private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
TlsClient remotingClient;
IPEndPoint remoteEndPoint;
IPHostEntry localhost;
SimplePolicyChecker policyChecker;
remotingClient = m_remotingClient as TlsClient;
if ((object)remotingClient != null)
{
remoteEndPoint = remotingClient.Client.RemoteEndPoint as IPEndPoint;
if ((object)remoteEndPoint != null)
{
// Create an exception and do not check policy for localhost
localhost = Dns.GetHostEntry("localhost");
if (localhost.AddressList.Any(address => address.Equals(remoteEndPoint.Address)))
return true;
}
// Not connected to localhost, so use the policy checker
policyChecker = new SimplePolicyChecker();
policyChecker.ValidPolicyErrors = remotingClient.ValidPolicyErrors;
policyChecker.ValidChainFlags = remotingClient.ValidChainFlags;
return policyChecker.ValidateRemoteCertificate(sender, certificate, chain, sslPolicyErrors);
}
return false;
}
private TlsClient InitializeTlsClient(string connectionString)
{
Dictionary<string, string> settings;
string setting;
SimplePolicyChecker certificateChecker;
TlsClient remotingClient;
SslProtocols enabledSslProtocols;
SslPolicyErrors validPolicyErrors;
X509ChainStatusFlags validChainFlags;
// Initialize remoting client socket.
certificateChecker = new SimplePolicyChecker();
remotingClient = new TlsClient();
remotingClient.ConnectionString = connectionString;
remotingClient.PayloadAware = true;
remotingClient.IgnoreInvalidCredentials = true;
remotingClient.MaxConnectionAttempts = -1;
remotingClient.RemoteCertificateValidationCallback = RemoteCertificateValidationCallback;
remotingClient.CertificateChecker = certificateChecker;
// Parse connection string into key-value pairs
settings = connectionString.ParseKeyValuePairs();
// See if user wants to connect to remote service using integrated security
if (settings.TryGetValue("integratedSecurity", out setting) && !string.IsNullOrWhiteSpace(setting))
remotingClient.IntegratedSecurity = setting.ParseBoolean();
// See if the user has explicitly defined the set of enabled SslProtocols
try
{
if (settings.TryGetValue("enabledSslProtocols", out setting) && Enum.TryParse(setting, true, out enabledSslProtocols))
remotingClient.EnabledSslProtocols = enabledSslProtocols;
else
remotingClient.EnabledSslProtocols = SslProtocols.Tls | SslProtocols.Tls12;
}
catch (SecurityException)
{
// Security exception can occur when user forces use of older TLS protocol through configuration but event log warning entry cannot be written
}
// See if the user has explicitly defined valid policy errors or valid chain flags
if (settings.TryGetValue("validPolicyErrors", out setting) && Enum.TryParse(setting, true, out validPolicyErrors))
certificateChecker.ValidPolicyErrors = validPolicyErrors;
else
certificateChecker.ValidPolicyErrors = SslPolicyErrors.RemoteCertificateChainErrors;
if (settings.TryGetValue("validChainFlags", out setting) && Enum.TryParse(setting, true, out validChainFlags))
certificateChecker.ValidChainFlags = validChainFlags;
else
certificateChecker.ValidChainFlags = X509ChainStatusFlags.UntrustedRoot;
// See if the user has explicitly defined whether to execute revocation checks on server certificates
if (settings.TryGetValue("checkCertificateRevocation", out setting) && !string.IsNullOrWhiteSpace(setting))
remotingClient.CheckCertificateRevocation = setting.ParseBoolean();
return remotingClient;
}
