rspec/rules/S4830/csharp/comments-and-links.adoc

=== on 29 Oct 2019, 11:20:05 Alexandre Gigleux wrote:
Reference: \https://khalidabuhakmeh.com/validating-ssl-certificates-with-dotnet-servicepointmanager

=== on 6 Nov 2019, 17:18:01 Pavel Mikula wrote:
Few more occurrances of certificate validation procedure:


https://docs.microsoft.com/en-us/dotnet/api/system.net.httpwebrequest.servercertificatevalidationcallback?view=netframework-4.8


https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclienthandler.servercertificatecustomvalidationcallback?view=netframework-4.8


https://docs.microsoft.com/en-us/dotnet/api/system.net.websockets.clientwebsocketoptions.remotecertificatevalidationcallback?view=netcore-3.0


https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslclientauthenticationoptions.remotecertificatevalidationcallback?view=netcore-3.0


And as constructor parameter here:


https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.-ctor?view=netframework-4.8

=== on 29 Oct 2020, 16:15:06 Marcos Giurni wrote:
The is an error in the compliant solution. The logical operator must be || instead of &&.


_return errors == SslPolicyErrors.None_

 _{color:#de350b}||{color} validCerts.Contains(certificate.GetCertHashString());_


Thus, the validation callback will return true if there are no errors (errors == SslPolicyErrors.None) OR if, even with an error, the certificate is in the valid list.

=== on 29 Oct 2020, 16:36:19 Pavel Mikula wrote:
\[~mgiurni] There's ``++"trust only some certificates"++`` comment explaining the intention. The validation checks normal errors and from all environment-level trusted certificates it trusts only few selected ones. Probably those that are relevant to given context for extra security.


I think the example is correct and we should not promote trusting expired or invalid certificates.

include::../comments-and-links.adoc[]