npgsql
diff --git a/‎src/Npgsql/Internal/NpgsqlConnector.cs‎
Lines changed: 72 additions & 34 deletions b/‎src/Npgsql/Internal/NpgsqlConnector.cs‎
Lines changed: 72 additions & 34 deletions
diff --git a/‎src/Npgsql/Internal/TransportSecurityHandler.cs‎
Lines changed: 4 additions & 3 deletions b/‎src/Npgsql/Internal/TransportSecurityHandler.cs‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎src/Npgsql/NpgsqlConnection.cs‎
Lines changed: 17 additions & 7 deletions b/‎src/Npgsql/NpgsqlConnection.cs‎
Lines changed: 17 additions & 7 deletions
diff --git a/‎src/Npgsql/NpgsqlDataSource.cs‎
Lines changed: 3 additions & 4 deletions b/‎src/Npgsql/NpgsqlDataSource.cs‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎src/Npgsql/NpgsqlDataSourceBuilder.cs‎
Lines changed: 20 additions & 0 deletions b/‎src/Npgsql/NpgsqlDataSourceBuilder.cs‎
Lines changed: 20 additions & 0 deletions
@@ -55,8 +55,8 @@ public sealed partial class NpgsqlConnector
     /// </summary>
     public NpgsqlConnectionStringBuilder Settings { get; }
 
-    Action<X509CertificateCollection>? ClientCertificatesCallback { get; }
-    RemoteCertificateValidationCallback? UserCertificateValidationCallback { get; }
+    Action<SslClientAuthenticationOptions>? SslClientAuthenticationOptionsCallback { get; }
+
 #pragma warning disable CS0618 // ProvidePasswordCallback is obsolete
     ProvidePasswordCallback? ProvidePasswordCallback { get; }
 #pragma warning restore CS0618
@@ -282,7 +282,11 @@ internal bool PostgresCancellationPerformed
     internal bool AttemptPostgresCancellation { get; private set; }
     static readonly TimeSpan _cancelImmediatelyTimeout = TimeSpan.FromMilliseconds(-1);
 
+#pragma warning disable CA1859
+    // We're casting to IDisposable to not explicitly reference X509Certificate2 for NativeAOT
+    // TODO: probably pointless now, needs to be rechecked
     IDisposable? _certificate;
+#pragma warning restore CA1859
 
     internal NpgsqlLoggingConfiguration LoggingConfiguration { get; }
 
@@ -337,21 +341,42 @@ internal bool PostgresCancellationPerformed
     internal NpgsqlConnector(NpgsqlDataSource dataSource, NpgsqlConnection conn)
         : this(dataSource)
     {
-        if (conn.ProvideClientCertificatesCallback is not null)
-            ClientCertificatesCallback = certs => conn.ProvideClientCertificatesCallback(certs);
-        if (conn.UserCertificateValidationCallback is not null)
-            UserCertificateValidationCallback = conn.UserCertificateValidationCallback;
-
+        var sslClientAuthenticationOptionsCallback = conn.SslClientAuthenticationOptionsCallback;
 #pragma warning disable CS0618 // Obsolete
+        var provideClientCertificatesCallback = conn.ProvideClientCertificatesCallback;
+        var userCertificateValidationCallback = conn.UserCertificateValidationCallback;
+        if (provideClientCertificatesCallback is not null ||
+            userCertificateValidationCallback is not null)
+        {
+            if (sslClientAuthenticationOptionsCallback is not null)
+                throw new NotSupportedException(NpgsqlStrings.SslClientAuthenticationOptionsCallbackWithOtherCallbacksNotSupported);
+
+            sslClientAuthenticationOptionsCallback = options =>
+            {
+                if (provideClientCertificatesCallback is not null)
+                {
+                    options.ClientCertificates ??= new X509Certificate2Collection();
+                    provideClientCertificatesCallback.Invoke(options.ClientCertificates);
+                }
+
+                if (userCertificateValidationCallback is not null)
+                {
+                    options.RemoteCertificateValidationCallback = userCertificateValidationCallback;
+                }
+            };
+        }
+
+        if (sslClientAuthenticationOptionsCallback is not null)
+            SslClientAuthenticationOptionsCallback = sslClientAuthenticationOptionsCallback;
+
         ProvidePasswordCallback = conn.ProvidePasswordCallback;
 #pragma warning restore CS0618
     }
 
