Add option to HttpClientHandler to validate certificates against custom root certificate authorities

[rolftimmermans]

To validate a server certificate against a set of root certificates (instead of the system certificates), we are now limited to using ServerCertificateCustomValidationCallback. Unfortunately this callback does not work on all systems due to incompatibilities described in #17723, and it seems there are some blockers to fixing them on some platforms.

It may be easier for users to just be able to provide a file path to a set of root certificates (encoded as PEM), or have another API to provide custom root certificates to use for validation instead of the system root certificates.

One idea suggested in https://github.com/dotnet/corefx/issues/9728#issuecomment-297201090 is:

httpHandler.ServerCertificateRootCaFile = "/.../ca.pem";

Another option would be to provide custom instances of X509Certificate2.

[karelz]

Can you please summarize the API shape? (see API review - esp. sample)

[karelz]

Also more comments on scenarios, how common they are and workarounds ... - see https://github.com/dotnet/corefx/issues/9728#issuecomment-297118858

[rolftimmermans]

Some suggestions:

Option 1: Provide the path to a PEM-encoded certificate bundle (example file: https://curl.haxx.se/ca/cacert-2017-01-18.pem)

var handler = new HttpClientHandler();

/* Do not validate against system roots.
   If true (default), use both system & custom roots. */
handler.UseSystemRootCertificates = false; 

/* Validate against certificates in provided bundle. */
handler.CustomRootCertificateBundlePath = "ca.pem"; 

Option 2: Allow adding to a list of X509Certificate2 root certificates.

var handler = new HttpClientHandler();
var myCaCert = new X509Certificate2(certBuffer);

/* Do not validate against system roots.
   If true (default), use both system & custom roots. */
handler.UseSystemRootCertificates = false; 

/* Validate against certificates in IList (or something similar). */
handler.CustomRootCertificates.Add(myCaCert) 

[davidsh]

To validate a server certificate against a set of root certificates (instead of the system certificates), we are now limited to using ServerCertificateCustomValidationCallback. Unfortunately this callback does not work on all systems due to incompatibilities described in #17723, and it seems there are some blockers to fixing them on some platforms.

From an API perspective, the ServerCertificateCustomValidationCallback is all you need. It allows for complete custom validation using whatever criteria you want.

The problem being described is an implementation issue with how it works...it is not a problem with the API design itself. Adding another API as suggested above is trying to solve an implementation problem, not an API design problem.

cc: @terrajobst

[karelz]

.NET Core 2.1 ships by default with SocketsHttpHandler which enables ServerCertificateCustomValidationCallback on all platforms. We should not need a new API to work around the platform limitations anymore.