clientwebsocketoptions.remotecertificatevalidationcallback"/>
-        public RemoteCertificateValidationCallback RemoteCertificateValidationCallback { get; set; } = DefaultRemoteCertificateValidation;
-
-        // The default remote certificate validation callback. It returns false if any SSL level exceptions occurred
-        // during the handshake.
-        internal static bool DefaultRemoteCertificateValidation(
-            object sender,
-            X509Certificate certificate,
-            X509Chain chain,
-            SslPolicyErrors sslPolicyErrors)
-        {
-            return sslPolicyErrors == SslPolicyErrors.None;
-        }
+        public RemoteCertificateValidationCallback RemoteCertificateValidationCallback { get; set; }
 
         /// <inheritdoc/>
         [EditorBrowsable(EditorBrowsableState.Never)]

provisioning/device/tests/amqp/ProvisioningClientAmqpSettingsTests.cs

@@ -45,19 +45,5 @@ public void ProvisioningClientAmqpSettings_Clone()
             amqpSettings.CertificateRevocationCheck = false;
             amqpSettings.Should().NotBeEquivalentTo(clone);
         }
-
-        [TestMethod]
-        [DataRow(SslPolicyErrors.None)]
-        [DataRow(SslPolicyErrors.RemoteCertificateNotAvailable)]
-        [DataRow(SslPolicyErrors.RemoteCertificateNameMismatch)]
-        [DataRow(SslPolicyErrors.RemoteCertificateChainErrors)]
-        public void DefaultRemoteCertificateValidation_DifferentSslPolicyErrors(SslPolicyErrors sslPolicyErrors)
-        {
-            // arrange - act
-            var validation = ProvisioningClientTransportSettings.DefaultRemoteCertificateValidation("sender", null, null, sslPolicyErrors);
-
-            // assert
-            validation.Should().Be(sslPolicyErrors == SslPolicyErrors.None);
-        }
     }
 }

provisioning/device/tests/mqtt/ProvisioningClientMqttSettingsTests.cs

@@ -48,19 +48,5 @@ public void ProvisioningClientMqttSettings_Clone()
             mqttSettings.CertificateRevocationCheck = false;
             mqttSettings.Should().NotBeEquivalentTo(clone);
         }
-
-        [TestMethod]
-        [DataRow(SslPolicyErrors.None)]
-        [DataRow(SslPolicyErrors.RemoteCertificateNotAvailable)]
-        [DataRow(SslPolicyErrors.RemoteCertificateNameMismatch)]
-        [DataRow(SslPolicyErrors.RemoteCertificateChainErrors)]
-        public void DefaultRemoteCertificateValidation_DifferentSslPolicyErrors(SslPolicyErrors sslPolicyErrors)
-        {
-            // arrange - act
-            var validation = ProvisioningClientTransportSettings.DefaultRemoteCertificateValidation("sender", null, null, sslPolicyErrors);
-
-            // assert
-            validation.Should().Be(sslPolicyErrors == SslPolicyErrors.None);
-        }
     }
 }