     NpgsqlConnector(NpgsqlConnector connector)
         : this(connector.DataSource)
     {
-        ClientCertificatesCallback = connector.ClientCertificatesCallback;
-        UserCertificateValidationCallback = connector.UserCertificateValidationCallback;
+        SslClientAuthenticationOptionsCallback = connector.SslClientAuthenticationOptionsCallback;
         ProvidePasswordCallback = connector.ProvidePasswordCallback;
     }
 
@@ -367,8 +392,7 @@ internal NpgsqlConnector(NpgsqlDataSource dataSource, NpgsqlConnection conn)
         TransactionLogger = LoggingConfiguration.TransactionLogger;
         CopyLogger = LoggingConfiguration.CopyLogger;
 
-        ClientCertificatesCallback = dataSource.ClientCertificatesCallback;
-        UserCertificateValidationCallback = dataSource.UserCertificateValidationCallback;
+        SslClientAuthenticationOptionsCallback = dataSource.SslClientAuthenticationOptionsCallback;
 
 #if NET7_0_OR_GREATER
         NegotiateOptionsCallback = dataSource.Configuration.NegotiateOptionsCallback;
@@ -777,7 +801,7 @@ async Task RawOpen(SslMode sslMode, NpgsqlTimeout timeout, bool async, Cancellat
                         throw new NpgsqlException("SSL connection requested. No SSL enabled connection from this host is configured.");
                     break;
                 case 'S':
-                    await DataSource.TransportSecurityHandler.NegotiateEncryption(async, this, sslMode, timeout).ConfigureAwait(false);
+                    await DataSource.TransportSecurityHandler.NegotiateEncryption(async, this, sslMode, timeout, cancellationToken).ConfigureAwait(false);
                     break;
                 }
 
@@ -802,7 +826,7 @@ async Task RawOpen(SslMode sslMode, NpgsqlTimeout timeout, bool async, Cancellat
         }
     }
 
-    internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout, bool async)
+    internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout, bool async, CancellationToken cancellationToken)
     {
         var clientCertificates = new X509Certificate2Collection();
         var certPath = Settings.SslCertificate ?? PostgresEnvironment.SslCert ?? PostgresEnvironment.SslCertDefault;
@@ -812,7 +836,7 @@ internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout,
             var password = Settings.SslPassword;
 
             X509Certificate2? cert = null;
-            if (Path.GetExtension(certPath).ToUpperInvariant() != ".PFX")
+            if (!string.Equals(Path.GetExtension(certPath), ".pfx", StringComparison.OrdinalIgnoreCase))
             {
                 // It's PEM time
                 var keyPath = Settings.SslKey ?? PostgresEnvironment.SslKey ?? PostgresEnvironment.SslKeyDefault;
@@ -836,28 +860,13 @@ internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout,
 
         try
         {
-            ClientCertificatesCallback?.Invoke(clientCertificates);
-
             var checkCertificateRevocation = Settings.CheckCertificateRevocation;
 
             RemoteCertificateValidationCallback? certificateValidationCallback;
             X509Certificate2? caCert;
             string? certRootPath = null;
 
-            if (UserCertificateValidationCallback is not null)
-            {
-                if (sslMode is SslMode.VerifyCA or SslMode.VerifyFull)
-                    throw new ArgumentException(string.Format(NpgsqlStrings.CannotUseSslVerifyWithUserCallback, sslMode));
-
-                if (Settings.RootCertificate is not null)
-                    throw new ArgumentException(NpgsqlStrings.CannotUseSslRootCertificateWithUserCallback);
-
-                if (DataSource.TransportSecurityHandler.RootCertificateCallback is not null)
-                    throw new ArgumentException(NpgsqlStrings.CannotUseValidationRootCertificateCallbackWithUserCallback);
-
-                certificateValidationCallback = UserCertificateValidationCallback;
-            }
-            else if (sslMode is SslMode.Prefer or SslMode.Require)
+            if (sslMode is SslMode.Prefer or SslMode.Require)
             {
                 certificateValidationCallback = SslTrustServerValidation;
                 checkCertificateRevocation = false;
@@ -892,19 +901,48 @@ internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout,
 
             timeout.CheckAndApply(this);
 
