SmtpServer icon indicating copy to clipboard operation
SmtpServer copied to clipboard

Published 20 hours ago verified publisher icon cosullivan

Better validation-callback for self-signed certificate

Open ststeiger opened this issue 3 years ago • 0 comments

Hey, really nice work. I have something for you. A better certificate callback. Instead of just return-true, this actually checks for errors, but allows untrusted root CAs. I would have sent a pull-request, but I have changed other things which you might not want.

namespace SampleApp
{


    public static class CertificateCallback
    {
        

        public static void Initialize()
        {
            System.Net.ServicePointManager.ServerCertificateValidationCallback = CertificateValidationCallBack;
        }


        private static bool CertificateValidationCallBack(
             object sender,
             System.Security.Cryptography.X509Certificates.X509Certificate certificate,
             System.Security.Cryptography.X509Certificates.X509Chain chain,
             System.Net.Security.SslPolicyErrors sslPolicyErrors)
        {
            // If the certificate is a valid, signed certificate, return true.
            if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
            {
                return true;
            }

            // If there are errors in the certificate chain, look at each error to determine the cause.
            if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            {
                if (chain != null && chain.ChainStatus != null)
                {
                    foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
                    {
                        if ((certificate.Subject == certificate.Issuer) &&
                           (status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
                        {
                            // Self-signed certificates with an untrusted root are valid. 
                            continue;
                        }
                        else
                        {
                            if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
                            {
                                // If there are any other errors in the certificate chain, the certificate is invalid,
                                // so the method returns false.
                                return false;
                            }
                        }
                    }
                }

                // When processing reaches this line, the only errors in the certificate chain are 
                // untrusted root errors for self-signed certificates. These certificates are valid
                // for default Exchange server installations, so return true.
                return true;
            }
            else
            {
                // In all other cases, return false.
                return false;
            }
        }


    }


}

ststeiger avatar Oct 08 '21 08:10 ststeiger