SslStream AuthenticateAsServer with optional ClientCertificate

Question

Considering the SslStream.AuthenticateAsServer method, the second parameter clientCertificateRequired:

If it is set to true, a client certificate is required. It will throw an exception if not. The client certificate will be available in the property RemoteCertificate.

When set to false, no client certificate is required, the property RemoteCertificate shall always be null. Even if one is provided by the client.

What I like to accomplish is to let the client decide whether it will or will not provide a certificate. But, if they do provide one, I like to know it on the server.

I have tried to first set the variable to true, if this fails, fallback to not require the certificat. However, this result in an "Already Authenticated Exception".

try{
        sslStream.AuthenticateAsServer(x509certificate, true, SslProtocols.Tls, true);
}catch(Exception ex){
        sslStream.AuthenticateAsServer(x509certificate, false, SslProtocols.Tls, true);
}

score 6 · Accepted Answer · answered May 22 '15 at 20:21

I strongly believe this is a documentation flaw.

Actually the parameter clientCertificateRequired will control whether client certificates are not ignored. This means:

clientCertificateRequired = false will ignore any client certificate on the server side. No certificate is checked for existence nor validity.

clientCertificateRequired = true will respect any sent client certificate on the server side. If a client certificate is missing the validation callback is called with SslPolicyErrors.RemoteCertificateNotAvailable which results in the exception you catch, when using the default implementation.

So in your case: Set clientCertificateRequired to true and implement a custom validation callback, like this:

var client = server.AcceptTcpClient()
var networkStream = client.GetStream()

var sslStream = new SslStream(
    networkStream,
    false,
    (sender, certificate, chain, errors) =>
    {
        if (errors == SslPolicyErrors.None)
        {
            return true;
        }

        if (errors == SslPolicyErrors.RemoteCertificateNotAvailable)
        {
            // seems to be okay for you
            return true;
        }

        return false;
    },
    (sender, host, certificates, certificate, issuers) => x509certificate
);

sslStream.AuthenticateAsServer(x509certificate, true, SslProtocols.Tls, true);

Just to add. In TLS/SSL, if the server wants the client to provide a certificate, the server has to ask the client. The client cannot provide a client certificate if the server didn't ask for one. Setting `AuthenticateAsServer(clientCertificateRequired = true)` causes the server to ask for a client certificate. Note also that the server-side `ValidateRemoteCertificate` may be called regardless of the setting of `clientCertificateRequired`, so checking for `SslPolicyErrors.RemoteCertificateNotAvailable` and determining if that is acceptable to your server is the right way to do this. — Trevor, Jan 30 '18 at 12:01

SslStream AuthenticateAsServer with optional ClientCertificate

1 Answers1