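/// <summary>
/// Validates the certificate presented by the remote end of the TLS remoting connection.
/// A connection whose peer address is one of the addresses "localhost" resolves to is
/// exempted from every policy check; any other connection is judged by a
/// <see cref="SimplePolicyChecker"/> configured with the client's allowed policy errors
/// and chain flags.
/// </summary>
/// <param name="sender">Object raising the validation request; forwarded to the policy checker.</param>
/// <param name="certificate">Certificate presented by the remote party.</param>
/// <param name="chain">Chain built for <paramref name="certificate"/>.</param>
/// <param name="sslPolicyErrors">Policy errors reported by the TLS stack.</param>
/// <returns>
/// <c>true</c> if the certificate is accepted; <c>false</c> if the policy checker rejects it
/// or if <c>m_remotingClient</c> is not a <see cref="TlsClient"/>.
/// </returns>
private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    TlsClient remotingClient = m_remotingClient as TlsClient;

    // Only a TlsClient carries the policy settings needed for validation; anything else is rejected.
    if ((object)remotingClient == null)
        return false;

    IPEndPoint remoteEndPoint = remotingClient.Client.RemoteEndPoint as IPEndPoint;

    if ((object)remoteEndPoint != null)
    {
        bool isLocalhost;

        try
        {
            // Deliberate exemption: a connection to localhost is accepted regardless of the
            // certificate (or absence of one). SECURITY: this bypasses every policy check, so it
            // must stay keyed on the peer's address and never on anything the remote party sends.
            // The lookup goes through the resolver / hosts file on every handshake.
            // NOTE(review): IPAddress.Equals will not match an IPv4-mapped IPv6 form of the same
            // loopback address; IPAddress.IsLoopback would be a resolver-independent alternative — confirm intent.
            IPHostEntry localhost = Dns.GetHostEntry("localhost");
            isLocalhost = localhost.AddressList.Any(address => address.Equals(remoteEndPoint.Address));
        }
        catch (SocketException)
        {
            // Resolver failure: previously this escaped the callback as an exception. Fail safe
            // by treating the peer as "not localhost" so the policy checker still decides.
            isLocalhost = false;
        }

        if (isLocalhost)
            return true;
    }

    // Not connected to localhost, so use the policy checker.
    // NOTE(review): these values are read from the TlsClient, while InitializeTlsClient configures
    // them on the SimplePolicyChecker assigned to CertificateChecker — confirm the TlsClient
    // properties forward to that checker, otherwise the connection-string settings are not applied here.
    SimplePolicyChecker policyChecker = new SimplePolicyChecker();
    policyChecker.ValidPolicyErrors = remotingClient.ValidPolicyErrors;
    policyChecker.ValidChainFlags = remotingClient.ValidChainFlags;

    return policyChecker.ValidateRemoteCertificate(sender, certificate, chain, sslPolicyErrors);
}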
/// <summary>
/// Builds the <see cref="TlsClient"/> used for remoting, applying the optional TLS-related
/// keys found in <paramref name="connectionString"/>:
/// <c>integratedSecurity</c>, <c>enabledSslProtocols</c>, <c>validPolicyErrors</c>,
/// <c>validChainFlags</c> and <c>checkCertificateRevocation</c>.
/// </summary>
/// <param name="connectionString">Key/value connection string; parsed with <c>ParseKeyValuePairs</c>.</param>
/// <returns>A configured, not yet connected <see cref="TlsClient"/>.</returns>
/// <remarks>
/// SECURITY: the defaults applied when a key is absent (or fails to parse) are permissive:
/// TLS 1.0 is enabled alongside TLS 1.2, and the certificate checker tolerates
/// <see cref="SslPolicyErrors.RemoteCertificateChainErrors"/> with an
/// <see cref="X509ChainStatusFlags.UntrustedRoot"/> chain, i.e. self-signed or privately
/// rooted server certificates are accepted unless the connection string tightens this.
/// <c>Enum.TryParse</c> also accepts raw numeric strings, so a value such as "0" maps to
/// <see cref="SslProtocols.None"/> (platform default) rather than being rejected.
/// When <c>checkCertificateRevocation</c> is not given, the TlsClient's own default applies
/// (not visible here — confirm it). Behavior of <c>IgnoreInvalidCredentials</c> and of the
/// unlimited <c>MaxConnectionAttempts</c> (-1) is defined by TlsClient, not by this method.
/// </remarks>
private TlsClient InitializeTlsClient(string connectionString)
{
    var checker = new SimplePolicyChecker();

    var client = new TlsClient
    {
        ConnectionString = connectionString,
        PayloadAware = true,
        IgnoreInvalidCredentials = true,
        MaxConnectionAttempts = -1,
        RemoteCertificateValidationCallback = RemoteCertificateValidationCallback,
        CertificateChecker = checker
    };

    var settings = connectionString.ParseKeyValuePairs();
    string value;

    // Integrated security is only toggled when the key is present and non-blank.
    if (settings.TryGetValue("integratedSecurity", out value) && !string.IsNullOrWhiteSpace(value))
        client.IntegratedSecurity = value.ParseBoolean();

    // Enabled protocol set: explicit value from the connection string, else TLS 1.0 + TLS 1.2.
    // The setter may raise SecurityException when it cannot write its event-log warning about
    // an older protocol being forced; that failure is intentionally ignored.
    try
    {
        SslProtocols protocols;

        client.EnabledSslProtocols =
            settings.TryGetValue("enabledSslProtocols", out value) && Enum.TryParse(value, true, out protocols)
                ? protocols
                : SslProtocols.Tls | SslProtocols.Tls12;
    }
    catch (SecurityException)
    {
    }

    // Tolerated policy errors: explicit value, else chain errors are allowed.
    SslPolicyErrors policyErrors;

    checker.ValidPolicyErrors =
        settings.TryGetValue("validPolicyErrors", out value) && Enum.TryParse(value, true, out policyErrors)
            ? policyErrors
            : SslPolicyErrors.RemoteCertificateChainErrors;

    // Tolerated chain status: explicit value, else an untrusted root is allowed.
    X509ChainStatusFlags chainFlags;

    checker.ValidChainFlags =
        settings.TryGetValue("validChainFlags", out value) && Enum.TryParse(value, true, out chainFlags)
            ? chainFlags
            : X509ChainStatusFlags.UntrustedRoot;

    // Revocation checking is only toggled when the key is present and non-blank.
    if (settings.TryGetValue("checkCertificateRevocation", out value) && !string.IsNullOrWhiteSpace(value))
        client.CheckCertificateRevocation = value.ParseBoolean();

    return client;
}