The System.Net.Security.AuthenticationLevel enumeration specifies the client's authentication requirements when WebRequest and its derived classes (HttpWebRequest, FtpWebRequest, FileWebRequest) request a resource; it is set through the WebRequest.AuthenticationLevel property. It controls whether the server must prove its identity to the client through the authentication protocol that is negotiated for the request (mutual authentication, which in practice means Kerberos via Negotiate; NTLM and Basic do not authenticate the server). It is not a TLS setting: certificate-based server and client authentication is configured on SslStream and on the certificate validation callbacks, independently of this enumeration.
The enumeration lets developers state how much assurance about the server's identity a request needs before credentials and data are sent. The default for WebRequest is MutualAuthRequested; whether mutual authentication actually took place can be read afterwards from WebResponse.IsMutuallyAuthenticated.
| Name | Value | Description |
|---|---|---|
| None | 0 | No authentication is required for the client or the server. This is the least secure option. |
| MutualAuthRequested | 1 | The client and server should be authenticated. The request does not fail if the server is not authenticated; check WebResponse.IsMutuallyAuthenticated to find out whether it was. This is the default for WebRequest. |
| MutualAuthRequired | 2 | The client and server should be authenticated. If the server cannot be authenticated, the request fails. |
```csharp
namespace System.Net.Security
{
    public enum AuthenticationLevel
    {
        None = 0,                // no authentication required for client or server
        MutualAuthRequested = 1, // ask for mutual authentication, tolerate its absence (default for WebRequest)
        MutualAuthRequired = 2   // fail the request unless the server is authenticated
    }
}
```
```csharp
using System;
using System.Net;
using System.Net.Security;

public class Example
{
    // AuthenticationLevel is a property of WebRequest; SslClientAuthenticationOptions has no such member.
    public HttpWebRequest ConfigureSecurity(string url)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.UseDefaultCredentials = true; // Negotiate with the caller's Windows identity

        // Set the authentication level: fail the request unless the server is authenticated too
        request.AuthenticationLevel = AuthenticationLevel.MutualAuthRequired;
        return request;
    }
}
```
The AuthenticationLevel enumeration defines the possible levels of authentication for network security. Understanding these levels is crucial for implementing secure communication protocols.
None
When AuthenticationLevel.None is specified, no authentication is required for the client or the server: the request is sent with no requirement that the server prove its identity through the authentication protocol. This gives no assurance, at the authentication layer, about who answered the request, and it is not recommended where credentials are sent. It does not switch off TLS server certificate validation for an https URL, which is handled separately; use None only when server identity is established by other means or genuinely does not matter.
MutualAuthRequested
With AuthenticationLevel.MutualAuthRequested (the default for WebRequest), the client asks for mutual authentication: if the negotiated scheme supports it (Kerberos through Negotiate), the server authenticates itself to the client as part of the exchange. The request still succeeds if the server is not authenticated, for example because NTLM was negotiated instead of Kerberos, so this level verifies the server's identity only when the environment happens to support it. Inspect WebResponse.IsMutuallyAuthenticated on the response to learn whether it actually occurred.
MutualAuthRequired
Setting AuthenticationLevel.MutualAuthRequired makes mutual authentication mandatory. The client authenticates to the server with its credentials, and the server must authenticate itself back; if the server cannot be authenticated, the request fails instead of completing. This is the level to use when the client must not hand data to, or act on a response from, a server whose identity the authentication protocol did not confirm. "Mutual" here refers to the authentication protocol (Kerberos), not to TLS client certificates, which are a separate mechanism.
These settings do not apply to SslStream. For an SslStream, the requirements are expressed on SslClientAuthenticationOptions (TargetHost, ClientCertificates, RemoteCertificateValidationCallback, CertificateRevocationCheckMode) and SslServerAuthenticationOptions (ServerCertificate, ClientCertificateRequired, RemoteCertificateValidationCallback); neither type has an AuthenticationLevel property. AuthenticationLevel is set on WebRequest.AuthenticationLevel, and the outcome is reported by WebResponse.IsMutuallyAuthenticated.
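What the SslStream references on this page are reaching for is TLS mutual authentication, which is configured on SslServerAuthenticationOptions rather than through AuthenticationLevel. The following is an added example (not code from the original page or from the .NET documentation) of a server that requests, validates and then insists on a client certificate. The PFX path and password, the client-CA thumbprint, the loopback port and the .NET 6+ AcceptTcpClientAsync(CancellationToken) overload are assumptions made for this illustration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// TLS mutual authentication on an SslStream server. Everything here is configured through
// SslServerAuthenticationOptions; AuthenticationLevel plays no part in it.
public static class MutualTlsServerExample
{
    // Assumed inputs: a PFX holding the server's key, and the thumbprint of the CA that issues client certificates.
    private const string ServerPfxPath = "server.pfx";
    private const string ServerPfxPassword = "changeit";
    private const string ClientCaThumbprint = "<thumbprint of the client-issuing CA>";

    // Accepts one connection on the loopback interface and completes a handshake that
    // requires a client certificate issued by the expected CA. Returns true only if the
    // peer presented an acceptable certificate.
    public static async Task<bool> AcceptOneClientAsync(int port, CancellationToken ct)
    {
        var listener = new TcpListener(IPAddress.Loopback, port);
        listener.Start();
        try
        {
            using TcpClient tcp = await listener.AcceptTcpClientAsync(ct);
            using var serverCert = new X509Certificate2(ServerPfxPath, ServerPfxPassword);
            using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);

            var options = new SslServerAuthenticationOptions
            {
                ServerCertificate = serverCert,
                ClientCertificateRequired = true,                 // ask the client for a certificate
                EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
                CertificateRevocationCheckMode = X509RevocationMode.Online,
                RemoteCertificateValidationCallback = ValidateClientCertificate,
            };

            // Throws AuthenticationException when the callback rejects the client.
            await ssl.AuthenticateAsServerAsync(options, ct);

            // Defence in depth: ClientCertificateRequired only asks, the callback is the policy;
            // confirm a certificate was actually presented before trusting the peer.
            if (ssl.RemoteCertificate == null || !ssl.IsMutuallyAuthenticated)
                return false;

            // Application data would be exchanged over ssl here.
            return true;
        }
        catch (AuthenticationException ex)
        {
            Console.WriteLine($"Client rejected: {ex.Message}");
            return false;
        }
        finally
        {
            listener.Stop();
        }
    }

    // Policy: a certificate must be present, chain to a trusted root with no policy errors,
    // and be issued directly by the expected client CA (assumed thumbprint above).
    private static bool ValidateClientCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null || chain == null)
            return false;                                   // no certificate presented (RemoteCertificateNotAvailable)
        if (errors != SslPolicyErrors.None)
            return false;                                   // chain, revocation or name errors
        if (chain.ChainElements.Count < 2)
            return false;                                   // self-signed leaf: there is no issuer to check

        string issuerThumbprint = chain.ChainElements[1].Certificate.Thumbprint;
        return string.Equals(issuerThumbprint, ClientCaThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

The callback, not the ClientCertificateRequired flag, is what decides whether a connection without a certificate is rejected: when the client sends none, the callback is invoked with a null certificate and returns false, so AuthenticateAsServerAsync throws. The post-handshake check on RemoteCertificate and IsMutuallyAuthenticated guards against a later change to the callback that accidentally accepts a missing certificate.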
The following C# code snippet demonstrates how to configure a client-side HttpWebRequest to require mutual authentication and how to confirm the result.
```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Threading.Tasks;

public class MutualAuthClientExample
{
    // Requests a resource and insists that the server authenticate itself to the client.
    // Returns true only when a response arrived and was mutually authenticated.
    public async Task<bool> RequestSecurelyAsync(string url)
    {
        try
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);

            // Authenticate with the current Windows identity via Negotiate; mutual authentication
            // needs Kerberos, which in turn requires a registered SPN for the target host.
            request.UseDefaultCredentials = true;

            // Enforce mutual authentication: the request fails if the server cannot be authenticated.
            request.AuthenticationLevel = AuthenticationLevel.MutualAuthRequired;

            using (HttpWebResponse response = (HttpWebResponse)await request.GetResponseAsync())
            {
                Console.WriteLine($"Status: {(int)response.StatusCode}, mutually authenticated: {response.IsMutuallyAuthenticated}");
                // Proceed with secure communication here, e.g. read response.GetResponseStream()
                return response.IsMutuallyAuthenticated;
            }
        }
        catch (WebException ex)
        {
            // Raised when the server could not be authenticated (e.g. only NTLM was available)
            // as well as for ordinary transport and HTTP errors.
            Console.WriteLine($"Request failed ({ex.Status}): {ex.Message}");
            return false;
        }
    }
}
```
This example creates an HttpWebRequest, sets AuthenticationLevel to MutualAuthRequired, sends the current Windows credentials through Negotiate, and then checks IsMutuallyAuthenticated on the response. If the server cannot be authenticated, the request fails with a WebException instead of returning a response. HttpWebRequest is a legacy API; on .NET Core and later it is implemented over HttpClient, so verify on the target runtime that the level is enforced and that IsMutuallyAuthenticated reports what you expect before relying on it.