
Class CertificateValidations

Namespace
Elasticsearch.Net
Assembly
Elasticsearch.Net.dll

A collection of handy, baked-in server certificate validation callbacks.

public static class CertificateValidations
Inheritance
CertificateValidations

Methods

AllowAll(object, X509Certificate, X509Chain, SslPolicyErrors)

DANGEROUS: never use this in production. It validates ALL certificates to true.

public static bool AllowAll(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)

Parameters

sender object
certificate X509Certificate
chain X509Chain
errors SslPolicyErrors

Returns

bool

Always true, allowing ALL certificates

AuthorityIsRoot(X509Certificate, bool, X509RevocationMode)

Helper to create a certificate validation callback based on the certificate authority (CA) certificate that we used to generate the nodes' certificates. This callback does NOT expect the CA to be part of the chain presented by the server. Including the root certificate in the chain increases the SSL handshake size, and Elasticsearch's certgen by default does not include the CA in the certificate chain.

public static Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool> AuthorityIsRoot(X509Certificate caCertificate, bool trustRoot = true, X509RevocationMode revocationMode = X509RevocationMode.NoCheck)

Parameters

caCertificate X509Certificate

The CA certificate used to generate the nodes' certificates.

trustRoot bool

Custom CAs are never trusted by default unless they are in the machine's trusted store. Set this to true if you've added the CA to the machine's trusted store, in which case UntrustedRoot should not be accepted.

revocationMode X509RevocationMode

By default we do not check revocation; it is, however, recommended to check this (either offline or online).

Returns

Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool>
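Example (added here, not part of the original reference or the project's own code): wiring the AuthorityIsRoot callback into a client, with AllowAll confined to a loopback development node. It assumes the ConnectionConfiguration, SingleNodeConnectionPool and ElasticLowLevelClient types from the same Elasticsearch.Net assembly; ClientFactory, nodeUri, caPath, revocationMode and isDevelopment are hypothetical names.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Elasticsearch.Net;

public static class ClientFactory
{
    // nodeUri and caPath are hypothetical inputs, e.g. https://es01.internal:9200
    // and the path to the CA certificate that signed the node certificates.
    public static ElasticLowLevelClient Create(
        Uri nodeUri,
        string caPath,
        X509RevocationMode revocationMode,
        bool isDevelopment)
    {
        var config = new ConnectionConfiguration(new SingleNodeConnectionPool(nodeUri));

        if (isDevelopment && nodeUri.IsLoopback)
        {
            // Weak setting: every certificate is accepted, so the server is not
            // authenticated at all. Restricted here to a local development node.
            config.ServerCertificateValidationCallback(CertificateValidations.AllowAll);
        }
        else
        {
            // Hardened setting: only accept node certificates issued by our CA.
            // AuthorityIsRoot fits when the server does NOT send the CA in its
            // chain (the certgen default described above).
            var ca = new X509Certificate(caPath);

            // trustRoot is left at its default. revocationMode defaults to
            // NoCheck in the library; Online or Offline is recommended, but both
            // need the CA to publish revocation data the client can reach.
            config.ServerCertificateValidationCallback(
                CertificateValidations.AuthorityIsRoot(ca, revocationMode: revocationMode));
        }

        return new ElasticLowLevelClient(config);
    }
}
```

If the nodes present the CA as an intermediate in their chain, swap in AuthorityPartOfChain with the same arguments.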

AuthorityPartOfChain(X509Certificate, bool, X509RevocationMode)

Helper to create a certificate validation callback based on the certificate authority (CA) certificate that we used to generate the nodes' certificates. This callback expects the CA to be part of the chain as an intermediate CA.

public static Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool> AuthorityPartOfChain(X509Certificate caCertificate, bool trustRoot = true, X509RevocationMode revocationMode = X509RevocationMode.NoCheck)

Parameters

caCertificate X509Certificate

The CA certificate used to generate the nodes' certificates.

trustRoot bool

Custom CAs are never trusted by default unless they are in the machine's trusted store. Set this to true if you've added the CA to the machine's trusted store, in which case UntrustedRoot should not be accepted.

revocationMode X509RevocationMode

By default we do not check revocation; it is, however, recommended to check this (either offline or online).

Returns

Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool>

DenyAll(object, X509Certificate, X509Chain, SslPolicyErrors)

Always false, in effect blocking ALL certificates

public static bool DenyAll(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)

Parameters

sender object
certificate X509Certificate
chain X509Chain
errors SslPolicyErrors

Returns

bool

Always false, always blocking ALL certificates