From f5698ef1e1c6b11b097beb7d021bfa49b76289db Mon Sep 17 00:00:00 2001
From: xljiulang <366193849@qq.com>
Date: Tue, 20 Jul 2021 00:34:09 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E8=BF=9C=E7=A8=8B=E8=AF=81?= =?UTF-8?q?=E4=B9=A6=E9=AA=8C=E8=AF=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 FastGithub.ReverseProxy/HttpClientHanlder.cs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/FastGithub.ReverseProxy/HttpClientHanlder.cs b/FastGithub.ReverseProxy/HttpClientHanlder.cs
index 2e2c18a..455ac3f 100644
--- a/FastGithub.ReverseProxy/HttpClientHanlder.cs
+++ b/FastGithub.ReverseProxy/HttpClientHanlder.cs
@@ -2,6 +2,7 @@
 using System.Net.Http;
 using System.Net.Security;
 using System.Net.Sockets;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -51,9 +52,15 @@ namespace FastGithub.ReverseProxy
 await sslStream.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
 {
 TargetHost = tlsSniContext.TlsSniPattern.Value,
- RemoteCertificateValidationCallback = delegate { return true; }
+ RemoteCertificateValidationCallback = ValidateServerCertificate
 }, cancellationToken);
 return sslStream;
+
+ // 这里最好需要验证证书的使用者和所有使用者可选名称
+ static bool ValidateServerCertificate(object sender, X509Certificate? cert, X509Chain? chain, SslPolicyErrors errors)
+ {
+ return errors == SslPolicyErrors.None || errors == SslPolicyErrors.RemoteCertificateNameMismatch;
+ }
 }
 };
 }
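Review bot: `ValidateServerCertificate` in the second hunk accepts `SslPolicyErrors.RemoteCertificateNameMismatch` unconditionally, so a certificate that chains to a trusted root is accepted whatever name it was issued for, and the upstream's identity is still not verified. The mismatch is presumably expected because `TargetHost` is set from `TlsSniPattern` rather than the real host, and the comment above the function already says the subject and subject alternative names ought to be checked. I would tolerate the mismatch only when the certificate covers the host actually being requested, e.g. `return errors == SslPolicyErrors.None || (errors == SslPolicyErrors.RemoteCertificateNameMismatch && CertCoversHost(cert, requestHost));`, where `CertCoversHost` and `requestHost` are placeholders for a SAN/subject check and the request host, neither of which is visible in this hunk; the local function would have to drop `static` to capture the host. The exact `==` comparison on the flags value is worth keeping, since it rejects a name mismatch combined with chain errors. The enclosing method starts before the hunk.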