mirror/Cleanuparr
1
0
Fork 0
mirror of https://github.com/Cleanuparr/Cleanuparr.git synced 2026-03-04 14:27:52 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
fa3aebde9ad05b5b14cbec1a37114fdd32a094bf
Cleanuparr/code/Infrastructure/Services/CertificateValidationService.cs
Flaminel 9463d7587f Add support for unstrusted certificates (#128)
2025-05-06 15:42:41 +03:00

86 lines
2.5 KiB
C#
Raw Blame History

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Common.Configuration.General;
using Common.Enums;
using Infrastructure.Extensions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
namespace Infrastructure.Services;
public class CertificateValidationService
{
private readonly ILogger<CertificateValidationService> _logger;
private readonly HttpConfig _config;
public CertificateValidationService(ILogger<CertificateValidationService> logger, IOptions<HttpConfig> config)
{
_logger = logger;
_config = config.Value;
}
public bool ShouldByPassValidationError(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors)
{
var targetHostName = string.Empty;
if (sender is not SslStream && sender is not string)
{
return true;
}
if (sender is SslStream request)
{
targetHostName = request.TargetHostName;
}
// Mailkit passes host in sender as string
if (sender is string stringHost)
{
targetHostName = stringHost;
}
if (certificate is X509Certificate2 cert2 && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
{
_logger.LogError(
$"https://{targetHostName} uses the obsolete md5 hash in its https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.");
}
if (sslPolicyErrors == SslPolicyErrors.None)
{
return true;
}
if (targetHostName is "localhost" or "127.0.0.1")
{
return true;
}
var ipAddresses = GetIpAddresses(targetHostName);
if (_config.CertificateValidation == CertificateValidationType.Disabled)
{
return true;
}
if (_config.CertificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
ipAddresses.All(i => i.IsLocalAddress()))
{
return true;
}
_logger.LogError($"certificate validation for {targetHostName} failed. {sslPolicyErrors}");
return false;
}
private static IPAddress[] GetIpAddresses(string host)
{
if (IPAddress.TryParse(host, out var ipAddress))
{
return [ipAddress];
}
return Dns.GetHostEntry(host).AddressList;
}
}
Reference in New Issue View Git Blame Copy Permalink