System.Net.Security.SslPolicyErrors Enumeration

Namespace: System.Net.Security

Applies to: .NET Framework, .NET Core, .NET 5+

Indicates the reason for an SSL/TLS certificate policy error. This is a flags enumeration: more than one error can be reported at once.

Summary

The SslPolicyErrors enumeration is marked [Flags] and is passed as the last argument of the RemoteCertificateValidationCallback delegate (used by SslStream and ServicePointManager.ServerCertificateValidationCallback) and of HttpClientHandler.ServerCertificateCustomValidationCallback. It tells the application which checks the remote certificate failed, so the callback can decide whether to accept the connection.

Members

Member Value Description
None 0 No SSL policy error occurred. The remote certificate passed all checks.
RemoteCertificateNotAvailable 1 The remote certificate is not available. This happens when the remote side sent no certificate, or sent one that could not be decoded.
RemoteCertificateNameMismatch 2 The host name the client is connecting to does not match any name in the remote certificate.
RemoteCertificateChainErrors 4 The remote certificate chain is invalid: an untrusted root authority, an expired or revoked certificate, a failed revocation check, or another chain-building problem. The specific reasons are reported in the ChainStatus of the X509Chain passed to the validation callback.

Remarks

When establishing an SSL/TLS connection, the client must validate the server's certificate, or it has no assurance of whom it is talking to. The SslPolicyErrors enumeration provides specific flags that inform the application about the problems found during that validation. Developers can use these flags to implement custom certificate validation logic, for example to allow a single pinned internal certificate, or to log detailed information about connection failures. Because the enumeration is a set of flags, test individual bits (HasFlag or a bitwise AND) rather than comparing for equality, and treat only SslPolicyErrors.None as a clean result. A callback that returns true regardless of the flags disables server authentication entirely and exposes the connection to on-path attackers.
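As an added example (not code from the original page or from the .NET reference), the following contrasts a callback that accepts every certificate with one that accepts only a clean validation result, or a chain error whose sole cause is a private root, and then only for one pinned self-signed certificate. It targets .NET 5 or later (Convert.FromHexString); the class name, the internal-service scenario and the all-zero fingerprint are hypothetical placeholders.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertificatePolicy
{
    // Placeholder for the SHA-256 fingerprint of an internal service's self-signed
    // certificate, captured out of band. Hypothetical value; replace it with the real one.
    private static readonly byte[] PinnedSha256Fingerprint =
        Convert.FromHexString("0000000000000000000000000000000000000000000000000000000000000000");

    // INSECURE: returning true for every call disables server authentication. Any
    // on-path attacker can present an arbitrary certificate and the connection succeeds.
    public static bool AcceptAnything(HttpRequestMessage request, X509Certificate2 certificate,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // Hardened: accept a clean result, or a chain error whose only cause is the
    // untrusted (private) root, and only for the exact certificate that was pinned.
    public static bool Validate(HttpRequestMessage request, X509Certificate2 certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
        {
            return true;
        }

        // A missing certificate or a name mismatch is never acceptable, whatever else is set.
        // Equality (not HasFlag) ensures no other flag is combined with the chain error.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || certificate == null)
        {
            return false;
        }

        // Pinning only excuses the untrusted root. An expired or revoked pinned certificate,
        // or one whose revocation status is unknown, still fails.
        if (chain == null ||
            chain.ChainStatus.Any(s => (s.Status & ~X509ChainStatusFlags.UntrustedRoot) != 0))
        {
            return false;
        }

        // Compare the SHA-256 hash of the certificate's DER encoding in constant time.
        byte[] actual = certificate.GetCertHash(HashAlgorithmName.SHA256);
        return CryptographicOperations.FixedTimeEquals(actual, PinnedSha256Fingerprint);
    }

    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            // Revocation checking is not performed unless it is requested.
            CheckCertificateRevocationList = true,
            ServerCertificateCustomValidationCallback = Validate
        };
        return new HttpClient(handler);
    }
}
```

The design keeps the exception as narrow as possible: the pin is consulted only when the one reported flag is RemoteCertificateChainErrors and the chain's only complaint is the untrusted root, so a name mismatch, an expired pinned certificate or a revoked one is still rejected. Rotating the pinned certificate requires updating the fingerprint, which is the price of pinning and should be planned for before deploying it.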

Usage Example

C# Example


using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class CertificateValidator
{
    // Matches the RemoteCertificateValidationCallback delegate used by SslStream and
    // by ServicePointManager.ServerCertificateValidationCallback. The runtime has
    // already built the chain and filled in sslPolicyErrors; the callback decides.
    // In a real-world scenario, you would implement robust certificate validation here.
    // For demonstration, we decode the flags, log the details and accept only a clean result.
    public static bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;
        }

        Console.WriteLine($"Certificate validation failed for: {certificate?.Subject}");

        // SslPolicyErrors is a [Flags] enumeration, so test each bit rather than
        // comparing for equality: several errors can be reported at once.
        if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
        {
            Console.WriteLine("SSL Policy Error: Remote certificate is not available.");
        }
        if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
        {
            Console.WriteLine("SSL Policy Error: Remote certificate name does not match the target host.");
        }
        if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) && chain != null)
        {
            Console.WriteLine("SSL Policy Error: Remote certificate chain is invalid.");

            // The X509Chain argument carries the detail behind RemoteCertificateChainErrors.
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Console.WriteLine($" - Status: {status.Status}");
                Console.WriteLine($" - Information: {status.StatusInformation}");

                if (status.Status.HasFlag(X509ChainStatusFlags.Revoked))
                {
                    Console.WriteLine("   Remote certificate is revoked.");
                }
                else if (status.Status.HasFlag(X509ChainStatusFlags.UntrustedRoot))
                {
                    Console.WriteLine("   Remote certificate chains to an untrusted root authority.");
                }
                else if (status.Status.HasFlag(X509ChainStatusFlags.OfflineRevocation) ||
                         status.Status.HasFlag(X509ChainStatusFlags.RevocationStatusUnknown))
                {
                    Console.WriteLine("   Revocation status could not be determined.");
                }
            }
        }

        // Returning true here regardless of the errors would disable server authentication.
        return false;
    }
}

// To use this validator with SslStream (revocation checking is off unless requested):
// var options = new SslClientAuthenticationOptions
// {
//     TargetHost = "example.com",
//     CertificateRevocationCheckMode = X509RevocationMode.Online,
//     RemoteCertificateValidationCallback = CertificateValidator.ValidateServerCertificate
// };
// await sslStream.AuthenticateAsClientAsync(options);
//
// For HttpWebRequest on .NET Framework:
// ServicePointManager.ServerCertificateValidationCallback = CertificateValidator.ValidateServerCertificate;
//
// HttpClient on .NET Core and .NET 5+ ignores ServicePointManager; use
// HttpClientHandler.ServerCertificateCustomValidationCallback instead.


Related Topics