RemoteCertificateValidationCallback Delegate
System.Net.Security
Represents the method that is called to validate the server's certificate when an SSL or TLS connection is established. This delegate is used by the SslStream class.
Syntax
public delegate bool RemoteCertificateValidationCallback(
object sender,
X509Certificate? certificate,
X509Chain? chain,
SslPolicyErrors sslPolicyErrors
);
Parameters
- sender: An object that represents the stream instance that is authenticating the server.
- certificate: An X509Certificate object that represents the server's certificate, or null if the server presented none (in which case sslPolicyErrors contains RemoteCertificateNotAvailable).
- chain: An X509Chain object that represents the chain built for the server's certificate; its ChainStatus property lists the individual problems (untrusted root, expired, revoked, and so on) that the chain engine found.
- sslPolicyErrors: A bitwise combination of the SslPolicyErrors enumeration values that indicate which default checks failed. SslPolicyErrors.None means the default validation succeeded.
Return Value
Returns true if the server's certificate is valid; otherwise, false.
Remarks
When a client establishes an SSL/TLS connection using SslStream, the server's certificate is validated by default: the chain must lead to a trusted root and the certificate must match the target host name. If the validation fails, the handshake is aborted and AuthenticateAsClient throws an AuthenticationException. You can customize this behavior by passing a RemoteCertificateValidationCallback to the SslStream constructor or by setting the SslClientAuthenticationOptions.RemoteCertificateValidationCallback property.
The callback is invoked during SslStream.AuthenticateAsClient (or AuthenticateAsClientAsync) after the server's certificate has been received and the default validation has run. The delegate receives the server certificate, the chain that was built for it, and the SslPolicyErrors that the default validation reported, and its return value replaces the default decision: true lets the handshake proceed, false aborts it. The callback is consulted even when sslPolicyErrors is None, so a callback can also reject certificates the default validation accepted.
Important Considerations
It is crucial to implement certificate validation carefully to ensure the security of your application. A callback that returns true regardless of sslPolicyErrors disables every default check, including the host-name match and the chain-of-trust check, so any attacker who can intercept the connection can present an arbitrary certificate and read or modify the traffic. For most scenarios, it is recommended to use the default validation behavior or to rely on trusted certificate authorities. If you must accept a certificate that the default validation rejects (for example, a self-signed certificate on an internal service), restrict the exception to that one certificate by comparing its fingerprint or public key against a value obtained out of band, and never tolerate a RemoteCertificateNameMismatch.
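The following is an added example, not code from the original page or from the .NET reference source, showing the callback wired into an SslStream client through SslClientAuthenticationOptions together with a validation policy that a practitioner can actually deploy: default validation is accepted as-is, a missing certificate or a host-name mismatch is always rejected, and chain errors are tolerated only for a single certificate whose SHA-256 fingerprint is pinned. The host name, port and the pinned fingerprint constant are placeholders to be replaced with real values; GetCertHashString(HashAlgorithmName) assumes .NET 5 or later.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class PinnedTlsClient
{
    // Placeholder (hypothetical value): the SHA-256 fingerprint of the ONE self-signed
    // certificate this client may trust outside the normal CA chain. Obtain it out of
    // band, e.g.: openssl x509 -in server.crt -noout -fingerprint -sha256
    private const string PinnedSha256Fingerprint =
        "0000000000000000000000000000000000000000000000000000000000000000";

    public static bool ValidateServerCertificate(
        object sender,
        X509Certificate? certificate,
        X509Chain? chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Default validation passed: trusted chain and matching host name.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // No certificate, or the name does not match: pinning cannot repair either,
        // so these are hard failures.
        if (certificate is null
            || sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)
            || sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
        {
            Console.Error.WriteLine($"Rejecting server certificate: {sslPolicyErrors}");
            return false;
        }

        // Only RemoteCertificateChainErrors remains. Record what the chain engine found
        // so an operator can tell an expired pinned cert from an unknown one.
        if (chain is not null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine(
                    $"Chain status: {status.Status} ({status.StatusInformation.Trim()})");
        }

        // Compare the leaf certificate's SHA-256 fingerprint with the pinned value.
        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        string actual = cert2.GetCertHashString(HashAlgorithmName.SHA256);
        bool pinned = string.Equals(actual, PinnedSha256Fingerprint,
                                    StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Console.Error.WriteLine(
                $"Rejecting unpinned certificate for {cert2.Subject}: {actual}");
        return pinned;
    }

    public static async Task RunAsync(string host, int port)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);

        // The callback is supplied through SslClientAuthenticationOptions. TargetHost is
        // the name the RemoteCertificateNameMismatch check (and SNI) is evaluated against.
        await using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        var options = new SslClientAuthenticationOptions
        {
            TargetHost = host,
            RemoteCertificateValidationCallback = ValidateServerCertificate,
        };

        // Throws AuthenticationException if the callback returns false.
        await ssl.AuthenticateAsClientAsync(options);
        Console.WriteLine(
            $"Negotiated {ssl.SslProtocol} with {ssl.RemoteCertificate?.Subject}");
    }

    // Usage: dotnet run -- internal-service.example.invalid 8443
    public static Task Main(string[] args) =>
        RunAsync(args.Length > 0 ? args[0] : "localhost", 8443);
}
```

The order of the checks is the point of the example: the callback never reasons about an individual error until it has ruled out the two classes that no pin can justify (no certificate, wrong name), and when it does override a chain error it does so for exactly one certificate rather than for a class of errors. Pinning the fingerprint means the pin must be rotated when the certificate is renewed; pinning the public key (for example, via certificate.GetPublicKey()) survives renewals that keep the key pair, at the cost of not detecting key reuse across certificates.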
Example
The following example demonstrates how to create a custom certificate validation callback that ignores certificate errors for demonstration purposes. Do not use this in production environments.
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public class SslExample
{
public static void Main(string[] args)
{
// This is a placeholder for a real client implementation.
// In a real scenario, you would establish a connection and use SslStream.
// Example of a custom validation callback
SslClientAuthenticationOptions options = new SslClientAuthenticationOptions();
options.RemoteCertificateValidationCallback = CustomRemoteCertificateValidationCallback;
Console.WriteLine("Configured custom validation callback.");
}
public static bool CustomRemoteCertificateValidationCallback(
object sender,
X509Certificate? certificate,
X509Chain? chain,
SslPolicyErrors sslPolicyErrors)
{
// In a production scenario, you would inspect certificate and sslPolicyErrors
// to make an informed decision about trusting the server.
// For this example, we'll always return true, which is NOT recommended for production.
if (sslPolicyErrors == SslPolicyErrors.None)
{
// Certificate is valid and trusted.
return true;
}
Console.WriteLine($"Certificate error: {sslPolicyErrors}");
// In a real application, you would likely check the specific errors here.
// For example, you might check if the certificate is expired,
// if the hostname matches, or if it's signed by a trusted CA.
// WARNING: This is a highly insecure practice for production.
// It bypasses all security checks.
return true;
}
}