c# - Is it safe to test the X509Certificate.Thumbprint property when you know an invalid certificate is safe?

Question

I'm attempting to send emails programmatically using SmtpClient.Send. I am currently getting an AuthenticationException when attempting to send the email. This is because of the certificate validation procedure failing.

I know that the certificate is the correct one, but I also understand that it's not secure to trust all certificates much like the suggestions of doing this:

ServicePointManager.ServerCertificateValidationCallback += 
     (sender, certificate, chain, sslPolicyErrors) => { return true; };

So I was wondering if testing the Thumbprint for a known valid certificate thumbprint is secure enough, like so:

ServicePointManager.ServerCertificateValidationCallback +=
     (sender, certificate, chain, sslPolicyErrors) =>
     {
         if (sslPolicyErrors == SslPolicyErrors.None)
             return true;
         else if (certificate.GetCertHashString().Equals("B1248012B10248012B"))
             return true;

         return false;
     };

Answer 1

Yes.

The thumbprint is a SHA1 hash of the certificate, and while not absolutely impossible, is extremely difficult to forge.

In technical terms, there are currently no known feasable second-preimage attacks on SHA1.

However, if in any doubt, you may store the whole certificate, perhaps using the fingerprint as a key. Then you can compare the whole certificate against your stored, trusted certificate.