NLog.Targets.Syslog

Add support for TLS (TLS server certificate validation)

Open Tyrrx opened this issue 2 years ago • 0 comments

Describe the problem to solve

At the moment it is possible to use TLS with a client certificate to authenticate at a Syslog server. This is great, but this just allows the server to verify the identity of the client; it does not work in the opposite direction. The client is not able to verify the identity of the server. This can be a critical security vulnerability. Mutual TLS protects against e.g. on-path attacks and spoofing attacks. For more details see e.g. What is mutual TLS (mTLS).

Describe the enhancement proposed

I would say the best way to implement mTLS in a NLog Target is to provide a trusted certificate store through the config that contains all trusted root and intermediate certificates. The client then uses these trusted certificates to verify the provided TLS server certificate during client authentication. The SslStream can do this using the AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions) method. The RemoteCertificateValidationCallback should build the entire chain with the root certificate from the store and may also check the CRL to verify the TLS server certificate.

Describe alternatives

  • The TLS server certificate verification might be configurable, e.g. a flag for checking the CRL online or offline.
  • It might be easier to implement the chain building by splitting the trusted certificate store into a trusted root and a trusted intermediate certificate store.
  • It might be easier to use Bouncy Castle libs for certificate verification instead of the .NET libs (chain building and CRL).

Additional context

  • What is mutual TLS (mTLS)
  • X509Chain Class
  • Bouncy Castle PkixCertPathBuilder

Tyrrx, Jun 16 '23 09:06
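As an added illustration (not code from NLog.Targets.Syslog or from the issue author), the validation callback the issue describes: the chain is built only against roots and intermediates supplied by configuration, with the CRL checked online or offline according to a flag, and it is wired into SslStream.AuthenticateAsClient(SslClientAuthenticationOptions). The helper names and the way the certificate collections are obtained are assumptions; it assumes .NET 5 or later for X509ChainTrustMode.CustomRootTrust.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of NLog.Targets.Syslog): validates the syslog
// server's certificate against a configured trust store instead of the OS root store.
public static class SyslogServerTrust
{
    public static RemoteCertificateValidationCallback CreateCallback(
        X509Certificate2Collection trustedRoots,          // loaded from config (assumed)
        X509Certificate2Collection trustedIntermediates,  // loaded from config (assumed)
        bool checkCrlOnline)                              // the online/offline CRL flag
    {
        return (sender, certificate, chain, sslPolicyErrors) =>
        {
            if (certificate is null)
                return false;                             // server presented no certificate

            // SslStream already compared the certificate to TargetHost; never accept a mismatch.
            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                return false;

            // Rebuild the chain ourselves: the chain SslStream passed in (and the
            // RemoteCertificateChainErrors flag) were computed against the machine store.
            using var custom = new X509Chain();
            custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            custom.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
            custom.ChainPolicy.ExtraStore.AddRange(trustedIntermediates);
            custom.ChainPolicy.RevocationMode = checkCrlOnline
                ? X509RevocationMode.Online
                : X509RevocationMode.Offline;             // cached CRLs only
            custom.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            custom.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            bool ok = custom.Build(new X509Certificate2(certificate));
            if (!ok)
                foreach (var status in custom.ChainStatus)   // log why the server was rejected
                    Console.Error.WriteLine($"syslog TLS rejected: {status.Status} {status.StatusInformation}");
            return ok;
        };
    }

    // Wiring into the API named in the issue; 'tcp' is the connected network stream.
    public static SslStream Connect(Stream tcp, string serverHost, X509Certificate2Collection roots,
                                    X509Certificate2Collection intermediates, bool crlOnline)
    {
        var ssl = new SslStream(tcp, false, CreateCallback(roots, intermediates, crlOnline));
        ssl.AuthenticateAsClient(new SslClientAuthenticationOptions { TargetHost = serverHost });
        return ssl;
    }
}
```

A client certificate for the existing client-side authentication would be added to the same SslClientAuthenticationOptions via its ClientCertificates collection.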