@sandy2008
Member

Fixes #6800
Design discussion issue #6800

Changes

  • Enforce custom CA pinning even when system trust succeeds by always building the chain against the provided CA.
  • Add a regression test that ensures a mismatched CA is rejected even if SslPolicyErrors.None.

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • Unit tests added/updated
  • Appropriate CHANGELOG.md files updated for non-trivial changes
  • Changes in public API reviewed (if applicable)
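
The behaviour described under "Changes", sketched as an added example (not the code merged in this pull request, and not part of the author's description). It assumes .NET 5 or later for `X509ChainTrustMode.CustomRootTrust`, a self-signed root as the pinned CA, and a private CA that publishes no revocation data; `PinnedCaValidator` and its member names are hypothetical.

```csharp
#nullable enable
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added illustration; PinnedCaValidator and its members are hypothetical names.
public static class PinnedCaValidator
{
    // Callback for SslStream or SslClientAuthenticationOptions.
    public static RemoteCertificateValidationCallback Create(X509Certificate2 pinnedRootCa) =>
        (sender, certificate, chain, errors) => Validate(pinnedRootCa, certificate, errors);

    public static bool Validate(
        X509Certificate2 pinnedRootCa, X509Certificate? certificate, SslPolicyErrors errors)
    {
        if (certificate is null)
        {
            return false;
        }

        // A host name mismatch or a missing certificate is never repaired by CA pinning.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
        {
            return false;
        }

        // No "errors == SslPolicyErrors.None => true" shortcut here: None only means
        // the machine trust store accepted the chain, which says nothing about the
        // pinned CA. The runtime-supplied chain is ignored for the same reason.
        using var serverCert = new X509Certificate2(certificate);
        using var pinnedChain = new X509Chain();
        pinnedChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        pinnedChain.ChainPolicy.CustomTrustStore.Add(pinnedRootCa);
        // Assumption: the private CA has no CRL/OCSP endpoint to query.
        pinnedChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (!pinnedChain.Build(serverCert))
        {
            return false;
        }

        // Defence in depth: the chain must terminate at the pinned root itself.
        var root = pinnedChain.ChainElements[pinnedChain.ChainElements.Count - 1].Certificate;
        return root.RawData.AsSpan().SequenceEqual(pinnedRootCa.RawData);
    }
}
```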

@sandy2008 sandy2008 requested a review from a team as a code owner January 1, 2026 11:27
@github-actions github-actions bot added the pkg:OpenTelemetry.Exporter.OpenTelemetryProtocol Issues related to OpenTelemetry.Exporter.OpenTelemetryProtocol NuGet package label Jan 1, 2026
@sandy2008
Member Author

@rajkumar-rangaraj Please review! #6804

@codecov

codecov bot commented Jan 1, 2026

Codecov Report

❌ Patch coverage is 84.61538% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.85%. Comparing base (866e218) to head (fc6bba5).
⚠️ Report is 7 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
...yProtocol/Implementation/OtlpCertificateManager.cs 84.61% 4 Missing ⚠️

@@            Coverage Diff             @@
##             main    #6804      +/-   ##
==========================================
- Coverage   86.88%   86.85%   -0.03%     
==========================================
  Files         262      262              
  Lines       12350    12355       +5     
==========================================
+ Hits        10730    10731       +1     
- Misses       1620     1624       +4     
Flag Coverage Δ
unittests-Project-Experimental 86.76% <84.61%> (-0.11%) ⬇️
unittests-Project-Stable 86.64% <84.61%> (-0.07%) ⬇️

Files with missing lines Coverage Δ
...yProtocol/Implementation/OtlpCertificateManager.cs 73.91% <84.61%> (-2.03%) ⬇️

... and 2 files with indirect coverage changes

@sandy2008 sandy2008 changed the title from "[OTLP] refactor: improve server certificate validation logic and add unit test for CA mismatch" to "[OTLP] refactor: trust custom CA only" Jan 2, 2026
Member

@rajkumar-rangaraj rajkumar-rangaraj left a comment

LGTM

@rajkumar-rangaraj rajkumar-rangaraj added this pull request to the merge queue Jan 8, 2026
Merged via the queue into open-telemetry:main with commit 3ec29e7 Jan 8, 2026
54 checks passed
@github-actions
Contributor

github-actions bot commented Jan 8, 2026

Thank you for your contribution @sandy2008! 🎉 We would like to hear from you about your experience contributing to OpenTelemetry by taking a few minutes to fill out this survey.

Labels

pkg:OpenTelemetry.Exporter.OpenTelemetryProtocol Issues related to OpenTelemetry.Exporter.OpenTelemetryProtocol NuGet package ready to merge

Development

Successfully merging this pull request may close these issues.

[bug] Custom CA validation bypassed when system trust succeeds in ValidateServerCertificate