-            try
+            var sslStream = new SslStream(_stream, leaveInnerStreamOpen: false);
+
+            var sslStreamOptions = new SslClientAuthenticationOptions
+            {
+                TargetHost = host,
+                ClientCertificates = clientCertificates,
+                EnabledSslProtocols = SslProtocols.None,
+                CertificateRevocationCheckMode = checkCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.Offline,
+                RemoteCertificateValidationCallback = certificateValidationCallback
+            };
+
+            if (SslClientAuthenticationOptionsCallback is not null)
             {
-                var sslStream = new SslStream(_stream, leaveInnerStreamOpen: false, certificateValidationCallback);
+                SslClientAuthenticationOptionsCallback.Invoke(sslStreamOptions);
 
+                // User changed remote certificate validation callback
+                // Check whether the change doesn't lead to unexpected behavior
+                if (sslStreamOptions.RemoteCertificateValidationCallback != certificateValidationCallback)
+                {
+                    if (sslMode is SslMode.VerifyCA or SslMode.VerifyFull)
+                        throw new ArgumentException(string.Format(NpgsqlStrings.CannotUseSslVerifyWithCustomValidationCallback, sslMode));
+
+                    if (Settings.RootCertificate is not null)
+                        throw new ArgumentException(NpgsqlStrings.CannotUseSslRootCertificateWithCustomValidationCallback);
+
+                    if (DataSource.TransportSecurityHandler.RootCertificateCallback is not null)
+                        throw new ArgumentException(NpgsqlStrings.CannotUseValidationRootCertificateCallbackWithCustomValidationCallback);
+                }
+            }
+
+            try
+            {
                 if (async)
-                    await sslStream.AuthenticateAsClientAsync(host, clientCertificates, SslProtocols.None, checkCertificateRevocation).ConfigureAwait(false);
+                    await sslStream.AuthenticateAsClientAsync(sslStreamOptions, cancellationToken).ConfigureAwait(false);
                 else
-                    sslStream.AuthenticateAsClient(host, clientCertificates, SslProtocols.None, checkCertificateRevocation);
+                    sslStream.AuthenticateAsClient(sslStreamOptions);
 
                 _stream = sslStream;
             }
             catch (Exception e)
             {
+                sslStream.Dispose();
                 throw new NpgsqlException("Exception while performing SSL handshake", e);
             }
 
 
@@ -1,5 +1,6 @@
 using System;
 using System.Security.Cryptography.X509Certificates;
+using System.Threading;
 using System.Threading.Tasks;
 using Npgsql.Properties;
 using Npgsql.Util;
@@ -16,7 +17,7 @@ public virtual Func<X509Certificate2?>? RootCertificateCallback
         set => throw new NotSupportedException(string.Format(NpgsqlStrings.TransportSecurityDisabled, nameof(NpgsqlSlimDataSourceBuilder.EnableTransportSecurity)));
     }
 
-    public virtual Task NegotiateEncryption(bool async, NpgsqlConnector connector, SslMode sslMode, NpgsqlTimeout timeout)
+    public virtual Task NegotiateEncryption(bool async, NpgsqlConnector connector, SslMode sslMode, NpgsqlTimeout timeout, CancellationToken cancellationToken)
         => throw new NotSupportedException(string.Format(NpgsqlStrings.TransportSecurityDisabled, nameof(NpgsqlSlimDataSourceBuilder.EnableTransportSecurity)));
 
     public virtual void AuthenticateSASLSha256Plus(NpgsqlConnector connector, ref string mechanism, ref string cbindFlag, ref string cbind,
@@ -30,8 +31,8 @@ sealed class RealTransportSecurityHandler : TransportSecurityHandler
 
     public override Func<X509Certificate2?>? RootCertificateCallback { get; set; }
 
-    public override Task NegotiateEncryption(bool async, NpgsqlConnector connector, SslMode sslMode, NpgsqlTimeout timeout)
-        => connector.NegotiateEncryption(sslMode, timeout, async);
+    public override Task NegotiateEncryption(bool async, NpgsqlConnector connector, SslMode sslMode, NpgsqlTimeout timeout, CancellationToken cancellationToken)
+        => connector.NegotiateEncryption(sslMode, timeout, async, cancellationToken);
 
     public override void AuthenticateSASLSha256Plus(NpgsqlConnector connector, ref string mechanism, ref string cbindFlag, ref string cbind,
             ref bool successfulBind)
 
