SslStream Constructor (Stream, Boolean, RemoteCertificateValidationCallback, LocalCertificateSelectionCallback)



Initializes a new instance of the SslStream class using the specified Stream, stream closure behavior, certificate validation delegate and certificate selection delegate.

Namespace:   System.Net.Security
Assembly:  System (in System.dll)

public SslStream(
	Stream innerStream,
	bool leaveInnerStreamOpen,
	RemoteCertificateValidationCallback userCertificateValidationCallback,
	LocalCertificateSelectionCallback userCertificateSelectionCallback
)

innerStream
Type: System.IO.Stream

A Stream object used by the SslStream for sending and receiving data.

leaveInnerStreamOpen
Type: System.Boolean

A Boolean value that indicates the closure behavior of the Stream object used by the SslStream for sending and receiving data. This parameter indicates if the inner stream is left open.

userCertificateValidationCallback
Type: System.Net.Security.RemoteCertificateValidationCallback

A RemoteCertificateValidationCallback delegate responsible for validating the certificate supplied by the remote party.

userCertificateSelectionCallback
Type: System.Net.Security.LocalCertificateSelectionCallback

A LocalCertificateSelectionCallback delegate responsible for selecting the certificate used for authentication.

Exception Condition

innerStream is not readable.


innerStream is not writable.


innerStream is null.


innerStream is equal to Null.

When you specify true for the leaveInnerStreamOpen parameter, closing the SslStream has no effect on the innerStream stream; you must explicitly close innerStream when you no longer need it.

The userCertificateValidationCallback delegate's certificateErrors argument contains any Windows error codes returned by the channel Security Support Provider Interface (SSPI). The return value of the method invoked by the userCertificateValidationCallback delegate determines whether authentication succeeds.

The security protocol and cryptographic algorithms are already selected when the userCertificateValidationCallback delegate's method is invoked. You can use the method to determine whether the selected cryptographic algorithms and strengths are sufficient for your application. If not, the method should return false to prevent the SslStream from being created.

The userCertificateSelectionCallback delegate is useful when your application has multiple certificates and must dynamically choose a certificate. Certificates in the "MY" store are passed to the method invoked by the delegate.

If a value is not specified in the configuration file for encryptionpolicy, the EncryptionPolicy defaults to EncryptionPolicy.RequireEncryption for the SslStream instance that is constructed.

The use of the Null cipher is required when the encryption policy is set to EncryptionPolicy.NoEncryption.


The Framework caches SSL sessions as they are created and attempts to reuse a cached session for a new request, if possible. When attempting to reuse an SSL session, the Framework uses the first element of HttpWebRequest.ClientCertificates (if there is one), or tries to reuse an anonymous session if HttpWebRequest.ClientCertificates is empty.


The Framework attempts to reuse an SSL session only if a client certificate is not required.

The following code example demonstrates calling this constructor. This example is part of a larger example provided for the SslStream class.

// Server name must match the host name and the name on the host's certificate. 
serverName = args[0];
// Create a TCP/IP client socket.
TcpClient client = new TcpClient(serverName,80);
Console.WriteLine("Client connected.");
// Create an SSL stream that will close the client's stream.
SslStream sslStream = new SslStream(
    client.GetStream(),   // inner stream used for sending and receiving data
    false,                // leaveInnerStreamOpen: closing sslStream also closes the inner stream
    new RemoteCertificateValidationCallback (ValidateServerCertificate), 
    new LocalCertificateSelectionCallback(SelectLocalCertificate)
    );
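
The remarks above say the validation delegate's return value decides whether authentication succeeds and that the negotiated protocol and cipher can be checked inside it. The following is an added example, not part of the original documentation sample, showing both callbacks written to fail closed. The class name, the MinProtocol and MinCipherBits thresholds, and port 443 are assumptions made for illustration.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class StrictTlsClient
{
    // Assumed policy floor for this example: TLS 1.2 and a 128-bit cipher.
    const SslProtocols MinProtocol = SslProtocols.Tls12;
    const int MinCipherBits = 128;

    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Fail closed on any name mismatch, chain error or missing certificate.
        if (sslPolicyErrors != SslPolicyErrors.None)
            return false;
        // Protocol and cipher are already negotiated here, so the floor can be
        // enforced. sender is expected to be the SslStream doing the handshake.
        SslStream ssl = sender as SslStream;
        if (ssl == null)
            return false;
        // SslProtocols flag values increase with protocol version.
        return (int)ssl.SslProtocol >= (int)MinProtocol
            && ssl.CipherStrength >= MinCipherBits;
    }

    static X509Certificate SelectLocalCertificate(object sender, string targetHost,
        X509CertificateCollection localCertificates, X509Certificate remoteCertificate,
        string[] acceptableIssuers)
    {
        // Offer only a certificate whose issuer the server named as acceptable.
        if (localCertificates != null && acceptableIssuers != null)
            foreach (X509Certificate cert in localCertificates)
                if (Array.IndexOf(acceptableIssuers, cert.Issuer) >= 0)
                    return cert;
        return null; // no matching certificate: offer none
    }

    static void Main(string[] args)
    {
        string serverName = args[0]; // must match the name on the server certificate
        using (TcpClient client = new TcpClient(serverName, 443)) // port is an assumption
        using (SslStream ssl = new SslStream(client.GetStream(), false,
                   ValidateServerCertificate, SelectLocalCertificate))
        {
            ssl.AuthenticateAsClient(serverName); // throws AuthenticationException if rejected
            Console.WriteLine("{0}, {1}-bit cipher", ssl.SslProtocol, ssl.CipherStrength);
        }
    }
}
```

A validation callback that returns true without inspecting sslPolicyErrors accepts any certificate, so the early return on a non-None value is the part to keep when adapting this.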

.NET Framework
Available since 2.0