Breaking change
- Based on a recent security review, the HTTPS server endpoints now enforce TLS mutual authentication on each request and change their behavior when no client certificate is presented.
- It is highly recommended to only use mutual TLS authentication. Some clients may not support the new scheme yet.
- A new configuration variable <HttpsMutualTls>true</HttpsMutualTls> enables or disables the mutual TLS authentication support (default: true).
The behavior of the https TLS endpoint changes according to the following settings:
HttpsMutualTls is true
- The server checks the trust of the certificate the client presents for TLS authentication: it must be a valid and trusted OPC UA application certificate.
- A client can still connect without providing a client certificate, but then it is only able to call discovery services.
- In order to create a session, the client must use the same application certificate that was used for the TLS channel.
HttpsMutualTls is false
- There is no application authentication: the server endpoint uses security None, so the client application is not authenticated.
- Instead, only user authentication secures the server; anonymous user authentication is disabled.
- Discovery service calls are supported.
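The access rules described above for both values of HttpsMutualTls, encoded as a small decision function so a tester can compare a deployed server's behavior against the documented one. This is an added illustration, not code from the OPC UA .NET Standard stack; the request fields and the list of discovery service names are assumptions.

```python
"""Model of the documented HTTPS endpoint access rules for HttpsMutualTls.

Added illustration, not stack code: it encodes the rules from the release
notes so expected and observed server behavior can be compared.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed set of discovery services reachable without a session.
DISCOVERY_SERVICES = {"FindServers", "GetEndpoints", "FindServersOnNetwork"}

@dataclass(frozen=True)
class Request:
    service: str
    # Certificate presented by the client in the TLS handshake (None = none).
    channel_cert: Optional[str] = None
    # Whether that certificate is a valid, trusted OPC UA application certificate.
    channel_cert_trusted: bool = False
    # Application certificate used for CreateSession (None = not a session call).
    session_cert: Optional[str] = None
    # User identity token type, e.g. "Anonymous" or "UserName".
    user_token: str = "Anonymous"

def evaluate(https_mutual_tls: bool, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request against the HTTPS endpoint."""
    if https_mutual_tls:
        if req.channel_cert is None:
            # No client certificate: only discovery services are reachable.
            if req.service in DISCOVERY_SERVICES:
                return True, "discovery allowed without client certificate"
            return False, "client certificate required for non-discovery services"
        if not req.channel_cert_trusted:
            return False, "TLS client certificate is not a trusted application certificate"
        if req.session_cert is not None and req.session_cert != req.channel_cert:
            return False, "session certificate must match the TLS channel certificate"
        return True, "mutual TLS satisfied"
    # HttpsMutualTls false: security None, user authentication only.
    if req.service in DISCOVERY_SERVICES:
        return True, "discovery allowed"
    if req.user_token == "Anonymous":
        return False, "anonymous user authentication is disabled"
    return True, "user authenticated"
```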
Enhancements
- Supports native .NET 9 assemblies. A new X509CertificateLoader was introduced for older .NET versions to keep the code readable without ifdef.
- Server GDS Push CreateSigningRequest supports regeneration of the public/private key pair, by @romanett.
- Callback to notify about channel token renewal.
- Server detection algorithm for clients which try to exploit the known Basic128Rsa15 vulnerability.
Bug fixes
- Client ReadNodes throws a BadInvalidType if a value type returns null.
- Client reading of large dictionaries is split in chunks. by @ThomasNehring.
- Mixed opc.https and https endpoints prevented a server from starting up.
- Server endpoint certificates were not updated after GDS Push UpdateCertificate. by @romanett.
- Event reports ignore session context. by @Filippo-Oliva-ABB.
- Accept namespace URIs which are not well formed. Stricter handling was added in the previous release, but it is relaxed again for IOP.
- Reading complex types from a server could cause a null pointer exception in BinaryDecoder. by @marcschier.
- Reading operation limits could cause an exception (thus operation limits were ignored).
- A CRL with invalid content could cause an exception when reading a property with lazy decoding; the CRL is now always decoded when the constructor is called to catch issues early.
- Channel token HMAC references were not disposed after a channel renew.
- Allow decoding of extension objects which set the length to -1.
- Fix for CauseMappings and bug in ConditionRefresh/2 by @Archie-Miller
What's Changed
- Bump Serilog and System.Diagnostics.DiagnosticSource by @dependabot in #2780
- Update CauseMappings to support transitions correctly by @Archie-Miller #2877
- ConditionRefreshAsync always results in BadNodeIdUnknown by @Archie-Miller #2876
- [Server] GDS Push: Enable regeneratePrivatekey for CreateSigningRequest method of Server by @romanett in #2778
- Client ReadNodes, throw BadInvalidType if a value type returned by an attribute is null by @mregen in #2746
- [Client] Read large dictionaries by @ThomasNehring in #2782
- Server doesn't start up with mixed https endpoints by @mregen in #2789
- #2777 Fix for - MonitoredItem2.OnReportEvent Ignores Session in ISystemContext During Notification Process by @Filippo-Oliva-ABB in #2779
- [Server] update endpoint descriptions after certificate update by @romanett in #2735
- Moved the modified reference server from the unit test to its own file by @ThomasNehring in #2725
- #2656 Fix for - Session is not provided by ClearChangeMasks when a change is notified by @Filippo-Oliva-ABB in #2772
- Revert "#2656 Fix for - Session is not provided by ClearChangeMasks w… by @mregen in #2792
- Fix ExpandedNodeId.Format output for not well formed uri and JSON Verbose WriteStatusCode by @mregen in #2794
- Null pointer exception when reading a complex type from umati server.… by @marcschier in #2798
- Add ReturnDiagnostics to Session Constructor by @romanett in #2810
- IOP: Fix FetchOperationLimits for some use cases by @mregen in #2807
- Update version.json to allow preview builds from develop by @mregen in #2813
- Fix bugs in JSON decoder by @mregen in #2828
- Update brokerHostName before MqttClientOptionsBuilder uses its value by @mrsuciu in #2830
- Improve crl handling in certificate stores by @romanett in #2829
- Using Uri.TryCreate causes regression with namespace uri that use mixed lower/uppercase letters in the of the Uri. by @KircMax in #2837
- ChannelToken: Dispose HMAC and improve lifetime calculations. by @mregen in #2846
- Added a minimal rogue client detection mechanism at the transport level by @mrsuciu in #2850
- ValidateRolePermissions for MIs monitoring the Value of a Node by @romanett in #2809
- [Server] ValidateRolePermissions of MonitoredItems based of the saved user identity to allow validation when no session is present by @romanett in #2832
- Support .NET 9.0 build by @mregen in #2865
- Client perf and memory improvements for JSON encoding and subscriptions by @mregen in #2864
- Register callback to notify about new channel token activation (#2872) by @marcschier in #2873
- [Client] Fix: KeepAliveInterval was not updated on ModifySubscription by @romanett in #2871
- Merge fixes from master in stable branch by @mregen in #2878
- Bump BouncyCastle.Cryptography from 2.4.0 to 2.5.0 by @mregen in #2875
- Allow decoding of extension objects for legacy devices which do not set the length by @mregen in #2869
- Enable mutual tls on server https endpoints by @mrsuciu in #2849
- fix serialization of ApplicationConfiguration /CertificateTrustList by @romanett in #2879
- Merge develop/main374 into release/1.5.374 by @mregen in #2881