SslValidationTypeFlags Enumeration
Specifies the validation requirements for the server certificate during SSL/TLS authentication.
This enumeration is used in conjunction with the SslStream class to control how the client validates the server's certificate.
Members
- None: No validation override is applied; the default behavior (full validation of the server certificate) is used.
- AllowRemoteCertificateErrors: Allows remote certificate errors to be ignored. This is generally not recommended for production environments as it bypasses critical security checks.
- BypassCertificateValidation: Bypasses all certificate validation. This is highly discouraged and should only be used in development or testing environments where security is not a concern.
Remarks
When establishing an SSL/TLS connection using SslStream, it is crucial to properly validate the server's certificate to ensure that you are communicating with the intended server and not an imposter.
The SslValidationTypeFlags enumeration provides granular control over the certificate validation process. By default, certificate validation is performed according to standard SSL/TLS protocols. In certain scenarios, however, you may need to adjust these settings: for instance, in development or testing environments that use self-signed certificates, you may choose to bypass validation. It is strongly advised to use the None flag in production environments to ensure robust security.
The AllowRemoteCertificateErrors flag should be used with extreme caution, as it can expose your application to man-in-the-middle attacks. The BypassCertificateValidation flag should almost never be used in production code.
Syntax
    public enum SslValidationTypeFlags
    {
        None = 0,
        AllowRemoteCertificateErrors = 1,
        BypassCertificateValidation = 2
    }
Example
    // Example of using SslValidationTypeFlags with SslStream
    using System;
    using System.Net.Security;
    using System.Net.Sockets;
    using System.Security.Authentication;

    public class SslClientExample
    {
        public static void ConnectWithCustomValidation(string host, int port)
        {
            // SslStream wraps the raw TCP stream; the authentication options (target host, protocols,
            // validation callback) are passed to AuthenticateAsClient, not to the SslStream constructor.
            using (TcpClient client = new TcpClient(host, port))
            using (SslStream sslStream = new SslStream(client.GetStream(), leaveInnerStreamOpen: false))
            {
                var options = new SslClientAuthenticationOptions
                {
                    TargetHost = host,
                    EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
                    RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
                    {
                        // For demonstration purposes only: the certificate is accepted even when errors
                        // are reported, which is the behavior the BypassCertificateValidation flag describes.
                        if (sslPolicyErrors != SslPolicyErrors.None)
                        {
                            // In a real application, log these errors and return false to reject the connection.
                            Console.Error.WriteLine($"Certificate errors ignored: {sslPolicyErrors}");
                        }
                        return true;
                    }
                };
                sslStream.AuthenticateAsClient(options);
                // ... proceed with sending/receiving data ...
            }
        }
    }
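The following is an added example, not code from the original page: it builds the RemoteCertificateValidationCallback that each of the three flag values described under Remarks implies, and goes one step beyond the page by showing a pinned alternative for the self-signed development certificates mentioned there. The enum is re-declared so the block compiles stand-alone; the class and method names and the DevCertThumbprint placeholder are assumptions.

```csharp
using System;
using System.Net.Security;

// Re-declared from the Syntax section above so this file compiles on its own.
public enum SslValidationTypeFlags { None = 0, AllowRemoteCertificateErrors = 1, BypassCertificateValidation = 2 }

public static class SslValidationPolicy
{
    // Placeholder (assumption): replace with the SHA-1 thumbprint of the dev certificate you issued.
    public const string DevCertThumbprint = "0000000000000000000000000000000000000000";

    // Maps a flag to the callback it implies. Only None keeps the strict default outcome;
    // pass the result via SslClientAuthenticationOptions.RemoteCertificateValidationCallback.
    public static RemoteCertificateValidationCallback Build(SslValidationTypeFlags flags)
    {
        switch (flags)
        {
            case SslValidationTypeFlags.None:
                // Default behavior: accept only when the platform reported no policy errors.
                return (sender, cert, chain, errors) => errors == SslPolicyErrors.None;

            case SslValidationTypeFlags.AllowRemoteCertificateErrors:
                // Insecure: name mismatch, untrusted chain or missing certificate are logged and ignored.
                return (sender, cert, chain, errors) =>
                {
                    if (errors != SslPolicyErrors.None)
                        Console.Error.WriteLine($"Ignoring certificate errors: {errors}");
                    return true;
                };

            case SslValidationTypeFlags.BypassCertificateValidation:
                // Insecure: the certificate is never inspected at all.
                return (sender, cert, chain, errors) => true;

            default:
                throw new ArgumentOutOfRangeException(nameof(flags));
        }
    }

    // Safer alternative for a self-signed development certificate: tolerate only the chain error
    // that a self-signed certificate produces, and only for the single certificate you expect.
    public static RemoteCertificateValidationCallback PinnedDevCert(string thumbprint)
    {
        return (sender, cert, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;
            if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null) return false;
            // GetCertHashString returns the SHA-1 thumbprint as uppercase hex.
            return string.Equals(cert.GetCertHashString(), thumbprint, StringComparison.OrdinalIgnoreCase);
        };
    }
}
```

Each callback can be exercised without a network by invoking it directly, e.g. `Build(SslValidationTypeFlags.None)(null, null, null, SslPolicyErrors.RemoteCertificateNameMismatch)` returns false while the other two flags return true for the same input.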