add TargetHostName to SslStream

[wfurt]

This exposes internal property used with SNI. This will return string.Empty if not available to be consistent with ServerCertificateSelectionCallback.

Strangely, when empty name is provided, we fabricate random name instead of skipping SNI extension. This is probably not common case so I made the property to return the fabricated name instead of empty value from SslClientAuthenticationOptions. On server, this gets name requested by client. Since the behavior above, it is not easy to construct test without SNI.

related to #37933
fixes #27619

[ghost]

Tagging subscribers to this area: @dotnet/ncl
Notify danmosemsft if you want to be subscribed.

[Dotnet-GitSync-Bot]

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, to please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

[stephentoub]

Strangely, when empty name is provided, we fabricate random name instead of skipping SNI extension

What kind of name do we fabricate? Can you provide an example?

[wfurt]

Strangely, when empty name is provided, we fabricate random name instead of skipping SNI extension

What kind of name do we fabricate? Can you provide an example?

Something like ?124 which looks lame to me but I don't know the history of it.

runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs

Lines 70 to 73 in 3495f1a

	if (_sslAuthenticationOptions.TargetHost!.Length == 0)
	{
	_sslAuthenticationOptions.TargetHost = "?" + Interlocked.Increment(ref s_uniqueNameInteger).ToString(NumberFormatInfo.InvariantInfo);
	}

[stephentoub]

Something like ?124 which looks lame to me but I don't know the history of it.

That does look really strange. This was inherited from .NET Framework:
https://referencesource.microsoft.com/#System/net/System/Net/SecureProtocols/_SslState.cs,172
@davidsh, do you know what the purpose of this is?

[wfurt]

When no name is provided then it is harder for ssl client to verify serve's name.
But that can be handled in the callback. I did verify that the fabricated name get sent on wire as part of the ClientHello.
I did not want to make functional change in this PR but I can perhaps open new issue for investigation. I'm wondering if this was/is some limitatuon of Windows Schannel API.

[stephentoub]

We can follow-up on the strange constructed names subsequently. Is there an issue for that?

[wfurt]

We can follow-up on the strange constructed names subsequently. Is there an issue for that?

#38356