Overview
The SSLStream class provides a stream that uses the Secure Sockets Layer (SSL) protocol, or its successor Transport Layer Security (TLS), to encrypt and decrypt data transmitted over a network. It derives from the System.IO.Stream abstract class and can be used to secure any underlying Stream object such as a NetworkStream.
Syntax
/// <summary>
/// Sealed <see cref="Stream"/> subclass that wraps an inner stream and encrypts and
/// decrypts the data passing through it. Only the constructors are listed here.
/// </summary>
public sealed class SSLStream : Stream
{
// Wraps innerStream. No certificate validation or selection callback is supplied by the caller.
public SSLStream(Stream innerStream);
// leaveInnerStreamOpen: presumably controls whether innerStream stays open after this
// stream is closed - confirm against the implementation.
public SSLStream(Stream innerStream, bool leaveInnerStreamOpen);
// userCertificateValidationCallback: caller-supplied delegate that decides whether the
// remote party's certificate is accepted.
// NOTE(review): a callback that returns true unconditionally removes peer authentication.
// It should accept only SslPolicyErrors.None, as the example on this page does.
public SSLStream(Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback userCertificateValidationCallback);
// userCertificateSelectionCallback: caller-supplied delegate for choosing the local
// certificate. The example on this page passes null for it.
public SSLStream(Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback userCertificateValidationCallback, LocalCertificateSelectionCallback userCertificateSelectionCallback);
// ... members
}
Properties
- bool IsAuthenticated { get; } – Indicates whether the SSL authentication succeeded.
- bool IsEncrypted { get; } – True when data is encrypted.
- bool IsSigned { get; } – True when data is signed.
- bool IsServer { get; } – True if the stream was authenticated as a server.
- bool CheckCertRevocationStatus { get; set; } – Enable or disable certificate revocation checking.
- SslProtocols SslProtocol { get; } – The SSL/TLS protocol version in use.
- X509Certificate RemoteCertificate { get; } – The remote party's certificate.
- int ReadTimeout { get; set; }
- int WriteTimeout { get; set; }
Methods
Authentication
I/O
Miscellaneous
// --- Authentication ---
// NOTE(review): System.IO.Stream declares no AuthenticateAsClient member, so the
// `override` modifier on this method and on its async variant looks like a
// documentation slip - confirm against the real declaration.
// targetHost: presumably the name the server's certificate is checked against - confirm.
public override void AuthenticateAsClient(string targetHost);
// Client handshake with explicit client certificates, enabled protocol versions and
// a flag for certificate revocation checking.
public void AuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation);
// Task-returning variant of the single-argument client handshake.
public override Task AuthenticateAsClientAsync(string targetHost);
// Server handshake. serverCertificate is the certificate supplied for the server side.
public void AuthenticateAsServer(X509Certificate serverCertificate);
// Task-returning variant of the server handshake.
public Task AuthenticateAsServerAsync(X509Certificate serverCertificate);
// --- I/O ---
// Read returns an int. The example on this page treats a value of 0 or less as end of data.
public override int Read(byte[] buffer, int offset, int count);
public override Task<int> ReadAsync(byte[] buffer, int offset, int count, CancellationToken cancellationToken);
public override void Write(byte[] buffer, int offset, int count);
public override Task WriteAsync(byte[] buffer, int offset, int count, CancellationToken cancellationToken);
public override void Flush();
// --- Miscellaneous ---
// Capability and positioning members overridden from Stream.
// NOTE(review): the page does not say whether seeking is supported. .NET's SslStream
// does not support it, so confirm before relying on Length, Position, Seek or SetLength.
public override bool CanRead { get; }
public override bool CanWrite { get; }
public override bool CanSeek { get; }
public override long Length { get; }
public override long Position { get; set; }
public override long Seek(long offset, SeekOrigin origin);
public override void SetLength(long value);
Events
The SSLStream class does not expose its own events. Errors are reported via exceptions or returned Task objects.
Examples
Below is a simple client implementation that connects to a server over SSL.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
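/// <summary>
/// Minimal client: opens a TCP connection, authenticates the server over the
/// secured stream, sends one HTTP/1.1 GET request and prints the raw response.
/// </summary>
class SslClient
{
    /// <summary>
    /// Connects to the server, performs the client handshake with revocation
    /// checking enabled, writes the request and echoes the response to stdout.
    /// </summary>
    static void Main()
    {
        const string server = "example.com";
        const int port = 443;
        // Upper bound in milliseconds for any single blocking send or receive.
        const int ioTimeoutMs = 10000;

        using var client = new TcpClient(server, port);

        // Without timeouts, a peer that stops responding would block the handshake
        // or the read loop indefinitely.
        client.ReceiveTimeout = ioTimeoutMs;
        client.SendTimeout = ioTimeoutMs;

        using var ssl = new SSLStream(client.GetStream(), false, ValidateServerCertificate, null);

        // Use the overload that enables revocation checking, as the Remarks on this
        // page recommend. No client certificate is sent (null). SslProtocols.None
        // leaves the protocol version to the platform, as with .NET's SslStream.
        ssl.AuthenticateAsClient(server, null, SslProtocols.None, true);

        string request = "GET / HTTP/1.1\r\nHost: " + server + "\r\nConnection: close\r\n\r\n";
        byte[] reqBytes = Encoding.ASCII.GetBytes(request);

        // Use the documented Write(buffer, offset, count) signature.
        ssl.Write(reqBytes, 0, reqBytes.Length);
        ssl.Flush();

        var buffer = new byte[4096];
        int bytes;
        // "Connection: close" makes the server end the stream after the response,
        // which ends this loop when Read stops returning data.
        while ((bytes = ssl.Read(buffer, 0, buffer.Length)) > 0)
        {
            Console.Write(Encoding.ASCII.GetString(buffer, 0, bytes));
        }
    }

    /// <summary>
    /// Accepts the server certificate only when no policy errors were reported.
    /// </summary>
    /// <param name="sender">Object that raised the validation request (unused).</param>
    /// <param name="certificate">Certificate presented by the remote party (unused).</param>
    /// <param name="chain">Certificate chain supplied with the certificate (unused).</param>
    /// <param name="sslPolicyErrors">Errors found while validating the certificate.</param>
    /// <returns>True only when <paramref name="sslPolicyErrors"/> is None.</returns>
    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;
        }

        // Report the reason so a rejected connection can be diagnosed. The fix for a
        // failure is to correct the certificate or trust store, never to return true here.
        Console.Error.WriteLine("Certificate validation failed: " + sslPolicyErrors);
        return false;
    }
}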
Remarks
- Always validate the server certificate to prevent man‑in‑the‑middle attacks. A validation callback that returns true unconditionally disables this protection.
- When using AuthenticateAsServer, you must provide a valid X509 certificate.
- Consider using SslProtocols.Tls13 when both client and server support it.
- Set CheckCertRevocationStatus to true for enhanced security, so that certificates revoked by their issuer are rejected.