* Add ITlsSettings interface

* Add `TlsSettings` class
* Pass TLS settings to Amqp ConnectionFactory
* Ensure test passes

Author: lukebakken

RabbitMQ.AMQP.Client/IConnectionSettings.cs

@@ -1,3 +1,7 @@
+using System.Net.Security;
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+
 namespace RabbitMQ.AMQP.Client;
 
 public interface IConnectionSettings : IEquatable<IConnectionSettings>
@@ -11,4 +15,36 @@ public interface IConnectionSettings : IEquatable<IConnectionSettings>
     string ConnectionName { get; }
     string Path { get; }
     bool UseSsl { get; }
+    ITlsSettings? TlsSettings { get; }
+}
+
+/// <summary>
+/// Contains the TLS/SSL settings for a connection.
+/// </summary>
+public interface ITlsSettings
+{
+    /// <summary>
+    /// Client certificates to use for mutual authentication.
+    /// </summary>
+    X509CertificateCollection ClientCertificates { get; }
+
+    /// <summary>
+    /// Supported protocols to use.
+    /// </summary>
+    SslProtocols Protocols { get; }
+
+    /// <summary>
+    /// Specifies whether certificate revocation should be performed during handshake.
+    /// </summary>
+    bool CheckCertificateRevocation { get; }
+
+    /// <summary>
+    /// Gets or sets a certificate validation callback to validate remote certificate.
+    /// </summary>
+    RemoteCertificateValidationCallback? RemoteCertificateValidationCallback { get; }
+
+    /// <summary>
+    /// Gets or sets a local certificate selection callback to select the certificate which should be used for authentication.
+    /// </summary>
+    LocalCertificateSelectionCallback? LocalCertificateSelectionCallback { get; }
 }

RabbitMQ.AMQP.Client/ILifeCycle.cs

@@ -9,7 +9,6 @@ public enum State
     Closed,
 }
 
-
 public class Error(string? errorCode, string? description)
 {
     public string? Description { get; } = description;
@@ -21,15 +20,13 @@ public override string ToString()
     }
 }
 
-
-
 public delegate void LifeCycleCallBack(object sender, State previousState, State currentState, Error? failureCause);
 
 public interface ILifeCycle
 {
     Task CloseAsync();
-    
+
     public State State { get; }
-    
+
     event LifeCycleCallBack ChangeState;
 }

RabbitMQ.AMQP.Client/Impl/AmqpConnection.cs

@@ -162,6 +162,27 @@ void onOpened(Amqp.IConnection connection, Open open1)
 
             var cf = new ConnectionFactory();
 
+            if (_connectionSettings.UseSsl && _connectionSettings.TlsSettings is not null)
+            {
+                cf.SSL.Protocols = _connectionSettings.TlsSettings.Protocols;
+                cf.SSL.CheckCertificateRevocation = _connectionSettings.TlsSettings.CheckCertificateRevocation;
+
+                if (_connectionSettings.TlsSettings.ClientCertificates.Count > 0)
+                {
+                    cf.SSL.ClientCertificates = _connectionSettings.TlsSettings.ClientCertificates;
+                }
+
+                if (_connectionSettings.TlsSettings.LocalCertificateSelectionCallback is not null)
+                {
+                    cf.SSL.LocalCertificateSelectionCallback = _connectionSettings.TlsSettings.LocalCertificateSelectionCallback;
+                }
+
+                if (_connectionSettings.TlsSettings.RemoteCertificateValidationCallback is not null)
+                {
+                    cf.SSL.RemoteCertificateValidationCallback = _connectionSettings.TlsSettings.RemoteCertificateValidationCallback;
+                }
+            }
+
             try
             {
                 _nativeConnection = await cf.CreateAsync(_connectionSettings.Address, open: open, onOpened: onOpened)

RabbitMQ.AMQP.Client/Impl/ConnectionSettings.cs

@@ -1,4 +1,7 @@
-using Amqp;
+using System.Net.Security;
+using System.Security.Authentication;
+using System.Security.Cryptography.X509Certificates;
+using Amqp;
 
 namespace RabbitMQ.AMQP.Client.Impl;
 
@@ -95,21 +98,35 @@ public class ConnectionSettings : IConnectionSettings
     private readonly Address _address;
     private readonly string _connectionName = "";
     private readonly string _virtualHost = "/";
+    private readonly ITlsSettings? _tlsSettings;
 
-    public ConnectionSettings(string address)
+    public ConnectionSettings(string address, ITlsSettings? tlsSettings = null)
     {
         _address = new Address(address);
+        _tlsSettings = tlsSettings;
+
+        if (_address.UseSsl && _tlsSettings == null)
+        {
+            _tlsSettings = new TlsSettings();
+        }
     }
 
     public ConnectionSettings(string host, int port,
         string user, string password,
-        string virtualHost, string scheme, string connectionName)
+        string virtualHost, string scheme, string connectionName,
+        ITlsSettings? tlsSettings = null)
     {
         _address = new Address(host: host, port: port,
             user: user, password: password,
             path: "/", scheme: scheme);
         _connectionName = connectionName;
         _virtualHost = virtualHost;
+        _tlsSettings = tlsSettings;
+
+        if (_address.UseSsl && _tlsSettings == null)
+        {
+            _tlsSettings = new TlsSettings();
+        }
     }
 
     public string Host => _address.Host;
@@ -122,6 +139,8 @@ public ConnectionSettings(string host, int port,
     public string Path => _address.Path;
     public bool UseSsl => _address.UseSsl;
 
+    public ITlsSettings? TlsSettings => _tlsSettings;
+
     public override string ToString()
     {
         return
@@ -307,3 +326,44 @@ public override string ToString()
         return $"BackOffDelayPolicy{{ Attempt={_attempt}, TotalAttempt={_totalAttempt}, IsActive={IsActive} }}";
     }
 }
+
+public class TlsSettings : ITlsSettings
+{
+    internal const SslProtocols DefaultSslProtocols = SslProtocols.None;
+
+    private readonly SslProtocols _protocols;
+    private readonly X509CertificateCollection _clientCertificates;
+    private readonly bool _checkCertificateRevocation = false;
+    private readonly RemoteCertificateValidationCallback? _remoteCertificateValidationCallback;
+    private readonly LocalCertificateSelectionCallback? _localCertificateSelectionCallback;
+
+    public TlsSettings() : this(DefaultSslProtocols)
+    {
+    }
+
+    public TlsSettings(SslProtocols protocols)
+    {
+        _protocols = protocols;
+        _clientCertificates = new X509CertificateCollection();
+        _remoteCertificateValidationCallback = trustEverythingCertValidationCallback;
+        _localCertificateSelectionCallback = null;
+    }
+
+    public SslProtocols Protocols => _protocols;
+
+    public X509CertificateCollection ClientCertificates => _clientCertificates;
+
+    public bool CheckCertificateRevocation => _checkCertificateRevocation;
+
+    public RemoteCertificateValidationCallback? RemoteCertificateValidationCallback
+        => _remoteCertificateValidationCallback;
+
+    public LocalCertificateSelectionCallback? LocalCertificateSelectionCallback
+        => _localCertificateSelectionCallback;
+
+    private static bool trustEverythingCertValidationCallback(object sender, X509Certificate? certificate,
+        X509Chain? chain, SslPolicyErrors sslPolicyErrors)
+    {
+        return true;
+    }
+}