Custom verification of SSL Certificates
The counterparty certificate validation procedure is controlled by the properties of the SslSettings object, which is a field of the EngineSettings class (to configure inbound connections) or a field of the Session class (to configure outbound connections). The values of the SslSettings properties are passed to the corresponding properties of the X509ChainPolicy object to control how the counterparty certificate is validated.
Custom trusted certificate chain
If it is necessary to verify the certificate of the counterparty without importing the trusted root and intermediate certificates to the system storage, the chain of trusted certificates may be specified using the CaFile property.
For example:
var sslSettings = session.Ssl;
sslSettings.CaFile = "cert1.pem|cert2.pem";
or
sslSettings.CaFile = "cert-chain.pem";
where a single cert-chain.pem file contains a list of certificates. Also, .p12/.pfx (PKSC#12 format) files are supported.
Choosing SSL/TLS protocol version
The version of SSL/TLS protocol(s) may be specified by Protocol property.
For example:
sslSettings.Protocol = SslProtocols.Tls12 | SslProtocols.Tls13;
Note
To ensure .NET Framework applications remain secure, the TLS version should not be hard-coded. .NET Framework applications should use the TLS version the operating system (OS) supports.
Please review Transport Layer Security (TLS) best practices with the .NET Framework.
Other SSL certificate verification options
The following properties serve for fine-tuning the certificate verification procedure:
- RemoteCertificateNameMismatchOption
- RevocationMode (X509RevocationMode)
- RevocationFlag (X509RevocationFlag)
- VerificationFlags (X509VerificationFlags)
Note
Intervention in the certificate validation procedure can compromise the security of your data. Such intervention should take place with a complete understanding of what is happening.
Remote certificate validation callback
To intervene in the validation procedure, you can set RemoteCertificateValidationCallback in the SslSettings object. Inside this callback, you can replace the result of the preliminary validation. In this way, you have the option to accept an invalid certificate or reject a valid one.