@@ -1017,6 +1017,7 @@ internal void OnNotification(NpgsqlNotificationEventArgs e)
     /// <remarks>
     /// See <see href="https://msdn.microsoft.com/en-us/library/system.net.security.localcertificateselectioncallback(v=vs.110).aspx"/>
     /// </remarks>
+    [Obsolete("Use UseSslClientAuthenticationOptionsCallback")]
     public ProvideClientCertificatesCallback? ProvideClientCertificatesCallback { get; set; }
 
     /// <summary>
@@ -1032,8 +1033,19 @@ internal void OnNotification(NpgsqlNotificationEventArgs e)
     /// See <see href="https://msdn.microsoft.com/en-us/library/system.net.security.remotecertificatevalidationcallback(v=vs.110).aspx"/>.
     /// </para>
     /// </remarks>
+    [Obsolete("Use UseSslClientAuthenticationOptionsCallback")]
     public RemoteCertificateValidationCallback? UserCertificateValidationCallback { get; set; }
 
+    /// <summary>
+    /// When using SSL/TLS, this is a callback that allows customizing SslStream's authentication options.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// See <see href="https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslclientauthenticationoptions?view=net-8.0"/>.
+    /// </para>
+    /// </remarks>
+    public Action<SslClientAuthenticationOptions>? SslClientAuthenticationOptionsCallback { get; set; }
+
     #endregion SSL
 
     #region Backend version, capabilities, settings
@@ -1747,9 +1759,10 @@ object ICloneable.Clone()
             ? _cloningInstantiator!(_connectionString)
             : _dataSource.CreateConnection();
 
+        conn.SslClientAuthenticationOptionsCallback = SslClientAuthenticationOptionsCallback;
+#pragma warning disable CS0618 // Obsolete
         conn.ProvideClientCertificatesCallback = ProvideClientCertificatesCallback;
         conn.UserCertificateValidationCallback = UserCertificateValidationCallback;
-#pragma warning disable CS0618 // Obsolete
         conn.ProvidePasswordCallback = ProvidePasswordCallback;
 #pragma warning restore CS0618
         conn._userFacingConnectionString = _userFacingConnectionString;
@@ -1773,13 +1786,10 @@ public NpgsqlConnection CloneWith(string connectionString)
 
         return new NpgsqlConnection(csb.ToString())
         {
-            ProvideClientCertificatesCallback =
-                ProvideClientCertificatesCallback ??
-                (_dataSource?.ClientCertificatesCallback is { } clientCertificatesCallback
-                    ? (ProvideClientCertificatesCallback)(certs => clientCertificatesCallback(certs))
-                    : null),
-            UserCertificateValidationCallback = UserCertificateValidationCallback ?? _dataSource?.UserCertificateValidationCallback,
+            SslClientAuthenticationOptionsCallback = SslClientAuthenticationOptionsCallback ?? _dataSource?.SslClientAuthenticationOptionsCallback,
 #pragma warning disable CS0618 // Obsolete
+            ProvideClientCertificatesCallback = ProvideClientCertificatesCallback,
+            UserCertificateValidationCallback = UserCertificateValidationCallback,
             ProvidePasswordCallback = ProvidePasswordCallback,
 #pragma warning restore CS0618
         };
 
