SslProtectionLevel Enum
Specifies the degree of protection (integrity checking and/or encryption) that SSL/TLS applies to the data stream. It is used by the SslStream class.
Members
| Member | Description |
|---|---|
| None | No SSL/TLS protection is applied to the data stream: data is neither encrypted nor integrity-checked, so it can be read and silently modified in transit. Not suitable for secure communication. |
| Sign | Each record is integrity-protected (signed). Tampering in transit is detected and the peer is authenticated, but the payload is sent in the clear, so there is no confidentiality. |
| EncryptAndSign | Each record is both encrypted and integrity-protected. This provides confidentiality, integrity and authentication and is the most secure option. |
Remarks
When you use the SslStream class to establish a secure SSL/TLS connection, you can specify the level of protection using the SslProtectionLevel enum. This enum defines the different levels of security that can be applied to the data transmitted over the secure stream.
- **None**: the least secure option. Nothing is encrypted and nothing is integrity-checked, so anyone on the network path can read the data and alter it without detection. Use it only where the link is already protected by another mechanism (for example a loopback connection or an IPsec tunnel), and document that dependency.
- **Sign**: ensures that data is not tampered with in transit (integrity) and that the sender can be authenticated. The data itself is not encrypted, so anyone who can observe the traffic can read it.
- **EncryptAndSign**: the recommended and most secure option. It provides confidentiality through encryption (preventing eavesdropping) and integrity and authentication through signing of each record (detecting tampering).

The choice of SslProtectionLevel follows from the threat model of your application. For any application that carries data over a network it does not fully control, EncryptAndSign is the appropriate choice; the other two levels are only defensible when a separate, documented mechanism supplies the missing property.
Important
Using SslProtectionLevel.None or SslProtectionLevel.Sign is not recommended for sensitive data, because neither provides confidentiality, and None does not even provide integrity. Always use SslProtectionLevel.EncryptAndSign when security is critical, and verify after the handshake that the negotiated session is actually encrypted and signed rather than assuming it.
Example
The following example configures an SslStream as a TLS client at the EncryptAndSign protection level and reports the negotiated result.
```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

public class SslExample
{
    public static void ConfigureSslStream(TcpClient client)
    {
        SslStream sslStream = new SslStream(
            client.GetStream(),
            false, // do not leave the inner stream open when sslStream is disposed
            new RemoteCertificateValidationCallback(ValidateServerCertificate),
            new LocalCertificateSelectionCallback(SelectClientCertificate)
        );

        // Handshake as a client. The target host must match the server certificate.
        sslStream.AuthenticateAsClient("www.example.com",
            null,                // no client certificate collection; the selection callback decides
            SslProtocols.Tls12,  // pin the allowed protocol version(s)
            true);               // checkCertificateRevocation: reject a revoked server certificate

        // A successful TLS handshake yields the EncryptAndSign level. The negotiated
        // properties are exposed by the stream and should be checked, not assumed.
        Console.WriteLine($"SSL/TLS connection established. Encrypted: {sslStream.IsEncrypted}, Signed: {sslStream.IsSigned}");

        // ... use sslStream for secure communication ...
    }

    // Accept the server certificate only when chain building and host name
    // validation produced no policy errors.
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;
        Console.WriteLine($"Certificate error: {sslPolicyErrors}");
        return false;
    }

    public static X509Certificate SelectClientCertificate(object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers)
    {
        // In a real application, you would select an appropriate client certificate here.
        // For simplicity, we return null, implying no client certificate is provided.
        return null;
    }
}
```
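The example above configures the client but never verifies what was negotiated. The following is an added example, not code from the original page or from .NET itself: it runs a loopback TLS handshake between an SslStream server and client and enforces the EncryptAndSign level on both sides by checking the negotiated IsEncrypted and IsSigned properties before any application data is sent. It assumes .NET 6 or later, creates a throwaway self-signed certificate in memory (a demo convenience, never a production practice), and pins that certificate by thumbprint in the client instead of using chain validation; the names RequireEncryptAndSign and CreateServerCertificate are this example's own.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

public static class EncryptAndSignDemo
{
    // Policy check (this example's own helper): EncryptAndSign means the negotiated
    // session must be both encrypted and integrity-protected. IsEncrypted and IsSigned
    // report what the handshake actually produced, which is what must be enforced.
    public static void RequireEncryptAndSign(SslStream stream)
    {
        if (!stream.IsAuthenticated)
            throw new AuthenticationException("TLS handshake did not complete.");
        if (!stream.IsEncrypted)
            throw new AuthenticationException(
                $"Negotiated session is not encrypted (cipher {stream.CipherAlgorithm}); refusing to send data.");
        if (!stream.IsSigned)
            throw new AuthenticationException("Negotiated session has no integrity protection; refusing to send data.");
        Console.WriteLine($"OK: {stream.SslProtocol}, cipher={stream.CipherAlgorithm}/{stream.CipherStrength} bits, mac={stream.HashAlgorithm}");
    }

    // Self-signed certificate for the loopback server, created in memory (assumption:
    // acceptable for a demo only). Round-tripping through PFX gives SslStream a
    // persisted private key, which avoids the ephemeral-key limitation on Windows.
    private static X509Certificate2 CreateServerCertificate()
    {
        using RSA rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=localhost", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(
            new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // id-kp-serverAuth
        using X509Certificate2 ephemeral = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx, "demo"), "demo", X509KeyStorageFlags.Exportable);
    }

    public static async Task Main()
    {
        using X509Certificate2 serverCert = CreateServerCertificate();
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        // Server side: accept one connection, complete the handshake, enforce the policy, read one message.
        Task serverTask = Task.Run(async () =>
        {
            using TcpClient conn = await listener.AcceptTcpClientAsync();
            using var server = new SslStream(conn.GetStream(), false);
            await server.AuthenticateAsServerAsync(serverCert, clientCertificateRequired: false,
                enabledSslProtocols: SslProtocols.None, checkCertificateRevocation: false);
            RequireEncryptAndSign(server);
            byte[] buffer = new byte[256];
            int n = await server.ReadAsync(buffer, 0, buffer.Length);
            Console.WriteLine("server received: " + Encoding.UTF8.GetString(buffer, 0, n));
        });

        // Client side: pin the demo certificate by thumbprint. A real client keeps the
        // default chain validation and accepts only SslPolicyErrors.None.
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(IPAddress.Loopback, port);
        using var client = new SslStream(tcp.GetStream(), false,
            (sender, cert, chain, errors) =>
                cert is not null && string.Equals(cert.GetCertHashString(), serverCert.Thumbprint, StringComparison.OrdinalIgnoreCase));
        await client.AuthenticateAsClientAsync("localhost", null, SslProtocols.None, checkCertificateRevocation: false);
        RequireEncryptAndSign(client);

        byte[] payload = Encoding.UTF8.GetBytes("hello over EncryptAndSign");
        await client.WriteAsync(payload, 0, payload.Length);
        await client.FlushAsync();
        await serverTask;
        listener.Stop();
    }
}
```

SslProtocols.None lets the operating system choose the newest protocol both sides support, which is the usual recommendation unless policy requires pinning a version. The point of RequireEncryptAndSign is that it runs after the handshake on the live stream: if a deployment ever enabled a cipher suite without encryption or without integrity protection, the check would fail closed before any application data left the process, instead of trusting that EncryptAndSign was requested.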