Namespace: System.Net.Security

SslClientAuthenticationOptions Class

Provides options for client-side SSL/TLS authentication.

Summary

The SslClientAuthenticationOptions class allows you to configure the details of the SSL/TLS handshake when acting as a client. This includes specifying certificates, supported protocols, encryption algorithms, and other security-related parameters.

When establishing a secure connection using classes like SslStream, you can pass an instance of SslClientAuthenticationOptions to customize the authentication process.

Syntax

public sealed class SslClientAuthenticationOptions

This class is sealed and cannot be inherited.

Constructors

SslClientAuthenticationOptions()

Initializes a new instance of the SslClientAuthenticationOptions class with default values.

public SslClientAuthenticationOptions();

Properties

Name Description
ClientCertificates Gets or sets a collection of client certificates to be used for authentication.
CipherSuitesPolicy Gets or sets a TlsCipherSuitesPolicy that specifies the allowed cipher suites.
EnabledSslProtocols Gets or sets the SSL/TLS protocols that are allowed for the connection.
EncryptionPolicy Gets or sets an EncryptionPolicy that specifies the encryption behavior.
TargetHost Gets or sets the target host name for the SSL/TLS handshake. This is used for certificate validation.
LocalCertificateSelectionCallback Gets or sets a delegate that is called to select the local certificate to present to the remote endpoint.
RemoteCertificateValidationCallback Gets or sets a delegate that is called to validate the remote certificate.
ApplicationProtocols Gets or sets a list of application protocols to advertise during the TLS handshake (ALPN).

Methods

This class does not expose any public methods directly for configuration, relying primarily on its properties.

Remarks

Use the properties of SslClientAuthenticationOptions to fine-tune the security parameters for client-side SSL/TLS connections. For example, you can explicitly set allowed protocols to prevent negotiation of older, less secure versions of TLS.

The TargetHost property is crucial for server name indication (SNI) and for validating that the server's certificate matches the expected host.

Customizing the RemoteCertificateValidationCallback allows for advanced certificate validation logic beyond the default system checks.

Example Usage

The following example demonstrates how to configure SslClientAuthenticationOptions to establish a secure connection using SslStream.

using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Assume 'tcpClient' is an established TcpClient connection
// Assume 'serverIpAddress' and 'serverPort' are defined

public async Task ConnectSecurelyAsync(TcpClient tcpClient, string serverIpAddress, int serverPort)
{
    var options = new SslClientAuthenticationOptions
    {
        TargetHost = serverIpAddress, // Or the actual server hostname
        EnabledSslProtocols = System.Security.Authentication.SslProtocols.Tls12 | System.Security.Authentication.SslProtocols.Tls13,
        ClientCertificates = new X509CertificateCollection(), // Add client certs if needed
        RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
        {
            // Custom validation logic here.
            // For simplicity, this example allows self-signed certificates for testing,
            // but in production, you should validate the chain and policy errors.
            if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
                return true;

            Console.WriteLine($"Certificate validation failed: {sslPolicyErrors}");
            return false; // Reject if not valid
        }
    };

    var sslStream = new SslStream(tcpClient.GetStream(), false);

    try
    {
        await sslStream.AuthenticateAsClientAsync(options);
        Console.WriteLine("SSL handshake succeeded.");
        // Now you can use sslStream for secure communication
        // await sslStream.WriteAsync(...);
        // var buffer = new byte[1024];
        // int bytesRead = await sslStream.ReadAsync(buffer, 0, buffer.Length);
    }
    catch (Exception ex)
    {
        Console.WriteLine($"SSL authentication failed: {ex.Message}");
    }
    finally
    {
        // Dispose streams and client appropriately
        // sslStream.Dispose();
        // tcpClient.Dispose();
    }
}