From ab388363d922eb484064a3ca3c34f633c6e5cf40 Mon Sep 17 00:00:00 2001
From: Denis Olifer
Date: Sat, 7 Jan 2023 21:36:55 +0000
Subject: [PATCH] (fix #1897) : skip server SSL certs verification when configured
---
.../Rest/RestService.cs | 32 +++++++------------
1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/src/Confluent.SchemaRegistry/Rest/RestService.cs b/src/Confluent.SchemaRegistry/Rest/RestService.cs
index ccee8662d..824b07c3d 100644
--- a/src/Confluent.SchemaRegistry/Rest/RestService.cs
+++ b/src/Confluent.SchemaRegistry/Rest/RestService.cs
@@ -57,26 +57,14 @@ internal class RestService : IRestService /// /// Initializes a new instance of the RestService class. /// - public RestService(string schemaRegistryUrl, int timeoutMs, IAuthenticationHeaderValueProvider authenticationHeaderValueProvider, List certificates, bool enableSslCertificateVerification) + public RestService(string schemaRegistryUrl, int timeoutMs, IAuthenticationHeaderValueProvider authenticationHeaderValueProvider, List certificates, bool enableSslCertificateVerification) { this.authenticationHeaderValueProvider = authenticationHeaderValueProvider; this.clients = schemaRegistryUrl .Split(',') - .Select(SanitizeUri)// need http or https - use http if not present. - .Select(uri => - { - HttpClient client; -                    if (certificates.Count > 0) -                    { -                        client = new HttpClient(CreateHandler(certificates, enableSslCertificateVerification)) { BaseAddress = new Uri(uri, UriKind.Absolute), Timeout = TimeSpan.FromMilliseconds(timeoutMs) }; -                    } -                    else -                    { -                        client = new HttpClient() { BaseAddress = new Uri(uri, UriKind.Absolute), Timeout = TimeSpan.FromMilliseconds(timeoutMs) }; -                    } - return client; - }) + .Select(SanitizeUri) // need http or https - use http if not present. + .Select(uri => new HttpClient(CreateHandler(certificates, enableSslCertificateVerification)) { BaseAddress = new Uri(uri, UriKind.Absolute), Timeout = TimeSpan.FromMilliseconds(timeoutMs) }) .ToList(); } 
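Review bot: The constructor's XML doc still says only that it initializes the class, while after this change `enableSslCertificateVerification` governs every client built in the `.Select(uri => new HttpClient(CreateHandler(...)))` line, not just those created with client certificates. A `<param name="enableSslCertificateVerification">` entry would make that visible to callers, for example `When false, server certificates are not validated for any configured URL, whether or not client certificates are supplied.` The retained comment on `.Select(SanitizeUri)` also says scheme-less URLs fall back to http; if that is what `SanitizeUri` does (its body is outside this hunk), neither setting protects those endpoints and whatever `authenticationHeaderValueProvider` supplies presumably travels in cleartext, which belongs in the same doc block.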
@@ -86,18 +74,22 @@ private static string SanitizeUri(string uri) return $"{sanitized.TrimEnd('/')}/"; } - private static HttpClientHandler CreateHandler(List certificates, bool enableSslCertificateVerification) + private static HttpClientHandler CreateHandler(List certificates, bool enableSslCertificateVerification) { -     var handler = new HttpClientHandler(); - handler.ClientCertificateOptions = ClientCertificateOption.Manual; + var handler = new HttpClientHandler(); if (!enableSslCertificateVerification) { handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, certChain, policyErrors) => { return true; }; } -     certificates.ForEach(c => handler.ClientCertificates.Add(c)); -     return handler; + if (certificates.Count > 0) + { + handler.ClientCertificateOptions = ClientCertificateOption.Manual; + certificates.ForEach(c => handler.ClientCertificates.Add(c)); + } + + return handler; } private RegisteredSchema SanitizeRegisteredSchema(RegisteredSchema schema)
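Review bot: The callback installed in `CreateHandler` when `enableSslCertificateVerification` is false returns `true` for every certificate and every `policyErrors` value, and nothing in the method records that it was installed, so a client left in this mode by mistake loses server authentication without any trace. Because the handler is now built for every client, this path is reachable without client certificates, which is the point of the fix but also widens where the setting bites. I would add a comment above the `if`, such as `// SECURITY: accepts any server certificate, so the peer is unauthenticated and traffic can be intercepted; intended for test environments only.`, and emit a one-time warning if a logging facility is available to this class. Where the project's target frameworks provide it, `handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;` states the intent more searchably than the hand-written lambda.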