Represents the method that is called when a certificate is being validated.
public delegate bool CertificateValidateCallback(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors
);
object sender
The object that initiated the callback.
X509Certificate certificate
The certificate to be validated.
X509Chain chain
The chain of certificates used to authenticate the remote party.
SslPolicyErrors sslPolicyErrors
One or more errors associated with the validation policy.
bool
true to allow the connection; otherwise, false.
The CertificateValidateCallback delegate is used to customize certificate validation for SslStream and other classes that establish secure connections. When a remote certificate needs to be validated, the SslStream calls the method referenced by this delegate.
You can use this delegate to implement custom validation logic, such as checking for specific certificate properties, validating against a custom trust store, or ignoring certain SslPolicyErrors.
Security Note: You should exercise extreme caution when implementing custom certificate validation logic. Improper validation can expose your application to security risks such as man-in-the-middle attacks. Always validate that the certificate is trusted, has not expired, and matches the intended server.
To use a custom validation callback, you typically assign your method to the RemoteCertificateValidationCallback property of an SslClientAuthenticationOptions object or a similar configuration object before establishing the SSL/TLS connection.
The following example demonstrates how to create a custom certificate validation callback that allows connections even if there are SslPolicyErrors, but logs the errors. This is generally not recommended for production environments.
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public class MyValidator
{
public static bool MyRemoteCertificateValidationCallback(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
Console.WriteLine("Certificate Validation Callback:");
Console.WriteLine($" Sender: {sender}");
Console.WriteLine($" Certificate: {certificate?.Subject ?? "N/A"}");
Console.WriteLine($" Chain Status: {chain?.ChainStatus.Length ?? 0} issues");
Console.WriteLine($" SSL Policy Errors: {sslPolicyErrors}");
// In a real-world scenario, you would perform more robust validation here.
// For this example, we will allow the connection if there are only
// specific known acceptable errors, or no errors.
// For demonstration purposes, we'll return true to allow the connection.
// NEVER do this in production without thorough validation.
if (sslPolicyErrors == SslPolicyErrors.None)
{
Console.WriteLine(" Validation successful (no errors).");
return true;
}
// Example: If you want to ignore a specific error type for testing
// if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateNameMismatch)
// {
// Console.WriteLine(" Ignoring RemoteCertificateNameMismatch error.");
// return true;
// }
Console.WriteLine(" Validation failed. Allowing connection for demonstration.");
return true; // Returning true for demonstration. Handle with care.
}
// How to use it (simplified example, not a full connection setup)
public void SetupClient()
{
// Assuming you have an SslClientAuthenticationOptions object
// SslClientAuthenticationOptions options = new SslClientAuthenticationOptions();
// options.RemoteCertificateValidationCallback = MyRemoteCertificateValidationCallback;
// ... proceed with connection ...
}
}