System.Net.Security.SslValidationTypeResult

Overview

Represents the result of an SSL validation operation. This enumeration is used to indicate whether an SSL certificate is valid or why it failed validation.

When establishing a secure connection using SSL/TLS, the client validates the server's certificate before any application data is sent. The validation process checks the certificate's signature and trust chain, its validity period, whether its name matches the host the client connected to, and whether it has been revoked. The SslValidationTypeResult enumeration provides a structured way to report the outcome of these checks.

Syntax

public enum SslValidationTypeResult

Members

  • Success: The certificate passed all validation checks.
  • Untrusted: The certificate does not chain to a root in the local machine's trusted root certificate store.
  • Expired: The certificate is outside its validity period (it has expired, or is not yet valid).
  • InvalidHostName: The name in the certificate (subject alternative name or common name) does not match the host name the client connected to.
  • InvalidSignature: The certificate's signature does not verify against the issuer's public key.
  • Revoked: The certificate has been revoked by the issuing Certificate Authority (CA), as reported by its CRL or OCSP responder.
  • Other: An unspecified validation error occurred.

Remarks

This enumeration is typically used together with the System.Net.Security.RemoteCertificateValidationCallback delegate, which lets you replace or extend the default server certificate checks. Typical uses are validating against a specific set of trusted certificates (a private root, or a pinned leaf certificate) rather than the machine's root store, or applying domain-specific validation rules.

A custom validation callback receives the sender, an X509Certificate for the server's leaf certificate, the X509Chain the system built for it (its ChainStatus entries explain any chain failure), and an SslPolicyErrors value that is None when every default check passed. SslPolicyErrors is a flags enumeration, so test individual flags with a bitwise AND rather than equality. Return true to accept the certificate and false to abort the handshake. The SslValidationTypeResult members describe the outcome of the checks; a callback should return true only for Success, because returning true unconditionally disables server authentication and leaves the connection open to interception by anyone who can present a certificate.

Example

The following example demonstrates how to use a custom RemoteCertificateValidationCallback to inspect the validation result.

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public class SslExample
{
    public static void Main()
    {
        // Install a custom certificate validation callback. ServicePointManager applies to
        // WebClient and HttpWebRequest; HttpClient on .NET Core and .NET 5+ uses
        // HttpClientHandler.ServerCertificateCustomValidationCallback instead.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        try
        {
            // Attempt to connect to a secure URL (e.g., a website with an SSL/TLS certificate)
            WebClient client = new WebClient();
            string result = client.DownloadString("https://www.example.com");
            Console.WriteLine("Successfully connected.");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"An error occurred: {ex.Message}");
        }
    }

    // Custom certificate validation callback. Returning false aborts the handshake.
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                                 X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        SslValidationTypeResult validationResult = SslValidationTypeResult.Success;

        if (sslPolicyErrors != SslPolicyErrors.None)
        {
            // SslPolicyErrors is a flags enumeration, so each flag is tested with a bitwise AND.
            // Later checks override earlier ones: a name mismatch is reported in preference to a
            // chain error, and a missing certificate in preference to both.
            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            {
                // Start from Other so an empty or missing ChainStatus still fails closed.
                validationResult = SslValidationTypeResult.Other;

                if (chain != null)
                {
                    // Inspect the chain status for the specific failure (untrusted root,
                    // revocation, ...). Only the first status entry is reported.
                    foreach (X509ChainStatus status in chain.ChainStatus)
                    {
                        switch (status.Status)
                        {
                            case X509ChainStatusFlags.NotTimeValid:
                            case X509ChainStatusFlags.NotTimeNested:
                                validationResult = SslValidationTypeResult.Expired;
                                break;
                            case X509ChainStatusFlags.Revoked:
                                validationResult = SslValidationTypeResult.Revoked;
                                break;
                            case X509ChainStatusFlags.UntrustedRoot:
                            case X509ChainStatusFlags.PartialChain:
                                validationResult = SslValidationTypeResult.Untrusted;
                                break;
                            case X509ChainStatusFlags.NotSignatureValid:
                                validationResult = SslValidationTypeResult.InvalidSignature;
                                break;
                            default:
                                // Includes RevocationStatusUnknown and OfflineRevocation, which a
                                // fail-closed policy treats as failures rather than as Success.
                                validationResult = SslValidationTypeResult.Other;
                                break;
                        }
                        break;
                    }
                }
            }
            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != SslPolicyErrors.None)
            {
                validationResult = SslValidationTypeResult.InvalidHostName;
            }
            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != SslPolicyErrors.None)
            {
                validationResult = SslValidationTypeResult.Other; // no certificate was presented
            }
            Console.WriteLine($"Certificate validation failed: {validationResult}");
        }
        else
        {
            Console.WriteLine("Certificate validation succeeded.");
        }

        // Accept only certificates that passed every check; anything else aborts the handshake.
        return validationResult == SslValidationTypeResult.Success;
    }
}
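The Remarks above mention validating against a specific set of trusted certificates rather than the machine's root store. The following is an added example, not code from the original page or from the .NET documentation: a RemoteCertificateValidationCallback that accepts a server certificate only if it chains to a private root (using X509ChainTrustMode.CustomRootTrust, available on .NET 5 and later) and its thumbprint matches a pinned value, shown beside the accept-everything anti-pattern it replaces. The PinnedValidation class, its TrustedRoot and ExpectedLeafThumbprint properties, the host name api.example.test and the generated root and leaf certificates are all hypothetical; the test PKI is constructed inside the example so it runs offline without a network connection.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original page). Requires .NET 5+ for CustomRootTrust.
public static class PinnedValidation
{
    // Hypothetical configuration: the private root that issues your server certificates
    // and the SHA-1 thumbprint of the leaf you expect. Both would normally come from config.
    public static X509Certificate2 TrustedRoot { get; set; }
    public static string ExpectedLeafThumbprint { get; set; }

    // The insecure pattern this replaces: accepting everything disables server authentication.
    public static bool AcceptAnything(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors) => true;

    public static bool ValidatePinned(object sender, X509Certificate certificate,
                                      X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Fail closed: no certificate, or a host name that does not match, is never
        // acceptable, even when the chain would otherwise be trusted.
        if (certificate == null ||
            (sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable |
                                SslPolicyErrors.RemoteCertificateNameMismatch)) != SslPolicyErrors.None)
            return false;

        // Misconfiguration must not degrade to "accept".
        if (TrustedRoot == null || string.IsNullOrEmpty(ExpectedLeafThumbprint))
            return false;

        using var leaf = new X509Certificate2(certificate);

        // Pin check: the presented leaf must be exactly the one we expect.
        if (!string.Equals(leaf.Thumbprint, ExpectedLeafThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;

        // RemoteCertificateChainErrors is expected here, because the private root is not in
        // the machine store. Rebuild the chain against our own root instead of the system's.
        using var custom = new X509Chain();
        custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        custom.ChainPolicy.CustomTrustStore.Add(TrustedRoot);
        // The constructed test PKI publishes no CRL/OCSP; a production PKI should use Online.
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (chain != null)
        {
            // Intermediates the server sent are in the system-built chain; make them available.
            foreach (X509ChainElement element in chain.ChainElements)
                custom.ChainPolicy.ExtraStore.Add(element.Certificate);
        }
        return custom.Build(leaf);
    }
}

public static class Demo
{
    // Constructed test PKI (hypothetical): a self-signed private root and a leaf it issues.
    public static (X509Certificate2 root, X509Certificate2 leaf) BuildTestPki()
    {
        RSA rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=Example Private Root", rootKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        rootReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(rootReq.PublicKey, false));
        X509Certificate2 root = rootReq.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));

        RSA leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=api.example.test", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName("api.example.test");
        leafReq.CertificateExtensions.Add(san.Build());
        X509Certificate2 leaf = leafReq.Create(root,
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1), new byte[] { 1, 2, 3, 4 });
        return (root, leaf);
    }

    public static void Main()
    {
        var (root, leaf) = BuildTestPki();
        PinnedValidation.TrustedRoot = root;
        PinnedValidation.ExpectedLeafThumbprint = leaf.Thumbprint;

        // Simulate what the framework passes when the root is absent from the machine store.
        Console.WriteLine(PinnedValidation.ValidatePinned(null, leaf, null,
            SslPolicyErrors.RemoteCertificateChainErrors));

        // Same leaf, but the framework also reports a host name mismatch: rejected.
        Console.WriteLine(PinnedValidation.ValidatePinned(null, leaf, null,
            SslPolicyErrors.RemoteCertificateChainErrors | SslPolicyErrors.RemoteCertificateNameMismatch));

        // A certificate from a different private PKI: rejected by the pin before chain building.
        var (otherRoot, otherLeaf) = BuildTestPki();
        Console.WriteLine(PinnedValidation.ValidatePinned(null, otherLeaf, null,
            SslPolicyErrors.RemoteCertificateChainErrors));
    }
}
```

The demo calls the callback directly with the SslPolicyErrors values the framework would report; in a real client pass ValidatePinned to the SslStream constructor, or adapt it for HttpClientHandler.ServerCertificateCustomValidationCallback, whose first parameter is the HttpRequestMessage rather than the sender. Pinning to a leaf thumbprint means every certificate rotation needs a client update; pinning the private root (or its public key) and relying on the rebuilt chain for the rest is the usual compromise. Revocation checking is disabled only because the constructed PKI publishes no CRL; with a real private CA keep RevocationMode at Online and let RevocationStatusUnknown fail the build.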

Requirements

Namespace: System.Net.Security

Assembly: System.Net.Primitives (in .NET Core, .NET 5+)

Assembly: System (in .NET Framework)