I am trying to implement SSL handshake for my HTTPListener. I use a netsh command to set the certificate to be used for SSL so that the client can verify the server. Everything is working fine, I just have one question. When I do -
HttpListenerRequest.GetClientCertificate()
Does this validate that the client really is who it says it is? Does this verify the private key of the client certificate against the public key before receiving the certificate?
It does validate the certificate, because it creates a call to the X509Certificate2 constructor, but validation may not mean what you think it means. The constructor returns a cryptographic exception if the cert is missing, or if it's invalid, or if the cert password is incorrect.
(https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.-ctor?view=net-5.0#System_Security_Cryptography_X509Certificates_X509Certificate2__ctor_System_Byte___System_Security_SecureString_) Does this prove the client is who he says he is? That's a more nuanced question. If you're looking for a specific person or group you can store thumbprints from acceptable clients in a database, and proceed favorably only if you get a match.
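An added example (not code from the question or the answer above) of the thumbprint allow-list approach, combined with the checks a server should make on top of it. Two facts worth separating: proof that the client holds the private key matching its certificate happens inside the TLS handshake itself (the client signs handshake data, and http.sys rejects the connection if that signature fails), so by the time `GetClientCertificate()` returns, possession has already been demonstrated; what it has not done is decide whether the certificate chains to a CA you trust, is unrevoked, is valid for client authentication, or belongs to a client you want to admit. The prefix, port, the thumbprint values and the chain policy below are assumptions; the `netsh http add sslcert` binding must use `clientcertnegotiation=enable` for http.sys to request a client certificate at all.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class MutualTlsListener
{
    // Constructed placeholders: replace with the SHA-1 thumbprints (hex, no spaces)
    // of the client certificates you have decided to accept.
    static readonly HashSet<string> AllowedThumbprints = new(StringComparer.OrdinalIgnoreCase)
    {
        "PLACEHOLDER_THUMBPRINT_CLIENT_A",
        "PLACEHOLDER_THUMBPRINT_CLIENT_B",
    };

    // Returns true only when the presented certificate passed http.sys, builds a
    // trusted chain, is valid for client authentication and is on the allow-list.
    static bool IsTrustedClient(HttpListenerRequest request, out string reason)
    {
        // Whatever the client presented during the handshake; null if it sent nothing.
        X509Certificate2 cert = request.GetClientCertificate();
        if (cert == null)
        {
            reason = "no client certificate presented";
            return false;
        }

        // http.sys records its own error code for the presented certificate
        // (only readable after GetClientCertificate has been called).
        if (request.ClientCertificateError != 0)
        {
            reason = $"http.sys reported client certificate error {request.ClientCertificateError}";
            return false;
        }

        // Chain building: trust anchor, validity period, revocation, and EKU.
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;   // assumed policy
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // id-kp-clientAuth
        if (!chain.Build(cert))
        {
            reason = string.Join("; ",
                chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
            return false;
        }

        // Identity pinning: a valid chain says "issued by a CA we trust",
        // the allow-list says "this specific client".
        if (!AllowedThumbprints.Contains(cert.Thumbprint))
        {
            reason = $"thumbprint {cert.Thumbprint} is not on the allow-list";
            return false;
        }

        reason = "ok";
        return true;
    }

    static void Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add("https://+:8443/");   // assumed prefix; must match the netsh sslcert binding
        listener.Start();
        Console.WriteLine("Listening; client certificate required on each request.");

        while (true)
        {
            HttpListenerContext ctx = listener.GetContext();
            bool trusted = IsTrustedClient(ctx.Request, out string reason);
            Console.WriteLine($"{ctx.Request.RemoteEndPoint} -> {(trusted ? "accepted" : "rejected")} ({reason})");

            ctx.Response.StatusCode = trusted ? 200 : 403;
            byte[] body = System.Text.Encoding.UTF8.GetBytes(trusted ? "hello, verified client\n" : "forbidden\n");
            ctx.Response.ContentLength64 = body.Length;
            ctx.Response.OutputStream.Write(body, 0, body.Length);
            ctx.Response.Close();
        }
    }
}
```

The allow-list check is deliberately placed after chain validation rather than instead of it: a thumbprint match alone would still admit an expired or revoked certificate, and the chain check alone would admit any certificate the trusted CA has ever issued. Log the rejection reason rather than returning it to the client, so a failed attempt tells the operator what happened without telling the caller how the check is built.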