RemoteCertificateChainPolicy
Represents the policy used to validate a certificate trust chain.
Assembly: System.Net.Security.dll
Introduction
The RemoteCertificateChainPolicy class provides a mechanism to define and manage the rules and criteria that are applied when verifying the trust chain of a remote server's certificate. This is a crucial part of establishing secure communication channels, particularly for protocols like TLS/SSL. By customizing the policy, developers can enforce specific security requirements beyond the default trust store validation.
Properties
Name | Description
---|---
CertificatePolicy | Gets or sets the certificate policy to use for chain validation.
RevocationMode | Gets or sets the revocation mode for certificate validation.
VerificationFlags | Gets or sets the flags that control the behavior of the X.509 certificate chain verification.
Methods
Name | Description
---|---
Reset() | Resets the policy to its default values.
Remarks
When a client connects to a server using a secure protocol (like HTTPS or FTPS), the server presents its digital certificate. This certificate is part of a chain of trust that leads back to a trusted root certificate authority (CA). The RemoteCertificateChainPolicy allows you to specify how this chain should be evaluated.
Key aspects controlled by this policy include:
- Certificate Revocation Checking: You can specify whether to check for certificate revocation (e.g., if a certificate has been revoked by the CA).
- Trust Anchor Configuration: You can define custom trust anchors or alter how existing trust anchors are used.
- Validation Flags: Control specific behaviors like ignoring expiry dates or requiring specific certificate properties.
This class is often used in conjunction with the System.Net.Security.RemoteCertificateValidationCallback delegate, which is invoked during the SSL/TLS handshake to perform custom certificate validation.
Correct use of RemoteCertificateChainPolicy is vital for security. Incorrectly loosening validation rules can expose your application to man-in-the-middle attacks and other security vulnerabilities. Always understand the implications of the settings you choose.
CertificatePolicy Property
Gets or sets the certificate policy to use for chain validation.
This property typically refers to the default system policy or a custom policy you might define.
RevocationMode Property
Gets or sets the revocation mode for certificate validation.
This property determines how certificate revocation is checked. Common values include:
- NoCheck: Revocation is not checked. (Not recommended for production environments.)
- Online: The system attempts to contact revocation servers.
- Offline: The system uses cached revocation information.
Example:
using System.Net.Security;
using System.Security.Cryptography.X509Certificates; // X509RevocationMode lives here
// ...
RemoteCertificateChainPolicy policy = new RemoteCertificateChainPolicy();
policy.RevocationMode = X509RevocationMode.Online; // contact revocation servers during validation
VerificationFlags Property
Gets or sets the flags that control the behavior of the X.509 certificate chain verification.
These flags allow for fine-grained control over the validation process. Values include:
- NoFlag: No special flags are set.
- AllowUnknownCertificateAuthority: Allows certificates issued by unknown CAs. (Use with extreme caution.)
- AllowEndCertificateInRevocationList: Allows the end-certificate to be in a revocation list.
- ... (other flags for specific scenarios)
Example:
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
// ...
RemoteCertificateChainPolicy policy = new RemoteCertificateChainPolicy();
// Accepts chains that do not terminate in a trusted root; only appropriate for test environments
policy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
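The following is an added example (not from this page or the library) showing how the RevocationMode and VerificationFlags settings above can be enforced from a RemoteCertificateValidationCallback, with the strict settings in place of the AllowUnknownCertificateAuthority relaxation. It assumes the RemoteCertificateChainPolicy class documented here is available and that its property values are the same X509 enums the page's examples assign, so they can be copied onto an X509Chain.ChainPolicy for a re-check.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class StrictChainValidation
{
    // Strict policy: revocation is checked online and no relaxation flags are set.
    // Setting VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority
    // here would accept any self-signed or rogue-CA certificate; keep NoFlag in production.
    static readonly RemoteCertificateChainPolicy Policy = new RemoteCertificateChainPolicy
    {
        RevocationMode = X509RevocationMode.Online,
        VerificationFlags = X509VerificationFlags.NoFlag,
    };

    // Signature matches System.Net.Security.RemoteCertificateValidationCallback;
    // pass it to SslStream, e.g. new SslStream(stream, false, ValidateServerCertificate).
    public static bool ValidateServerCertificate(object sender, X509Certificate? certificate,
        X509Chain? chain, SslPolicyErrors sslPolicyErrors)
    {
        // Any error the handshake already reported (no certificate, name mismatch,
        // chain error) is fatal; never "return true" to silence these.
        if (certificate is null || sslPolicyErrors != SslPolicyErrors.None)
            return false;

        // Re-build the chain under our own policy (assumption: the policy's values are
        // the X509 enums accepted by X509Chain.ChainPolicy, as the page's examples show).
        using var strictChain = new X509Chain();
        strictChain.ChainPolicy.RevocationMode = Policy.RevocationMode;
        strictChain.ChainPolicy.VerificationFlags = Policy.VerificationFlags;
        strictChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;

        bool built = strictChain.Build(new X509Certificate2(certificate));

        // Log every non-clean status so a failed connection can be diagnosed from the logs.
        foreach (X509ChainStatus status in strictChain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NoError)
                Console.Error.WriteLine(
                    $"chain check failed: {status.Status} ({status.StatusInformation})");
        }
        return built;
    }
}
```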
Reset() Method
Resets the policy to its default values.
This method is useful if you have modified the policy and want to revert to the system's default security settings.
Example:
using System.Net.Security;
// ...
RemoteCertificateChainPolicy policy = new RemoteCertificateChainPolicy();
// Modify policy settings here...
policy.Reset(); // Reverts to default settings