MSDN Library

System.Net.Security.HostnameComparisonRules Enumeration

Summary

Namespace:
System.Net.Security
Assembly:
System.dll
Inheritance:
Object > ValueType > Enum > HostnameComparisonRules
Attributes:
[SerializableAttribute]
[ComVisibleAttribute(true)]

Specifies the rules for comparing host names when establishing an SSL/TLS connection.

Members

The HostnameComparisonRules enumeration defines the following members:

StrongComparison
    Performs a strict, case-insensitive comparison of the host name to the certificate's subject name or subject alternative name. This is the most secure comparison method.

TolerateCertificateChainErrors
    Performs a comparison that tolerates some certificate chain errors. This is less secure than StrongComparison and should be used with caution.

AllowWildcardAndLocalhost
    Allows wildcard characters in host names and explicitly permits the use of "localhost". This is the least secure comparison method and should generally be avoided for production environments.

Remarks

When you are validating an SSL/TLS certificate, the host name of the server you are connecting to must be compared against the names listed in the certificate. The HostnameComparisonRules enumeration provides options for how this comparison is performed.

The StrongComparison rule is recommended for most scenarios because it enforces strict matching and therefore provides the highest level of security. The other rules exist for backward compatibility or for specific scenarios that require less strict matching, but they increase the risk of man-in-the-middle attacks.
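To make the differences between the three rules concrete, here is an added reference implementation in C#. It is not the runtime's own matching code and is not taken from this page; it applies the rules as described above to a target host and a list of DNS names taken from a server certificate, in a shape that can be called from a RemoteCertificateValidationCallback. Two points are assumptions rather than documented behaviour: wildcard names are interpreted in the RFC 6125 style (a lone "*" as the left-most label, matching exactly one label, never a public suffix), and "explicitly permits localhost" is modelled as accepting a loopback target only under AllowWildcardAndLocalhost. The enumeration is redeclared so the file compiles on its own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Security;

// Added reference implementation (not the .NET runtime's own matching code).
// The enumeration from this page is redeclared only so the file is self-contained.
public enum HostnameComparisonRules
{
    StrongComparison,
    TolerateCertificateChainErrors,
    AllowWildcardAndLocalhost
}

public static class HostnameMatcher
{
    // DNS names are case-insensitive; drop a trailing dot so "WWW.Example.com."
    // and "www.example.com" compare equal.
    private static string Normalize(string name) =>
        name.Trim().TrimEnd('.').ToLowerInvariant();

    // "localhost" or a loopback IP address (127.0.0.1, ::1).
    public static bool IsLoopback(string host)
    {
        string n = Normalize(host);
        return n == "localhost"
            || (IPAddress.TryParse(n, out IPAddress ip) && IPAddress.IsLoopback(ip));
    }

    // Wildcard matching in the RFC 6125 style (an assumption about the rule's
    // semantics): "*" must be the whole left-most label, it matches exactly one
    // label of the host, and at least two fixed labels must follow it, so that
    // "*.com" never matches anything.
    public static bool WildcardMatches(string pattern, string host)
    {
        string[] p = Normalize(pattern).Split('.');
        string[] h = Normalize(host).Split('.');
        if (p.Length < 3 || p[0] != "*" || p.Length != h.Length)
            return false;
        return p.Skip(1).SequenceEqual(h.Skip(1));
    }

    // Name check only; chain errors are handled in Validate.
    public static bool NameMatches(string targetHost, IEnumerable<string> certificateNames,
                                   HostnameComparisonRules rule)
    {
        string host = Normalize(targetHost);
        var names = certificateNames.Select(Normalize).ToList();
        bool exact = names.Contains(host);

        if (rule != HostnameComparisonRules.AllowWildcardAndLocalhost)
            // Strict rules: exact match only, no wildcard expansion, and a loopback
            // target is refused (assumption: only the permissive rule allows it).
            return exact && !IsLoopback(host);

        // Permissive rule: exact match, a single-label wildcard match, or any
        // loopback target (assumed to model "explicitly permits localhost").
        return exact || IsLoopback(host) || names.Any(n => WildcardMatches(n, host));
    }

    // Full decision, combining the host-name rule with the SslPolicyErrors that
    // the runtime reports to a RemoteCertificateValidationCallback.
    public static bool Validate(string targetHost, IEnumerable<string> certificateNames,
                                SslPolicyErrors errors, HostnameComparisonRules rule)
    {
        // No certificate at all is never acceptable.
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
            return false;
        // Chain problems (untrusted root, expired, revoked) pass only under the
        // tolerant rule.
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)
            && rule != HostnameComparisonRules.TolerateCertificateChainErrors)
            return false;
        // The runtime's RemoteCertificateNameMismatch flag is not consulted here
        // because the name comparison is redone under the chosen rule.
        return NameMatches(targetHost, certificateNames, rule);
    }

    public static void Main()
    {
        // Constructed sample certificate names; no real certificate is involved.
        var names = new[] { "www.example.com", "*.example.com" };
        var cases = new (string host, SslPolicyErrors errors)[]
        {
            ("www.example.com", SslPolicyErrors.None),
            ("API.example.com", SslPolicyErrors.None),   // only the wildcard covers this
            ("a.b.example.com", SslPolicyErrors.None),   // wildcard spans one label: rejected
            ("www.example.com", SslPolicyErrors.RemoteCertificateChainErrors),
            ("localhost",       SslPolicyErrors.None)
        };

        foreach (HostnameComparisonRules rule in Enum.GetValues(typeof(HostnameComparisonRules)))
            foreach (var (host, errors) in cases)
                Console.WriteLine($"{rule,-30} {host,-17} {errors,-29} -> " +
                                  (Validate(host, names, errors, rule) ? "accept" : "reject"));
    }
}
```

Running Main prints one accept/reject line per rule and case: only AllowWildcardAndLocalhost accepts "API.example.com" (via the wildcard) and "localhost", only TolerateCertificateChainErrors accepts the case carrying RemoteCertificateChainErrors, and "a.b.example.com" is rejected under every rule because the wildcard covers a single label. To plug the matcher into a real connection, assign a lambda that calls Validate to the RemoteCertificateValidationCallback property of SslClientAuthenticationOptions.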

Requirements

Namespace:
System.Net.Security
Platform:
Windows, Linux, macOS
Framework:
.NET Framework 2.0 and later, .NET Core, .NET 5+

Example Usage

The following code snippet demonstrates how to use HostnameComparisonRules with the SslClientAuthenticationOptions class:

using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public class SslClientExample
{
    public static async Task ConnectAsync(string host, int port)
    {
        using (var client = new TcpClient())
        {
            await client.ConnectAsync(host, port);

            // leaveInnerStreamOpen = false: disposing the SslStream also closes the socket stream
            using (var sslStream = new SslStream(client.GetStream(), false))
            {
                var options = new SslClientAuthenticationOptions
                {
                    TargetHost = host,
                    ClientCertificates = null, // No client certificate needed for this example
                    // Revocation checking is disabled only to keep the example short;
                    // use X509RevocationMode.Online in production.
                    CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
                    EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
                    HostnameComparisonMode = HostnameComparisonRules.StrongComparison // Strict host-name matching
                };

                try
                {
                    await sslStream.AuthenticateAsClientAsync(options);
                    Console.WriteLine("SSL/TLS connection established successfully.");
                    // Proceed with secure communication...
                }
                catch (AuthenticationException ex)
                {
                    // Certificate or host-name validation failed; the stream must not be used.
                    Console.WriteLine($"Authentication failed: {ex.Message}");
                }
            }
        }
    }

    // Entry point: connects to the host given on the command line (default www.example.com:443)
    public static async Task Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "www.example.com";
        await ConnectAsync(host, 443);
    }
}