
Add X509ChainPolicy to SslOptions #71191

Closed

Description

@wfurt

Background and motivation

When the TLS handshake is completed, SslStream does peer certificate validation. This always happens on the client, and it can happen on the server if a client cert is provided. This process can, for example, download additional certificates over the network, and there is no way for the caller to impact the processing. Only after all this is done can the custom delegate be called for additional checks. This is inconvenient and it can possibly lead to performance or security issues.

SslStream currently creates an X509ChainPolicy behind the curtain to validate the peer's certificate.
The proposal is to add the existing X509ChainPolicy type to SslOptions so callers of SslStream can customize the validation process. If provided, it would be used exclusively, and existing properties impacting validation (like CertificateRevocationCheckMode) will be ignored.

related to #59979, #35839, #59944, #40423

API Proposal

namespace System.Net.Security
{
    public class SslServerAuthenticationOptions
    {
        ....
+       public X509ChainPolicy? ValidationPolicy { get; set; }
    }
    public class SslClientAuthenticationOptions
    {
        ....
+       public X509ChainPolicy? ValidationPolicy { get; set; }
    }
}

API Usage

on client

X509ChainPolicy policy = new X509ChainPolicy();
policy.TrustMode = X509ChainTrustMode.CustomRootTrust;  // trust only our private root, not the system store
policy.CustomTrustStore.Add(s_ourPrivateRoot);
policy.UrlRetrievalTimeout = TimeSpan.FromSeconds(3);   // bound any network fetch during chain building

SslClientAuthenticationOptions options = new SslClientAuthenticationOptions();
options.TargetHost = "myServer";
options.ValidationPolicy = policy;

var ssl = new SslStream(transportStream);
await ssl.AuthenticateAsClientAsync(options, cancellationToken);

on server preventing downloads:

X509ChainPolicy policy = new X509ChainPolicy();
policy.DisableCertificateDownloads = true;   // never fetch missing intermediates (AIA) from the network
var options = new SslServerAuthenticationOptions();
options.ValidationPolicy = policy;

var ssl = new SslStream(transportStream);
await ssl.AuthenticateAsServerAsync(options, cancellationToken);
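An added example, not code from this issue or from dotnet/runtime, that combines the two usages above into a client for a private PKI and adds a fail-closed RemoteCertificateValidationCallback that records the chain status. It assumes the proposed ValidationPolicy property name (the property shipped in .NET 7 as CertificateChainPolicy) and that the caller supplies the private root certificate.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

static class PrivatePkiTls
{
    // Policy for a client that accepts only servers issued under our private root
    // and never touches the network while building the chain.
    public static X509ChainPolicy BuildClientPolicy(X509Certificate2 privateRoot)
    {
        var policy = new X509ChainPolicy
        {
            TrustMode = X509ChainTrustMode.CustomRootTrust,
            // With ValidationPolicy set, CertificateRevocationCheckMode on the
            // options is ignored, so revocation has to be configured here.
            RevocationMode = X509RevocationMode.Offline,   // cached CRLs only
            DisableCertificateDownloads = true,            // no AIA fetching
            UrlRetrievalTimeout = TimeSpan.FromSeconds(2),
        };
        policy.CustomTrustStore.Add(privateRoot);
        return policy;
    }

    public static async Task<SslStream> ConnectAsync(Stream transport, string targetHost,
        X509Certificate2 privateRoot, CancellationToken ct)
    {
        var options = new SslClientAuthenticationOptions
        {
            TargetHost = targetHost,
            ValidationPolicy = BuildClientPolicy(privateRoot), // proposed name (assumption)
            RemoteCertificateValidationCallback = FailClosed,
        };
        var ssl = new SslStream(transport, leaveInnerStreamOpen: false);
        await ssl.AuthenticateAsClientAsync(options, ct);
        return ssl;
    }

    // Runs after the chain was built with our policy: reject anything that is not
    // clean and record the chain status so the failure can be diagnosed.
    private static bool FailClosed(object sender, X509Certificate? cert,
        X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine($"TLS peer validation failed: {errors}");
        foreach (X509ChainStatus s in chain?.ChainStatus ?? Array.Empty<X509ChainStatus>())
            Console.Error.WriteLine($"  {s.Status}: {s.StatusInformation}");
        return false;
    }
}
```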

Alternative Designs

We could add specific properties to SslOptions and use them when creating the policy, similar to CertificateRevocationCheckMode. The problem is duplication as well as maintenance. We may add new options to X509ChainPolicy, and they would be immediately available to callers of SslStream. If we keep adding discrete properties we will always be behind.

Risks

Current validation is hidden from callers and pretty simple. Fiddling with X509ChainPolicy is for advanced users, and misconfiguring it can have security impact.
