Namespace: System.Net.Security
Specifies the options for server-side SSL/TLS authentication.
This class holds the settings used to secure server-side network connections with SSL/TLS. It lets developers define certificate validation rules, choose authentication protocols, and customize other security-related aspects of the server's identity and trust.
public sealed class SslServerAuthenticationOptions
This class has no public fields.
public Func<System.Security.Cryptography.X509Certificates.X509Certificate2Collection, System.Security.Cryptography.X509Certificates.X509Certificate2Collection, System.Security.Cryptography.X509Certificates.X509Certificate2Collection> CertificateSelectionCallback { get; set; }
Gets or sets a callback that is invoked to select the certificate to be used for server authentication.
public System.Security.Cryptography.X509Certificates.X509CertificateSelectionMode ClientCertificateOptions { get; set; }
Gets or sets a value that indicates whether the server requests a client certificate.
public System.Net.Security.EncryptionPolicy EncryptionPolicy { get; set; }
Gets or sets the encryption policy for the server connection.
public System.Net.Security.RemoteCertificateValidationCallback RemoteCertificateValidationCallback { get; set; }
Gets or sets a callback that is invoked to validate the server's certificate.
public System.Security.Cryptography.X509Certificates.X509Certificate2 ServerCertificate { get; set; }
Gets or sets the X.509 certificate used for server authentication.
The SslServerAuthenticationOptions class is fundamental for configuring secure server endpoints. By providing a ServerCertificate, you establish the identity of the server. The RemoteCertificateValidationCallback is used to verify the authenticity and trustworthiness of client certificates (when the server requests them) and for any other server-side certificate validation the application needs.
The CertificateSelectionCallback offers finer control over which certificate is presented to the client when multiple certificates are available on the server. The ClientCertificateOptions determine if and how the server requests a certificate from the client during the TLS handshake.
EncryptionPolicy allows you to enforce specific encryption levels and cipher suites, enhancing the security posture of your server.
The following example demonstrates how to configure SslServerAuthenticationOptions for a simple TLS server.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
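public class SslServerExample
{
    /// <summary>
    /// Listens for TCP clients on <paramref name="port"/> and hands each accepted
    /// connection to <see cref="HandleClientAsync"/> on the thread pool. Never returns.
    /// </summary>
    /// <param name="port">Local TCP port to bind on all interfaces.</param>
    public static async Task RunServerAsync(int port)
    {
        var listener = new TcpListener(IPAddress.Any, port);
        listener.Start();
        Console.WriteLine($"Server started on port {port}");

        // Load your server certificate. The path and PFX password are placeholders;
        // in a real deployment read the password from configuration or a secret
        // store rather than keeping it in source.
        var serverCertificate = new X509Certificate2("path/to/your/server.pfx", "your_password");

        while (true)
        {
            TcpClient client = await listener.AcceptTcpClientAsync();
            // Fire-and-forget is acceptable here: HandleClientAsync catches its own
            // exceptions and closes the client itself, so nothing is left unobserved.
            _ = Task.Run(() => HandleClientAsync(client, serverCertificate));
        }
    }

    /// <summary>
    /// Performs the TLS handshake as the server (requiring and validating a client
    /// certificate), then reads one message and replies with a fixed greeting.
    /// </summary>
    /// <param name="tcpClient">Accepted connection; closed before this method returns.</param>
    /// <param name="serverCertificate">Certificate that identifies this server.</param>
    private static async Task HandleClientAsync(TcpClient tcpClient, X509Certificate2 serverCertificate)
    {
        // leaveInnerStreamOpen: false — disposing the SslStream also disposes the network stream.
        using (var sslStream = new SslStream(tcpClient.GetStream(), false))
        {
            try
            {
                var authOptions = new SslServerAuthenticationOptions
                {
                    ServerCertificate = serverCertificate,
                    ClientCertificateOptions = CertificateSelectionMode.RequireCertificate, // Or NegotiateClientCertificate, AllowAnyClientCertificate
                    RemoteCertificateValidationCallback = ValidateClientCertificate // Custom validation logic
                };
                await sslStream.AuthenticateAsServerAsync(authOptions);
                Console.WriteLine("Client authenticated.");

                // Example: Read data from client
                var buffer = new byte[1024];
                int bytesRead = await sslStream.ReadAsync(buffer, 0, buffer.Length);
                if (bytesRead == 0)
                {
                    // Zero bytes means the peer closed the connection; there is nothing to
                    // decode and no point in writing a response to a closed stream.
                    Console.WriteLine("Client disconnected without sending data.");
                    return;
                }
                string message = Encoding.UTF8.GetString(buffer, 0, bytesRead);
                Console.WriteLine($"Received from client: {message}");

                // Example: Send data back to client
                byte[] responseBytes = Encoding.UTF8.GetBytes("Hello from server!");
                await sslStream.WriteAsync(responseBytes, 0, responseBytes.Length);
                await sslStream.FlushAsync();
                Console.WriteLine("Response sent to client.");
            }
            catch (AuthenticationException ex)
            {
                // Handshake failures (rejected or missing client certificate, protocol
                // mismatch) are reported separately so they stand out from plain I/O errors.
                Console.WriteLine($"TLS handshake failed: {ex.Message}");
            }
            catch (Exception ex)
            {
                Console.WriteLine($"Error during SSL/TLS authentication or communication: {ex.Message}");
            }
            finally
            {
                tcpClient.Close();
            }
        }
    }

    /// <summary>
    /// Custom client certificate validation logic: accepts the client only when the
    /// platform reported no policy errors. Any error — untrusted chain, name mismatch,
    /// or no certificate presented at all (SslPolicyErrors.RemoteCertificateNotAvailable) —
    /// rejects the handshake.
    /// </summary>
    /// <returns><c>true</c> to accept the client certificate; otherwise <c>false</c>.</returns>
    private static bool ValidateClientCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            // Certificate is valid and trusted.
            return true;
        }

        // Do not allow this client; log the reason so rejected handshakes are visible.
        Console.WriteLine($"Certificate error: {sslPolicyErrors}");
        return false;
    }

    /// <summary>Entry point: runs the sample server until the process is terminated.</summary>
    public static async Task Main(string[] args)
    {
        await RunServerAsync(8080); // Use a secure port, e.g., 443
    }
}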
Supported in: 4.7 and later
Supported in: 2.1 and later
Supported in: 2.1 and later