@@ -40,8 +40,8 @@ public abstract class NpgsqlDataSource : DbDataSource
     internal NpgsqlDatabaseInfo DatabaseInfo { get; private set; } = null!; // Initialized at bootstrapping
 
     internal TransportSecurityHandler TransportSecurityHandler { get; }
-    internal RemoteCertificateValidationCallback? UserCertificateValidationCallback { get; }
-    internal Action<X509CertificateCollection>? ClientCertificatesCallback { get; }
+
+    internal Action<SslClientAuthenticationOptions>? SslClientAuthenticationOptionsCallback { get; }
 
     readonly Func<NpgsqlConnectionStringBuilder, string>? _passwordProvider;
     readonly Func<NpgsqlConnectionStringBuilder, CancellationToken, ValueTask<string>>? _passwordProviderAsync;
@@ -98,8 +98,7 @@ internal NpgsqlDataSource(
                 LoggingConfiguration,
                 TransportSecurityHandler,
                 IntegratedSecurityHandler,
-                UserCertificateValidationCallback,
-                ClientCertificatesCallback,
+                SslClientAuthenticationOptionsCallback,
                 _passwordProvider,
                 _passwordProviderAsync,
                 _periodicPasswordProvider,
 
@@ -194,6 +194,7 @@ public NpgsqlDataSourceBuilder EnableUnmappedTypes()
     /// </para>
     /// </remarks>
     /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    [Obsolete("Use UseSslClientAuthenticationOptionsCallback")]
     public NpgsqlDataSourceBuilder UseUserCertificateValidationCallback(RemoteCertificateValidationCallback userCertificateValidationCallback)
     {
         _internalBuilder.UseUserCertificateValidationCallback(userCertificateValidationCallback);
@@ -205,6 +206,7 @@ public NpgsqlDataSourceBuilder UseUserCertificateValidationCallback(RemoteCertif
     /// </summary>
     /// <param name="clientCertificate">The client certificate to be sent to PostgreSQL when opening a connection.</param>
     /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    [Obsolete("Use UseSslClientAuthenticationOptionsCallback")]
     public NpgsqlDataSourceBuilder UseClientCertificate(X509Certificate? clientCertificate)
     {
         _internalBuilder.UseClientCertificate(clientCertificate);
@@ -216,12 +218,29 @@ public NpgsqlDataSourceBuilder UseClientCertificate(X509Certificate? clientCerti
     /// </summary>
     /// <param name="clientCertificates">The client certificate collection to be sent to PostgreSQL when opening a connection.</param>
     /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    [Obsolete("Use UseSslClientAuthenticationOptionsCallback")]
     public NpgsqlDataSourceBuilder UseClientCertificates(X509CertificateCollection? clientCertificates)
     {
         _internalBuilder.UseClientCertificates(clientCertificates);
         return this;
     }
 
+    /// <summary>
+    /// When using SSL/TLS, this is a callback that allows customizing SslStream's authentication options.
+    /// </summary>
+    /// <param name="sslClientAuthenticationOptionsCallback">The callback to customize SslStream's authentication options.</param>
+    /// <remarks>
+    /// <para>
+    /// See <see href="https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslclientauthenticationoptions?view=net-8.0"/>.
+    /// </para>
+    /// </remarks>
+    /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    public NpgsqlDataSourceBuilder UseSslClientAuthenticationOptionsCallback(Action<SslClientAuthenticationOptions>? sslClientAuthenticationOptionsCallback)
+    {
+        _internalBuilder.UseSslClientAuthenticationOptionsCallback(sslClientAuthenticationOptionsCallback);
+        return this;
+    }
+
     /// <summary>
     /// Specifies a callback to modify the collection of SSL/TLS client certificates which Npgsql will send to PostgreSQL for
     /// certificate-based authentication. This is an advanced API, consider using <see cref="UseClientCertificate" /> or
@@ -239,6 +258,7 @@ public NpgsqlDataSourceBuilder UseClientCertificates(X509CertificateCollection?
     /// </para>
     /// </remarks>
     /// <returns>The same builder instance so that multiple calls can be chained.</returns>
+    [Obsolete("Use UseSslClientAuthenticationOptionsCallback")]
     public NpgsqlDataSourceBuilder UseClientCertificatesCallback(Action<X509CertificateCollection>? clientCertificatesCallback)
     {
         _internalBuilder.UseClientCertificatesCallback(clientCertificatesCallback);