Add support to CavemanTcpClient for server side validation only (non mutual TLS) #17
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ng client certificate. If SSL gets enabled, then an empty X509Certificate2Collection is passed during authenticate as client.
…re and log any ssl policy errors
…nection initialisation.
…ing the authentication phase
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi,
I have been using this library in a number of projects recently and has worked really well, however I needed to make some modifications to handle a TLS use case in a project I was working on. I am submitting these changes for review to see if they fit in the main branch,
All existing constructors needed to load a certificate in some form in order to activate ssl, in my use case I just wanted to perform TLS with server certificate validation only. A new constructor was added to support this.
Also a new validation call back was added to support diagnostics when there are certificate issues encountered, this includes logging out the certificate chain if there is a problem to help debug.
Within the client settings, in addition to an existing AcceptInvalidCertificates setting, I propose an additional CheckCertificateRevocation setting which gets used by the SslStream AuthenticateAsClient method in order to determine if the validation should include a online revocation check. In my use case, I only wanted to validate the certificate but not go online to try check the revocation list (CRL). I believe in the other overloads of the framework AuthenicateAsClient method that this defaults to false anyway if not set.