/// <summary>
/// Builds a client-side <see cref="TlsHandler"/> for a connection to <paramref name="targetHost"/>.
/// </summary>
/// <param name="targetHost">Host name the server certificate is expected to be issued for.</param>
/// <param name="allowAnyServerCertificate">
/// When <c>true</c>, <c>ClientTlsSettings.AllowAnyServerCertificate()</c> is invoked on the settings.
/// Judging by its name this switches off server certificate validation altogether (TODO confirm in
/// ClientTlsSettings), which makes the connection trivially interceptable; keep it <c>false</c>
/// outside of local development and tests.
/// </param>
/// <returns>A new <see cref="TlsHandler"/> wrapping the configured client settings.</returns>
public static TlsHandler Client(string targetHost, bool allowAnyServerCertificate = false)
{
    var settings = new ClientTlsSettings(targetHost);
    if (allowAnyServerCertificate)
    {
        // The fluent return value is not needed; the settings instance itself is what gets wrapped below.
        settings.AllowAnyServerCertificate();
    }
    return new TlsHandler(settings);
}
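/// <summary>
/// Default server-certificate validation for client TLS connections. Decides whether the server
/// certificate is accepted, honoring (in order) a per-connection override, the process-wide legacy
/// <see cref="ServicePointManager.ServerCertificateValidationCallback"/>, and then the relaxations
/// configured on <paramref name="clientSettings"/>.
/// </summary>
/// <param name="sender">Opaque caller context, forwarded unchanged to the process-wide callback if one is set.</param>
/// <param name="certificate">The server's leaf certificate as presented during the handshake.</param>
/// <param name="chain">The chain built for <paramref name="certificate"/>; may be <c>null</c>.</param>
/// <param name="sslPolicyErrors">Validation errors reported by the TLS stack.</param>
/// <param name="clientSettings">Settings that define which validation errors may be tolerated.</param>
/// <returns><c>true</c> to accept the certificate, <c>false</c> to abort the handshake.</returns>
/// <remarks>
/// Security notes on the relaxations this method honors:
/// <list type="bullet">
/// <item><c>AllowNameMismatchCertificate</c> drops host-name checking: any certificate that passes the
/// chain rules is accepted regardless of which host it was issued for.</item>
/// <item><c>AllowCertificateChainErrors</c> ignores every chain error, including expiry and revocation.</item>
/// <item><c>AllowUnstrustedCertificate</c> accepts a self-issued certificate whose only chain problem is
/// <see cref="X509ChainStatusFlags.UntrustedRoot"/>. Without pinning, anyone able to mint a self-signed
/// certificate can intercept the connection; this exists for default Exchange server installations.</item>
/// </list>
/// Changes from the previous version: a reported chain error with no chain to inspect now fails closed
/// instead of being accepted, and the chain-loop log line includes the actual chain status.
/// </remarks>
private static bool ServerCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, ClientTlsSettings clientSettings)
{
    // 1. A per-connection override wins outright.
    var validation = clientSettings.ServerCertificateValidation;
    if (validation is object)
    {
        return validation(certificate, chain, sslPolicyErrors);
    }

    // 2. Then the process-wide legacy callback, if the application installed one.
    var globalCallback = ServicePointManager.ServerCertificateValidationCallback;
    if (globalCallback is object)
    {
        return globalCallback(sender, certificate, chain, sslPolicyErrors);
    }

    // 3. Clean result from the TLS stack: nothing more to decide.
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;
    }

    // 4. Mask out the error classes the caller explicitly opted to tolerate.
    var remaining = sslPolicyErrors;
    if (clientSettings.AllowNameMismatchCertificate)
    {
        remaining &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
    }
    if (clientSettings.AllowCertificateChainErrors)
    {
        remaining &= ~SslPolicyErrors.RemoteCertificateChainErrors;
    }
    if (remaining == SslPolicyErrors.None)
    {
        return true;
    }

    // 5. Anything still outstanding is fatal unless untrusted (self-signed) certificates are allowed.
    if (!clientSettings.AllowUnstrustedCertificate)
    {
        s_logger.Warn(remaining.ToString());
        return false;
    }

    // 6. The untrusted-certificate relaxation covers chain errors only; a name mismatch or a
    //    missing certificate is still rejected.
    if (remaining != SslPolicyErrors.RemoteCertificateChainErrors)
    {
        s_logger.Warn(remaining.ToString());
        return false;
    }

    // 7. Chain errors were reported but there is no chain to inspect. Fail closed rather than
    //    assume the only problem was an untrusted root.
    if (chain is null || chain.ChainStatus is null)
    {
        s_logger.Warn(remaining.ToString());
        return false;
    }

    // 8. Accept only when every reported chain problem is an untrusted root on a certificate that
    //    issued itself. Subject == Issuer is a name check only; a forged issuer name is caught because
    //    the chain engine reports the bad signature as its own (fatal) status below.
    var selfIssued = certificate is object && certificate.Subject == certificate.Issuer;
    foreach (var status in chain.ChainStatus)
    {
        if (status.Status == X509ChainStatusFlags.NoError)
        {
            continue;
        }
        if (selfIssued && status.Status == X509ChainStatusFlags.UntrustedRoot)
        {
            continue;
        }
        // Log the concrete chain status, not just the coarse policy flag, so the rejection is diagnosable.
        s_logger.Warn($"{remaining}: {status.Status} {status.StatusInformation}");
        return false;
    }

    // Only untrusted-root errors on a self-issued certificate remain. These are normal for default
    // Exchange server installations, so accept.
    return true;
}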