Handling SSL\TLS Errors

Jesse Nicholson edited this page Jul 16, 2018 · 4 revisions

The .NET Framework (including .NET Core/Standard) provides the ability to perform custom validation of certificate chains during an SSL/TLS handshake. This is exposed via the ServicePointManager.ServerCertificateValidationCallback global handler.

The first thing you need to know about the ServicePointManager.ServerCertificateValidationCallback handler is that it is a global solution to a local problem.

The second thing you need to know about this callback is that it's a plain delegate, not an event, and is typically appended to (with `+=`). When appended to, the return value of the last function invoked in the chain is the one that takes effect. When assigned directly (with `=`), you hijack this global for exclusive use, and any later appending operations on the handler will silently fail.

The abstract ProxyServer class internally appends this handler with its own protected virtual callback, which can of course be overridden. By default, CitadelCore will not permit any certificate errors except for issues contacting CRL (Certificate Revocation List) servers. That is to say, CitadelCore will explicitly pass a failed certificate chain only when the chain fails validation exclusively because the CRL server for one or more certificates in the chain could not be contacted.

If you don't like this behavior, or if you'd like to modify how CitadelCore or any variant (platform-specific version) handles SSL/TLS issues, you can either append to the ServicePointManager.ServerCertificateValidationCallback global delegate, hijack it exclusively within your domain with assignment, or override the virtual function CertificateVerificationHandler in the ProxyServer class and implement your own custom functionality.
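As an added illustration (not CitadelCore's own code), the following standalone RemoteCertificateValidationCallback reproduces the default policy described above: a chain is accepted only when every reported defect is a revocation-check reachability problem, and anything else (name mismatch, untrusted root, expiry, an actually revoked certificate) is rejected. It is appended to the global delegate rather than assigned, so other registered handlers keep running; the class and method names are this example's own.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of CitadelCore. Names here are hypothetical.
public static class CrlTolerantValidation
{
    // Status flags that mean "revocation could not be checked" (CRL/OCSP
    // endpoint unreachable), as opposed to "revoked" or any other chain defect.
    private const X509ChainStatusFlags CrlUnreachableFlags =
        X509ChainStatusFlags.RevocationStatusUnknown |
        X509ChainStatusFlags.OfflineRevocation;

    public static bool Validate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // A clean handshake needs no special handling.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Only chain errors are ever tolerable. A name mismatch or a missing
        // certificate is never excused, regardless of chain status.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors || chain == null)
            return false;

        bool sawCrlProblem = false;
        foreach (X509ChainElement element in chain.ChainElements)
        {
            foreach (X509ChainStatus status in element.ChainElementStatus)
            {
                if (status.Status == X509ChainStatusFlags.NoError)
                    continue;
                // Any bit outside the CRL-reachability set is a real defect.
                if ((status.Status & ~CrlUnreachableFlags) != 0)
                    return false;
                sawCrlProblem = true;
            }
        }
        // Pass only if the sole reported problem was an unreachable CRL server.
        return sawCrlProblem;
    }

    // Append (+=) rather than assign (=) so handlers registered by other code,
    // including ProxyServer's own, are not replaced.
    public static void Register()
    {
        ServicePointManager.ServerCertificateValidationCallback += Validate;
    }
}
```

Because the return value of the last delegate in the invocation list wins, register this handler after any others whose verdict it is meant to override.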