public static TlsHandler Client(string targetHost, bool allowAnyServerCertificate = false)
{
var tlsSettings = new ClientTlsSettings(targetHost);
if (allowAnyServerCertificate)
{
_ = tlsSettings.AllowAnyServerCertificate();
}
return(new(tlsSettings));
}
private static bool ServerCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, ClientTlsSettings clientSettings)
{
var certificateValidation = clientSettings.ServerCertificateValidation;
if (certificateValidation is object)
{
return(certificateValidation(certificate, chain, sslPolicyErrors));
}
var callback = ServicePointManager.ServerCertificateValidationCallback;
if (callback is object)
{
return(callback(sender, certificate, chain, sslPolicyErrors));
}
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
if (clientSettings.AllowNameMismatchCertificate)
{
sslPolicyErrors &= (~SslPolicyErrors.RemoteCertificateNameMismatch);
}
if (clientSettings.AllowCertificateChainErrors)
{
sslPolicyErrors &= (~SslPolicyErrors.RemoteCertificateChainErrors);
}
if (sslPolicyErrors == SslPolicyErrors.None)
{
return(true);
}
if (!clientSettings.AllowUnstrustedCertificate)
{
s_logger.Warn(sslPolicyErrors.ToString());
return(false);
}
// not only a remote certificate error
if (sslPolicyErrors != SslPolicyErrors.None && sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
{
s_logger.Warn(sslPolicyErrors.ToString());
return(false);
}
if (chain is object && chain.ChainStatus is object)
{
foreach (X509ChainStatus status in chain.ChainStatus)
{
if ((certificate.Subject == certificate.Issuer) &&
(status.Status == X509ChainStatusFlags.UntrustedRoot))
{
// Self-signed certificates with an untrusted root are valid.
continue;
}
else
{
if (status.Status != X509ChainStatusFlags.NoError)
{
s_logger.Warn(sslPolicyErrors.ToString());
// If there are any other errors in the certificate chain, the certificate is invalid,
// so the method returns false.
return(false);
}
}
}
}
// When processing reaches this line, the only errors in the certificate chain are
// untrusted root errors for self-signed certificates. These certificates are valid
// for default Exchange server installations, so return true.
return(true);
}
