Microsoft Docs

Documentation for .NET and Visual Studio

GlobalSSLSettings Class

Namespace: System.Net

Assembly: System (in System.dll)

Syntax

public static class GlobalSSLSettings

Remarks

The GlobalSSLSettings class provides a way to configure global settings for SSL/TLS protocol validation across your .NET application. This allows you to enforce specific security requirements or bypass certain checks, though it's generally recommended to maintain strong security defaults.

Using this class can affect the security of network communications. Exercise caution when modifying these settings and ensure you understand the implications for your application's security posture.

By default, .NET applications use the operating system's certificate store and validation policies. Modifying these global settings bypasses the default behavior and requires careful consideration.

Properties

Name: Description
AllowInsecureRenegotiation: Gets or sets a Boolean value that indicates whether to allow insecure SSL renegotiation. Default is false.
DefaultCertificatePolicy: Gets or sets the default certificate policy used for SSL/TLS connections. This allows for custom validation logic.
SslEnabled: Gets or sets a Boolean value that indicates whether SSL is enabled for network communications. Note: This property is largely deprecated and its behavior may be inconsistent across different .NET versions.
SystemDefaultTlsProtocols: Gets or sets a value that specifies whether to use the system default TLS protocol versions. When set to true, .NET will defer to the operating system's configuration for the highest supported TLS versions. When false, .NET uses its own negotiated TLS protocol versions.

Examples

Allowing Insecure SSL Renegotiation (for compatibility scenarios, use with extreme caution)

using System;      // Console, Exception
using System.Net;  // GlobalSSLSettings (see Namespace above)

// ...

try
{
    GlobalSSLSettings.AllowInsecureRenegotiation = true;
    Console.WriteLine("Insecure SSL renegotiation is now allowed.");
    // Proceed with your SSL/TLS operations
}
catch (Exception ex)
{
    Console.WriteLine($"Error configuring SSL settings: {ex.Message}");
}
finally
{
    // This setting is global to the application, so restore the default (false)
    // once the operations that needed it have finished, or otherwise manage its scope.
    // GlobalSSLSettings.AllowInsecureRenegotiation = false;
}

Using a Custom Certificate Policy

using System;      // Console, Exception
using System.Net;  // GlobalSSLSettings (see Namespace above)
using System.Security.Cryptography.X509Certificates;

// Define a custom certificate policy
public class MyCustomCertificatePolicy : ICertificatePolicy
{
    public bool ShouldAcceptCertificate(X509Certificate cert, string host)
    {
        // Implement your custom validation logic here.
        // For example, check for specific issuers, expiration, or host name matches.
        Console.WriteLine($"Validating certificate for host: {host}");
        // This is a simplified example that accepts any certificate,
        // so the server is not authenticated at all.
        // In a real-world scenario, you MUST implement proper validation.
        return true;
    }
}

// ...

try
{
    MyCustomCertificatePolicy customPolicy = new MyCustomCertificatePolicy();
    GlobalSSLSettings.DefaultCertificatePolicy = customPolicy;
    Console.WriteLine("Custom certificate policy set.");
    // Network operations using SSL will now use this policy
}
catch (Exception ex)
{
    Console.WriteLine($"Error configuring custom policy: {ex.Message}");
}
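The sample policy above returns true for every certificate. As a contrast, the following policy fails closed: it accepts a certificate only when the host has a pinned entry, the chain builds to a trusted root with revocation checking, and the SHA-256 hash of the certificate matches the pin. This is an added example, not code from the original page; it assumes ICertificatePolicy exposes ShouldAcceptCertificate(cert, host) exactly as in the sample above, and the host name and pin value are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example. Assumes the ICertificatePolicy shape used in the sample above.
public sealed class PinnedCertificatePolicy : ICertificatePolicy
{
    // Constructed placeholder: host name -> SHA-256 (hex) of the expected certificate.
    private static readonly Dictionary<string, string> Pins =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "api.example.test", "<SHA256-OF-EXPECTED-CERTIFICATE-HEX>" },
        };

    public bool ShouldAcceptCertificate(X509Certificate cert, string host)
    {
        // Fail closed on missing input or on a host that has no pin.
        if (cert == null || string.IsNullOrEmpty(host)) return false;
        string expected;
        if (!Pins.TryGetValue(host, out expected)) return false;

        using (var leaf = new X509Certificate2(cert))
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            // Build() returns false for an expired, revoked or untrusted chain.
            if (!chain.Build(leaf)) return false;

            // The pin ties this exact certificate to the requested host.
            return string.Equals(Sha256Hex(leaf), expected,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }

    private static string Sha256Hex(X509Certificate2 certificate)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(certificate.RawData);
            return BitConverter.ToString(digest).Replace("-", string.Empty);
        }
    }
}

// Registration, using the property documented on this page:
// GlobalSSLSettings.DefaultCertificatePolicy = new PinnedCertificatePolicy();
```

Because the pin is the hash of one specific certificate, the table has to be updated before that certificate is renewed or replaced.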

Requirements

Namespace: System.Net

Assembly: System (in System.dll)