9

I'm attempting to send emails programmatically using SmtpClient.Send. I am currently getting an AuthenticationException when attempting to send the email. This is because of the certificate validation procedure failing.

I know that the certificate is the correct one, but I also understand that it's not secure to trust all certificates much like the suggestions of doing this:

ServicePointManager.ServerCertificateValidationCallback += 
     (sender, certificate, chain, sslPolicyErrors) => { return true; };

So I was wondering if testing the Thumbprint for a known valid certificate thumbprint is secure enough, like so:

ServicePointManager.ServerCertificateValidationCallback +=
     (sender, certificate, chain, sslPolicyErrors) =>
     {
         if (sslPolicyErrors == SslPolicyErrors.None)
             return true;
         else if (certificate.GetCertHashString().Equals("B1248012B10248012B"))
             return true;

         return false;
     };
Martin Prikryl
  • 188,800
  • 56
  • 490
  • 992
test
  • 2,589
  • 2
  • 24
  • 52

2 Answers2

9

Yes.

The thumbprint is a SHA1 hash of the certificate, and while not absolutely impossible, is extremely difficult to forge.

In technical terms, there are currently no known feasable second-preimage attacks on SHA1.

However, if in any doubt, you may store the whole certificate, perhaps using the fingerprint as a key. Then you can compare the whole certificate against your stored, trusted certificate.

Ben
  • 34,935
  • 6
  • 74
  • 113
2

Thumbprint is not a part of the certificate. In every cert tool you can see this value, but it is computed hash from whole certificate. Usually it is presented as SHA1, but there are no obstacles to compute as SHA256.

Morgan Simonsen wrote about this: https://morgansimonsen.com/2013/04/16/understanding-x-509-digital-certificate-thumbprints/

Akodo_Shado
  • 790
  • 7
  • 13