Improve the exception message in case of certificate name mismatch

[0xced]

Before this commit, the message was:

An error occurred while attempting to establish an SSL or TLS connection.

The host name did not match the name given in the server's SSL certificate.

After this commit, the message becomes:

An error occurred while attempting to establish an SSL or TLS connection.

The host name (smtp.contoso.com) did not match any of the names given in the server's SSL certificate:
• *.mail.eo.outlook.com
• *.mail.protection.outlook.com
• *.mail.protection.outlook.de
• *.olc.protection.outlook.com
• *.pamx1.hotmail.com
• mail.messaging.microsoft.com
• mail.protection.outlook.com
• outlook.com

Providing all the certificate subject alternative names directly in the error message will greatly help diagnosing certificate name mismatch issues.

It would have helped me to understand that smtp.contoso.com is an alias for contoso-com.mail.protection.outlook.com and that using the latter instead of the former solves the connection issue.

[jstedfast]

I like the idea, but I'm a bit uncomfortable with copying code from StackOverflow since code on StackOverflow is not licensed and that could end up being a potential legal problem.

The other problem is that the Asn1 APIs are only available for >= NET 5.0 which means that this patch will break the build for .NET Framework 4.x.

I'll look at ways of accomplishing the same thing but I can't use this patch as-is.

[0xced]

The Asn1 APIs are available through the System.Formats.Asn1 NuGet package for .NET Framework 4.x. I have added the package reference in the csproj:

<ItemGroup Condition=" $(TargetFramework.StartsWith('net4')) Or '$(TargetFramework)' == 'netstandard2.0' ">
  <PackageReference Include="System.Formats.Asn1" Version="7.0.0" />
  <PackageReference Include="System.Threading.Tasks.Extensions" Version="4.5.4" />
</ItemGroup>

About the licensing of StackOverflow content, it seems it's available under Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) but I am not a lawyer.

I used it to understand how to use the AsnReader class because the official documentation lacks any example. 🙄

Also, @skrysmanski, the author of the sample AsnReader code is also on GitHub so maybe he could give his consent. Bug again, I am not a lawyer.

[skrysmanski]

Instead of linking to my StackOverflow answer, you could link to this file (which is basically the same code):

https://github.com/skrysmanski/AppMotor/blob/main/src/AppMotor.Core/Certificates/SanExtensionHelpers.cs

This file is licensed under MIT license which should be easier to use.

Also, I don't have a problem with you using this code :)

[jstedfast]

@skrysmanski Thanks for chiming in and licensing this code under MIT (same as MimeKit/MailKit)!

[jstedfast]

I modified the patch a bit, mostly for formatting and to give attribution to Sebastian and the link he provided to use instead of the StackOverflow link.

Thanks again for the patch, this was a really nice idea to help improve the SslHandshakeException diagnostics message!

[0xced]

Awesome, it will be much easier to diagnose future connection errors next year when I won't remember to use the non-alias smtp host. 😁

I had picked version 7.0.0 of System.Formats.Asn1 instead of version 6.0.0 because v7 targets net462, exactly like MailKit but I really never know what version of those NuGet System.* package to choose. 😕

[jstedfast]

Don't worry, neither do I. I went with 6.0.0 because that's the version I'm using for everything else.

I'm not sure if I should target 7.0.0 or not.

I've been assuming 6.0.0 coincides with net6.0 but I'm not sure.