private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { TlsClient remotingClient; IPEndPoint remoteEndPoint; IPHostEntry localhost; SimplePolicyChecker policyChecker; remotingClient = m_remotingClient as TlsClient; if ((object)remotingClient != null) { remoteEndPoint = remotingClient.Client.RemoteEndPoint as IPEndPoint; if ((object)remoteEndPoint != null) { // Create an exception and do not check policy for localhost localhost = Dns.GetHostEntry("localhost"); if (localhost.AddressList.Any(address => address.Equals(remoteEndPoint.Address))) { return(true); } } // Not connected to localhost, so use the policy checker policyChecker = new SimplePolicyChecker(); policyChecker.ValidPolicyErrors = remotingClient.ValidPolicyErrors; policyChecker.ValidChainFlags = remotingClient.ValidChainFlags; return(policyChecker.ValidateRemoteCertificate(sender, certificate, chain, sslPolicyErrors)); } return(false); }
private TlsClient InitializeTlsClient(string connectionString) { Dictionary <string, string> settings; string setting; SimplePolicyChecker certificateChecker; TlsClient remotingClient; SslProtocols enabledSslProtocols; SslPolicyErrors validPolicyErrors; X509ChainStatusFlags validChainFlags; // Initialize remoting client socket. certificateChecker = new SimplePolicyChecker(); remotingClient = new TlsClient(); remotingClient.ConnectionString = connectionString; remotingClient.PayloadAware = true; remotingClient.IgnoreInvalidCredentials = true; remotingClient.MaxConnectionAttempts = -1; remotingClient.RemoteCertificateValidationCallback = RemoteCertificateValidationCallback; remotingClient.CertificateChecker = certificateChecker; // Parse connection string into key-value pairs settings = connectionString.ParseKeyValuePairs(); // See if user wants to connect to remote service using integrated security if (settings.TryGetValue("integratedSecurity", out setting) && !string.IsNullOrWhiteSpace(setting)) { remotingClient.IntegratedSecurity = setting.ParseBoolean(); } // See if the user has explicitly defined the set of enabled SslProtocols try { if (settings.TryGetValue("enabledSslProtocols", out setting) && Enum.TryParse(setting, true, out enabledSslProtocols)) { remotingClient.EnabledSslProtocols = enabledSslProtocols; } else { remotingClient.EnabledSslProtocols = SslProtocols.Tls12; } } catch (SecurityException) { // Security exception can occur when user forces use of older TLS protocol through configuration but event log warning entry cannot be written } // See if the user has explicitly defined valid policy errors or valid chain flags if (settings.TryGetValue("validPolicyErrors", out setting) && Enum.TryParse(setting, true, out validPolicyErrors)) { certificateChecker.ValidPolicyErrors = validPolicyErrors; } else { certificateChecker.ValidPolicyErrors = SslPolicyErrors.RemoteCertificateChainErrors; } if (settings.TryGetValue("validChainFlags", out setting) && Enum.TryParse(setting, true, out validChainFlags)) { certificateChecker.ValidChainFlags = validChainFlags; } else { certificateChecker.ValidChainFlags = X509ChainStatusFlags.UntrustedRoot; } // See if the user has explicitly defined whether to execute revocation checks on server certificates if (settings.TryGetValue("checkCertificateRevocation", out setting) && !string.IsNullOrWhiteSpace(setting)) { remotingClient.CheckCertificateRevocation = setting.ParseBoolean(); } return(remotingClient); }