
My program uses a SHA-1 certificate for its SSL connection. SHA-2 certificates are now widely used by some web services (Gmail) instead. This causes incoming connections to SMTP servers to be blocked during email notification setup.

To send email I use SmtpClient like this:

using System.Net;
using System.Net.Mail;

using (var smtpClient = new SmtpClient(serverSettings.SmtpServerName, (int)serverSettings.SmtpPort))
{
    smtpClient.EnableSsl = serverSettings.SmtpUseSsl;
    smtpClient.UseDefaultCredentials = false;

    // Only attach credentials when a user name or password is configured
    if (!string.IsNullOrEmpty(serverSettings.UserName) || !string.IsNullOrEmpty(serverSettings.EncryptedPassword))
    {
        smtpClient.Credentials = new NetworkCredential(serverSettings.UserName, serverSettings.EncryptedPassword);
    }
    ...
    smtpClient.Send(message);
}

I can't send an email using this code, and I don't want to allow "less secure apps" in my Gmail account.

How do I implement or switch to a SHA-2 certificate for email notifications?

Anatoly
  • I think you need to update the SHA on the server you are hosting your code on. Recently Amazon also upgraded from SHA-1 to SHA-256. I checked Amazon's documentation, but I am afraid they don't have sample code for C# to test whether your application/server supports SHA-256 or not. Maybe you can contact the server authorities. – razorranjan Sep 14 '15 at 05:48

2 Answers


SHA-1 vs. SHA-2 is completely unrelated to the problem you have. For Google, "less secure apps" are applications which don't use OAuth 2.0 for authentication (which would allow for 2-factor authentication) but instead only a simple password. See New Security Measures Will Affect Older (non-OAuth 2.0) Applications for more information.

For using OAuth 2.0 with C#, see SMTP and OAuth 2.

Steffen Ullrich
  • Excellent answer. I would add that the only reason "less secure apps" are less secure is that you are providing the app with your password. The actual authentication and password transmission is still secure. Therefore, turning on "less secure apps" in Gmail does not in itself open you to attack unless you provide your username and password to the attacker. – DWCP Sep 12 '15 at 00:01
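As an added illustration of the point made in this answer (not code from either answer or from the asker): a small .NET Framework diagnostic that logs which signature algorithm the SMTP server's certificate actually carries and whether the framework accepts its chain, so the TLS side can be checked separately from the authentication failure. Host, port, account and password are placeholders, and the callback keeps normal certificate validation in force.

```csharp
using System;
using System.Net;
using System.Net.Mail;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Diagnostic added here (not part of either answer): logs which signature
// algorithm the *server's* certificate carries and whether .NET accepts its
// chain, separately from whether the SMTP login afterwards succeeds.
class SmtpTlsDiagnostic
{
    // Still enforces validation: only a chain the framework already accepts
    // passes. Returning true unconditionally would disable certificate checks.
    static bool LogAndValidate(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        var cert2 = new X509Certificate2(cert);
        Console.WriteLine("Subject:             " + cert2.Subject);
        Console.WriteLine("Signature algorithm: " + cert2.SignatureAlgorithm.FriendlyName); // e.g. sha256RSA
        Console.WriteLine("Policy errors:       " + errors);
        return errors == SslPolicyErrors.None;
    }

    static void Main()
    {
        // Placeholder settings; substitute your own server and account.
        const string host = "smtp.example.com", user = "user@example.com", password = "app-password";
        const int port = 587;
        // The callback is process-wide, so install it only for this check.
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;
        try
        {
            using (var client = new SmtpClient(host, port))
            {
                client.EnableSsl = true;              // STARTTLS on port 587
                client.UseDefaultCredentials = false;
                client.Credentials = new NetworkCredential(user, password);
                client.Send(new MailMessage(user, user, "TLS check", "handshake test"));
            }
        }
        catch (SmtpException ex)
        {
            // "Policy errors: None" in the log followed by this exception
            // points at authentication, not at the certificate.
            Console.WriteLine("SMTP failure: " + ex.StatusCode + " " + ex.Message);
        }
        finally
        {
            ServicePointManager.ServerCertificateValidationCallback = null;
        }
    }
}
```

If the log shows a SHA-2 signature algorithm and no policy errors but the send still fails with an authentication error, the certificate is not the problem and the login method is.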

Although SHA-1 is more resistant than MD5 to collision attacks, it is getting weaker each year. Therefore, Google encourages migrating away from SHA-1 to SHA-2/SHA-3.

I think you should first acquire a SHA-2 certificate and then use the following sample code to set it for SmtpClient:

using System.Net.Mail;
using System.Security.Cryptography.X509Certificates;

// Load the client certificate from disk. Note that a .cer file normally holds
// only the public certificate; TLS client authentication also needs the
// private key (for example from a .pfx).
string certificate = "Certificate.cer";
X509Certificate cert = new X509Certificate2(certificate);

MailMessage message = new MailMessage(from, to);
SmtpClient client = new SmtpClient(server);
client.EnableSsl = true;                // ClientCertificates are only offered over TLS

// Attach the certificate so it is presented during the TLS handshake
client.ClientCertificates.Add(cert);
client.Send(message);

Also notice the MSDN SmtpClient.ClientCertificates remarks:

The Framework caches SSL sessions as they are created and attempts to reuse a cached session for a new request, if possible. When attempting to reuse an SSL session, the Framework uses the first element of ClientCertificates (if there is one), or tries to reuse an anonymous session if ClientCertificates is empty.

Hamed