ValidationContextFlags Enumeration

Namespace: System.Net.Security

Summary

Specifies flags that indicate the context in which a certificate validation callback is invoked.

This enumeration is supplied to the certificate validation callback that SslStream invokes during the TLS handshake. It gives the callback additional context about the conditions under which validation is occurring, in particular whether the certificate being checked belongs to the remote client or to the remote server, so that the callback can apply the trust policy appropriate to that role.

Members

The ValidationContextFlags enumeration is a bit-field enumeration: its members can be combined with the bitwise OR operator and tested individually with Enum.HasFlag.

[Flags]
enum ValidationContextFlags

Flags

The following flags can be used to specify the context:

  • ClientAuth: Indicates that the callback is validating the remote client's certificate; that is, the local side is the server and is authenticating the client.
  • ServerAuth: Indicates that the callback is validating the remote server's certificate; that is, the local side is the client and is authenticating the server.
  • AutoSelected: Indicates that the SSL/TLS protocol version was selected automatically by the system rather than explicitly specified by the caller.
  • NonSecure: Indicates that the connection is not being protected by SSL/TLS. This flag is intended for specific testing or debugging scenarios only.

Remarks

When a certificate validation callback is invoked, the ValidationContextFlags parameter tells the callback what it is validating. If the local side is the client and the certificate under examination was presented by the server, the ServerAuth flag is set. If the local side is the server and the certificate was presented by the client (for example after a call to AuthenticateAsServer with clientCertificateRequired set to true), the ClientAuth flag is set.

The ability to distinguish between client and server authentication contexts matters because the two cases usually carry different trust requirements. A client validating a server certificate typically relies on the platform chain build and host name check reported through SslPolicyErrors. A server validating a client certificate usually needs stricter, application-specific rules, such as requiring that the chain ends in a particular private CA and that the certificate carries the Client Authentication extended key usage, because membership in the platform trust store alone says nothing about whether a client should be granted access.

The callback is the last decision point before the connection is accepted, so it should fail closed: return false whenever sslPolicyErrors is not SslPolicyErrors.None, when the NonSecure flag is set, and when the flag combination is not one the callback recognises. A callback that returns true unconditionally, or that ignores the context flags, disables certificate validation for every connection that uses it.

Example

The following example demonstrates how to use ValidationContextFlags within a certificate validation callback and how to register that callback on an SslStream. The trusted CA thumbprint is a placeholder.


using System;
using System.IO;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public class CertificateValidator
{
    // SHA-1 thumbprint of the private CA allowed to issue client certificates.
    // Placeholder value: replace with the thumbprint of your own CA certificate.
    private const string TrustedClientCaThumbprint = "0000000000000000000000000000000000000000";

    public static bool RemoteCertificateValidationCallback(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors,
        ValidationContextFlags validationContext)
    {
        Console.WriteLine($"Certificate validation context: {validationContext}");

        // Fail closed: never accept a connection that is not protected by TLS.
        if (validationContext.HasFlag(ValidationContextFlags.NonSecure))
        {
            Console.WriteLine("Rejecting non-secure connection.");
            return false;
        }

        // Reject anything the platform already rejected: untrusted or incomplete chain,
        // expired or revoked certificate, missing certificate, or a host name mismatch.
        if (certificate == null || sslPolicyErrors != SslPolicyErrors.None)
        {
            Console.WriteLine($"SSL Policy Errors: {sslPolicyErrors}");
            return false;
        }

        if (validationContext.HasFlag(ValidationContextFlags.ServerAuth))
        {
            // Local side is the client. Chain and host name were checked by the
            // platform (otherwise sslPolicyErrors would not be None); add local
            // policy here if needed, e.g. pinning to a private CA as done below.
            Console.WriteLine("Validating server certificate.");
            return true;
        }

        if (validationContext.HasFlag(ValidationContextFlags.ClientAuth))
        {
            // Local side is the server. Trust in the platform store is not enough
            // for client certificates: require that the chain ends in our own client
            // CA and that the certificate carries the Client Authentication EKU.
            Console.WriteLine("Validating client certificate.");
            return ChainEndsInTrustedCa(chain, TrustedClientCaThumbprint)
                && HasClientAuthEku(new X509Certificate2(certificate));
        }

        Console.WriteLine("Unknown validation context.");
        return false;
    }

    private static bool ChainEndsInTrustedCa(X509Chain chain, string caThumbprint)
    {
        if (chain == null || chain.ChainElements.Count == 0)
        {
            return false;
        }
        // The last element of a fully built chain is the root (self-signed) CA.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, caThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    private static bool HasClientAuthEku(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext is X509EnhancedKeyUsageExtension eku)
            {
                foreach (var oid in eku.EnhancedKeyUsages)
                {
                    if (oid.Value == "1.3.6.1.5.5.7.3.2") return true; // id-kp-clientAuth
                }
            }
        }
        return false;
    }

    // Example usage within SslStream. The built-in RemoteCertificateValidationCallback
    // delegate takes four parameters and no ValidationContextFlags argument, so the
    // flags are supplied by the code that creates the stream, which knows its role.
    public static SslStream CreateStream(Stream innerStream, bool isServer)
    {
        var context = isServer ? ValidationContextFlags.ClientAuth : ValidationContextFlags.ServerAuth;
        return new SslStream(innerStream, false,
            (s, cert, chain, errors) => RemoteCertificateValidationCallback(s, cert, chain, errors, context));
        // The caller then runs AuthenticateAsServer(serverCert, clientCertificateRequired: true, ...)
        // or AuthenticateAsClient(targetHost) on the returned stream.
    }
}

Requirements

Namespace: System.Net.Security
Assembly: System.Net.Security (in .NET Core and .NET 5 or later) or System (in .NET Framework)