Log4net / LOG4NET-315

SmtpAppender - Add support for ignoring certificate errors

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 1.2.11
    • Fix Version/s: 1.2.12
    • Component/s: Appenders
    • Labels:
      None

      Description

      As of 1.2.11, the SmtpAppender has support for enabling SMTP connections to use SSL. It is pretty common to have an SMTP server that is using a self-signed certificate, which will fail the certificate validation. While you can override the certificate error on an application level to overcome this, you might want to limit the ignoring of the certificate error to just the appender.

      Proposed Changes

      Add a property that allows one to indicate they wish to ignore certificate failures:
      DisableCertificateValidation

      Add a line like this to the SendBuffer method:

      ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(ValidateRemoteCertificate);

      Then create a callback method like so:

      private bool ValidateRemoteCertificate(object sender,
          X509Certificate certificate,
          X509Chain chain,
          SslPolicyErrors policyErrors)
      {
          // Accept any certificate when validation is disabled on the appender.
          if (DisableCertificateValidation) return true;
          // SslPolicyErrors is an enum, so compare against None rather than null.
          return policyErrors == SslPolicyErrors.None;
      }

        Activity

        Jim Scott created issue -
        Stefan Bodewig made changes -
        Field Original Value New Value
        Fix Version/s 1.2.12 [ 12318546 ]
        Fix Version/s 1.2 Maintenance Release [ 12317606 ]
        Jim Scott added a comment -

        I did some testing today and my above suggestion will not work as I was expecting it to. By setting the callback method on ServicePointManager.ServerCertificateValidationCallback you effectively disable/enable SSL validation for the entire application.

        So given that is the case, it would be simpler to override the need for SSL validation in your app.config or web.config.

        This also means my previously mentioned approach is invalid. It would still be great if we could figure out a way to disable certificate validation for just the request you are interested in making.

        Here is how it is done at the application level.

        <system.net>
          <settings>
            <!-- Allows for the SSL Certificate to be self-signed or invalid. -->
            <servicePointManager checkCertificateName="false" />
          </settings>
        </system.net>

        Stefan Bodewig added a comment -

        Can't the server argument of the callback be used to identify the mail server in question and only suppress validation for that?

        Dominik Psenner added a comment -

        That's not so easy. The ServicePointManager.ServerCertificateValidationCallback is defined as:

        public delegate bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors);

        So there is no real way to identify the mail server from the certificate without doing some dark magic. It would actually require user interaction, and since user interaction is not feasible for a logging application, I agree with Jim Scott that this issue should be addressed with a workaround in the application configuration.

        Dominik Psenner made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Won't Fix [ 2 ]
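
Added example, not part of the issue thread or of log4net's code: a validation callback that tolerates policy errors only for one pinned certificate (matched by the SHA-256 of its DER encoding) and leaves default validation in force for every other connection in the process. The class name, host names and generated test certificates are constructed for illustration; the demo assumes a runtime that has CertificateRequest (.NET Framework 4.7.2 or later, or .NET Core 2.0 or later).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: accept one pinned certificate, validate everything else normally.
public sealed class PinnedCertificateValidator
{
    private readonly string _pinnedSha256; // hex SHA-256 of the mail server's DER-encoded certificate
    public PinnedCertificateValidator(string pinnedSha256Hex) { _pinnedSha256 = pinnedSha256Hex; }

    public static string Sha256Hex(X509Certificate certificate)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(certificate.GetRawCertData())).Replace("-", "");
    }

    // Signature matches RemoteCertificateValidationCallback.
    public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true; // platform validation succeeded
        if (certificate == null) return false;           // nothing to compare against
        // Chain or name errors are tolerated only for the exact pinned certificate.
        return string.Equals(Sha256Hex(certificate), _pinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    // Still process-wide; if several handlers are attached, only the last one's result is used.
    public void Install() { ServicePointManager.ServerCertificateValidationCallback += Validate; }
}

public static class Demo
{
    private static X509Certificate2 SelfSigned(string cn) // constructed test certificate
    {
        using (var rsa = RSA.Create(2048))
            return new CertificateRequest("CN=" + cn, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                .CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
    }

    public static void Main()
    {
        var mail = SelfSigned("mail.example.test");
        var other = SelfSigned("other.example.test");
        var validator = new PinnedCertificateValidator(PinnedCertificateValidator.Sha256Hex(mail));
        Console.WriteLine(validator.Validate(null, mail, null, SslPolicyErrors.RemoteCertificateChainErrors));
        Console.WriteLine(validator.Validate(null, other, null, SslPolicyErrors.RemoteCertificateChainErrors));
    }
}
```

The pin has to be updated whenever the mail server's certificate is reissued; until then, sends fail closed instead of falling back to accepting any certificate.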

          People

          • Assignee:
            Unassigned
            Reporter:
            Jim Scott
          • Votes:
            1
            Watchers:
            0


              Time Tracking

              Estimated:
              Original Estimate - 2h
              Remaining:
              Remaining Estimate - 2h
              Logged:
              Time Spent - Not Specified
