[OTLP] Add TLS-only support to OTLP HTTP client factory

[sandy2008]

Fixes #6764
Design discussion issue #6764

Changes

Add TLS-only support to the OTLP HTTP client factory while keeping mTLS behavior. Introduces OtlpTlsOptions, updates certificate loading/validation flow for CA-only and mTLS scenarios, and expands tests to cover TLS configuration paths.

Merge requirement checklist

• CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
• Unit tests added/updated
• Appropriate CHANGELOG.md files updated for non-trivial changes
• Changes in public API reviewed (if applicable)

[codecov]

Codecov Report

❌ Patch coverage is 95.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.94%. Comparing base (3ec29e7) to head (eec91ea).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...tation/OpenTelemetryProtocolExporterEventSource.cs	60.00%	2 Missing ⚠️
...ocol/Implementation/OtlpSecureHttpClientFactory.cs	97.05%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6799      +/-   ##
==========================================
+ Coverage   86.86%   86.94%   +0.08%     
==========================================
  Files         262      263       +1     
  Lines       12355    12382      +27     
==========================================
+ Hits        10732    10766      +34     
+ Misses       1623     1616       -7     

Flag	Coverage Δ
unittests-Project-Experimental	86.47% <95.00%> (-0.27%)	⬇️
unittests-Project-Stable	86.72% <95.00%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...yProtocol/Implementation/OtlpCertificateManager.cs	76.81% <ø> (+2.89%)	⬆️
...orter.OpenTelemetryProtocol/OtlpExporterOptions.cs	99.27% <100.00%> (ø)
....Exporter.OpenTelemetryProtocol/OtlpMtlsOptions.cs	100.00% <100.00%> (ø)
...y.Exporter.OpenTelemetryProtocol/OtlpTlsOptions.cs	100.00% <100.00%> (ø)
...tation/OpenTelemetryProtocolExporterEventSource.cs	82.17% <60.00%> (-1.16%)	⬇️
...ocol/Implementation/OtlpSecureHttpClientFactory.cs	91.57% <97.05%> (+4.91%)	⬆️

... and 2 files with indirect coverage changes

[rajkumar-rangaraj]

@sandy2008 I have provided some important feedback. Please let me know once you have addressed these points.

[sandy2008]

@rajkumar-rangaraj Please kindly review again, tyvm! And happy new year!

[rajkumar-rangaraj]

@sandy2008 Happy new year!

One question: the CA certificate is now recreated from byte[] on every TLS callback:

using var caCert = new X509Certificate2(caCertData);

Does this create and dispose a new X509Certificate2 on every POST to the OTLP endpoint?

[sandy2008]

@sandy2008 Happy new year!

One question: the CA certificate is now recreated from byte[] on every TLS callback:

using var caCert = new X509Certificate2(caCertData);

Does this create and dispose a new X509Certificate2 on every POST to the OTLP endpoint?

Happy New Year! 🎉
The callback creates and disposes a new X509Certificate2 each time the TLS validation callback runs. That callback is invoked during the TLS handshake, so it’s per connection/handshake, not per POST if the connection is reused (HTTP/2 or keep‑alive will usually reuse connections and avoid repeated callbacks).

In short:

• New cert instance per TLS handshake.
• Not per request unless a new connection is created each time.
  Shall we change to avoid per‑handshake allocation? Maybe a safer caching strategy (e.g., copy the cert once and only dispose after handler is truly quiesced), but that re‑introduces lifetime/race complexity we were trying to avoid.

[rajkumar-rangaraj]

LGTM

One minor suggestion: consider adding a brief comment explaining why CRL/OCSP checks are skipped for custom CA validation (commit 20acada)

[sandy2008]

LGTM

One minor suggestion: consider adding a brief comment explaining why CRL/OCSP checks are skipped for custom CA validation (commit 20acada)

@rajkumar-rangaraj done!

[sandy2008]

@rajkumar-rangaraj do you think we can get it merged as well~~ Tyvm!!

[Kielek]

@sandy2008, thanks! Queued for merging.

[github-actions]

Thank you for your contribution @sandy2008! 🎉 We would like to hear from you about your experience contributing to OpenTelemetry by taking a few minutes to fill out this survey.

[sandy2008]

@sandy2008, thanks! Queued for merging.

Thank you very much!
@rajkumar-rangaraj @Kielek Wondering if I can add you as my sponsors for me to have OpenTelemetry membership. (https://github.com/open-telemetry/community/blob/main/guides/contributor/membership.md)

I also got open-telemetry/opentelemetry-python#4116 merged in Python (mTLS),
and also having discussions in open-telemetry/opentelemetry-specification#4580 besides the .NET things :)

[Kielek]

@sandy2008, sure, I can be one of your sponsors.

[rajkumar-rangaraj]

@sandy2008 If more sponsors are need, include me. Thanks!

[sandy2008]

@Kielek @rajkumar-rangaraj Thank you so much! I added in open-telemetry/community#3222 :)