OSX Https certificate callbacks don't work

[mconnew]

There was a change in .Net Core 2.0 for HttpClient on OSX which disabled using certificate validation callbacks. As WCF always sets a callback, all https requests will fail on OSX. We can add some workarounds to WCF to enable some scenarios. For OSX only, we need to have the following behaviors for each of the possible X509CertificateValidationMode values:

X509CertificateValidationMode	Behavior
None	Use the special callback handler HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
PeerTrust	Throw PlatformNotSupportedException. I think we already do for other reasons
ChainTrust	Set no callback as the default behavior is chain trust
PeerOrChainTrust	Throw PlatformNotSupportedException. I think we already do for other reasons
Custom	Throw PlatformNotSupportedException

[atanasa]

Is there some workaround for OSX and .Net Core 2.0? This sounds like WCF would not work on OSX at all.

[mconnew]

@atanasa, if you leave ClientCredentials.ServiceCertificate.SslCertificateAuthentication as the default null value, then WCF won't attempt to install a custom certificate validation callback. Your service certificate will then be validated using the default chain validation that the OS performs.
If you need custom certificate validation, then you can install a version of libcurl on your machine which is compiled/configured to use OpenSsl (which you might also need to install). Then I believe HttpClient will allow usage of a certificate validation callback. There should hopefully be better news for the next release as a fully managed implementation of HttpClient should be ready which won't have this limitation.

[mconnew]

The new SocketsHttpHandler should address this. Unfortunately our tests are currently failing due to an infrastructure issue so leaving open until we can have passing tests after the infrastructure issue is resolved.