I would like to download some data securely from an FTP server. The data is sensitive. For security I will use FTP over TLS. The self-signed certificate will be installed on the client.
Is it enough to hash the certificate from the server and compare it with the hash of the certificate on the client, so I can be sure that it is the correct certificate? After that I would like to check whether the certificate is valid.
Here is my function:
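/// <summary>
/// RemoteCertificateValidationCallback that pins the server certificate to the local copy
/// stored in c:\temp\cert.crt. A certificate whose fingerprint does not match the pinned
/// copy is rejected outright; a matching certificate is then accepted only if the chain
/// reports no error other than an untrusted root for a self-signed certificate.
/// </summary>
/// <param name="sender">Ignored; supplied by the TLS stack.</param>
/// <param name="cert">Certificate presented by the server. The TLS stack passes null when
/// no certificate was presented; the method then returns false.</param>
/// <param name="chain">Chain the TLS stack built for <paramref name="cert"/>; may be null.</param>
/// <param name="Errors">Policy errors the TLS stack found for <paramref name="cert"/>.</param>
/// <returns>true if the connection should be accepted, otherwise false.</returns>
public bool myCertificateValidation(Object sender,
X509Certificate cert,
X509Chain chain,
SslPolicyErrors Errors)
{
// Nothing to pin against; the original code dereferenced cert and would have thrown here.
if (cert == null)
{
return false;
}

// NOTE(review): the pinned certificate is re-read from disk on every handshake; cache it
// (e.g. in a static field) if the callback runs often.
var pem = System.IO.File.ReadAllText(@"c:\temp\cert.crt");
byte[] certBuffer = GetBytesFromPEM(pem, "CERTIFICATE");

// X509Certificate2 implements IDisposable; release it once the comparison is done.
using (var certificate = new X509Certificate2(certBuffer))
{
// Pin check: the presented certificate must be the same certificate as the local copy.
// NOTE(review): the parameterless GetCertHashString() is the SHA-1 thumbprint; a SHA-256
// fingerprint is the preferred pin where the runtime offers one.
string expectedThumbprint = certificate.GetCertHashString();
string presentedThumbprint = cert.GetCertHashString();
if (!string.Equals(expectedThumbprint, presentedThumbprint, StringComparison.Ordinal))
{
return false;
}

// Pinned and fully valid according to the TLS stack.
if (Errors == SslPolicyErrors.None)
{
return true;
}

// Any error other than a chain error (e.g. a host-name mismatch) is not tolerated.
if ((Errors & SslPolicyErrors.RemoteCertificateChainErrors) == 0)
{
return false;
}

// The pin matched, so the local copy tells us whether the certificate is self-signed.
bool isSelfSigned = certificate.Subject == certificate.Issuer;
if (chain != null && chain.ChainStatus != null)
{
foreach (X509ChainStatus status in chain.ChainStatus)
{
if (isSelfSigned && status.Status == X509ChainStatusFlags.UntrustedRoot)
{
// An untrusted root is expected for a pinned self-signed certificate.
continue;
}
if (status.Status != X509ChainStatusFlags.NoError)
{
// Any other chain error (e.g. not time valid) rejects the certificate.
return false;
}
}
}

// Only untrusted-root errors for the pinned self-signed certificate were found.
return true;
}
}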
Am I barking up the wrong tree?