MSDN Library

System.Net.Security.SslValidationFlags Enum

This enumeration defines flags that can be used to customize the behavior of SSL/TLS validation for secure network connections.

Namespace:

System.Net.Security

Assembly:

System (in System.dll)

Remarks

The SslValidationFlags enumeration is used to control the rigor of SSL/TLS certificate validation. By default, .NET performs comprehensive validation, including checking the certificate chain, revocation status, and name matching. However, in specific scenarios (e.g., testing or internal networks), you might need to relax some of these validation rules.

It's crucial to understand the security implications before using any flags that bypass standard validation procedures. Overriding default checks can expose your application to man-in-the-middle attacks and other security vulnerabilities.

This enumeration is typically used in conjunction with the System.Net.Security.SslClientAuthenticationOptions.ClientCertificateOptions or related client authentication settings where custom validation logic is required.

Example Usage

The following example demonstrates how to use SslValidationFlags to allow untrusted certificate authorities when establishing a secure connection. Note: This is for demonstration purposes and should not be used in production environments without a thorough understanding of the risks.

using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public class SslValidationExample
{
    public static async Task Main(string[] args)
    {
        string host = "example.com"; // Replace with your target host
        int port = 443;

        try
        {
            // Create an SslClientAuthenticationOptions object
            var sslOptions = new SslClientAuthenticationOptions
            {
                ClientCertificates = new X509CertificateCollection(), // If client certs are needed
                TargetHost = host,
                EncryptionPolicy = EncryptionPolicy.RequireEncryption,
                RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
                {
                    // Custom validation logic
                    Console.WriteLine($"Certificate validation for: {host}");
                    Console.WriteLine($"SSL Policy Errors: {sslPolicyErrors}");

                    // Example: Allow untrusted CAs and ignore chain validation
                    if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) ||
                        sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
                    {
                        Console.WriteLine("Allowing connection despite chain or availability errors (use with caution).");
                        return true; // Or implement more specific logic based on your needs
                    }

                    // Default validation for other errors
                    return sslPolicyErrors == SslPolicyErrors.None;
                }
            };

            // You would typically use this with HttpClient or SslStream
            // For demonstration, imagine this is used internally by a network library
            // Example using a conceptual SslStream initialization:
            // TcpClient client = new TcpClient(host, port);
            // SslStream sslStream = new SslStream(client.GetStream(), false, sslOptions.RemoteCertificateValidationCallback);
            // await sslStream.AuthenticateAsClientAsync(host, sslOptions.ClientCertificates, sslOptions.EnabledSslProtocols, sslOptions.SslProtocols);

            Console.WriteLine($"SSL validation configured for {host}:{port}.");
            Console.WriteLine("Note: Actual connection and validation would occur here.");

        }
        catch (Exception ex)
        {
            Console.WriteLine($"An error occurred: {ex.Message}");
        }
    }
}