示例#1
0
        public static TlsHandler Client(string targetHost, bool allowAnyServerCertificate = false)
        {
            var tlsSettings = new ClientTlsSettings(targetHost);

            if (allowAnyServerCertificate)
            {
                _ = tlsSettings.AllowAnyServerCertificate();
            }
            return(new(tlsSettings));
        }
示例#2
0
        private static bool ServerCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, ClientTlsSettings clientSettings)
        {
            var certificateValidation = clientSettings.ServerCertificateValidation;

            if (certificateValidation is object)
            {
                return(certificateValidation(certificate, chain, sslPolicyErrors));
            }

            var callback = ServicePointManager.ServerCertificateValidationCallback;

            if (callback is object)
            {
                return(callback(sender, certificate, chain, sslPolicyErrors));
            }

            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return(true);
            }

            if (clientSettings.AllowNameMismatchCertificate)
            {
                sslPolicyErrors &= (~SslPolicyErrors.RemoteCertificateNameMismatch);
            }

            if (clientSettings.AllowCertificateChainErrors)
            {
                sslPolicyErrors &= (~SslPolicyErrors.RemoteCertificateChainErrors);
            }

            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return(true);
            }

            if (!clientSettings.AllowUnstrustedCertificate)
            {
                s_logger.Warn(sslPolicyErrors.ToString());
                return(false);
            }

            // not only a remote certificate error
            if (sslPolicyErrors != SslPolicyErrors.None && sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
            {
                s_logger.Warn(sslPolicyErrors.ToString());
                return(false);
            }

            if (chain is object && chain.ChainStatus is object)
            {
                foreach (X509ChainStatus status in chain.ChainStatus)
                {
                    if ((certificate.Subject == certificate.Issuer) &&
                        (status.Status == X509ChainStatusFlags.UntrustedRoot))
                    {
                        // Self-signed certificates with an untrusted root are valid.
                        continue;
                    }
                    else
                    {
                        if (status.Status != X509ChainStatusFlags.NoError)
                        {
                            s_logger.Warn(sslPolicyErrors.ToString());
                            // If there are any other errors in the certificate chain, the certificate is invalid,
                            // so the method returns false.
                            return(false);
                        }
                    }
                }
            }

            // When processing reaches this line, the only errors in the certificate chain are
            // untrusted root errors for self-signed certificates. These certificates are valid
            // for default Exchange server installations, so return true.
            return(true);
        }