Allowing Untrusted SSL Certificates with HttpClient

Question

I m struggling to get my Windows 8 application to communicate with my test web API over SSL   It seems that HttpClient HttpClientHandler does not provide and option to ignore untrusted certificates like WebRequest enables you to  albeit in a  hacky  way with ServerCertificateValidationCallback    Any help would be much appreciated

User · Answer

Most answers here suggest to use the typical pattern:

using (var httpClient = new HttpClient())
{
 // do something
}

because of the IDisposable interface. Please don't!

Microsoft tells you why:

And here you can find a detailed analysis whats going on behind the scenes: You're using HttpClient wrong and it is destabilizing your software

Regarding your SSL question and based on Improper Instantiation antipattern # How to fix the problem

Here is your pattern:

class HttpInterface
{
 // https://docs.microsoft.com/en-us/azure/architecture/antipatterns/improper-instantiation/#how-to-fix-the-problem
 // https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient#remarks
 private static readonly HttpClient client;

 // static initialize
 static HttpInterface()
 {
  // choose one of these depending on your framework
  
  // HttpClientHandler is an HttpMessageHandler with a common set of properties
  var handler = new HttpClientHandler()
  {
      ServerCertificateCustomValidationCallback = delegate { return true; },
  };
  // derives from HttpClientHandler but adds properties that generally only are available on full .NET
  var handler = new WebRequestHandler()
  {
      ServerCertificateValidationCallback = delegate { return true; },
      ServerCertificateCustomValidationCallback = delegate { return true; },
  };

  client = new HttpClient(handler);
 }
 
 .....
 
 // in your code use the static client to do your stuff
 var jsonEncoded = new StringContent(someJsonString, Encoding.UTF8, "application/json");

 // here in sync
 using (HttpResponseMessage resultMsg = client.PostAsync(someRequestUrl, jsonEncoded).Result)
 {
  using (HttpContent respContent = resultMsg.Content)
  {
   return respContent.ReadAsStringAsync().Result;
  }
 }
}

User · Answer

If you re attempting to do this in a  NET Standard library  here s a simple solution  with all of the risks of just returning true in your handler  I leave safety up to you   var handler   new HttpClientHandler    handler ClientCertificateOptions   ClientCertificateOption Manual  handler ServerCertificateCustomValidationCallback         httpRequestMessage  cert  cetChain  policyErrors    gt        return true      var client   new HttpClient handler

User · Answer

For Xamarin Android this was the only solution that worked for me  another stack overflow post If you are using AndroidClientHandler  you need to supply a SSLSocketFactory and a custom implementation of HostnameVerifier with all checks disabled  To do this  you   ll need to  subclass AndroidClientHandler and override the appropriate methods  internal class BypassHostnameVerifier   Java Lang Object  IHostnameVerifier       public bool Verify string hostname  ISSLSession session                return true            internal class InsecureAndroidClientHandler   AndroidClientHandler       protected override SSLSocketFactory ConfigureCustomSSLSocketFactory HttpsURLConnection connection                return SSLCertificateSocketFactory GetInsecure 1000  null               protected override IHostnameVerifier GetSSLHostnameVerifier HttpsURLConnection connection                return new BypassHostnameVerifier             And then var httpClient   new System Net Http HttpClient new InsecureAndroidClientHandler

User · Answer

I found an example online which seems to work well   First you create a new ICertificatePolicy  using System Security Cryptography X509Certificates  using System Net   public class MyPolicy   ICertificatePolicy     public bool CheckValidationResult ServicePoint srvPoint  X509Certificate certificate  WebRequest request   int certificateProblem            Return True to force the certificate to be accepted      return true          Then just use this prior to sending your http request like so   System Net ServicePointManager CertificatePolicy   new MyPolicy      http   www terminally-incoherent com blog 2008 05 05 send-a-https-post-request-with-c

User · Answer

Or you can use for the HttpClient in the Windows Web Http namespace   var filter   new HttpBaseProtocolFilter     if DEBUG     filter IgnorableServerCertificateErrors Add ChainValidationResult Expired       filter IgnorableServerCertificateErrors Add ChainValidationResult Untrusted       filter IgnorableServerCertificateErrors Add ChainValidationResult InvalidName    endif using  var httpClient   new HttpClient filter

User · Answer

I found an example in this Kubernetes client where they were using X509VerificationFlags AllowUnknownCertificateAuthority to trust self-signed self-signed root certificates  I slightly reworked their example to work with our own PEM encoded root certificates  Hopefully this helps someone   namespace Utils     using System    using System Collections Generic    using System Linq    using System Net Security    using System Security Cryptography X509Certificates          lt summary gt        Verifies that specific self signed root certificates are trusted         lt  summary gt    public class HttpClientHandler   System Net Http HttpClientHandler              lt summary gt          Initializes a new instance of the  lt see cref  HttpClientHandler   gt  class           lt  summary gt           lt param name  pemRootCerts  gt The PEM encoded root certificates to trust  lt  param gt      public HttpClientHandler IEnumerable lt string gt  pemRootCerts              foreach  var pemRootCert in pemRootCerts                  var text   pemRootCert Trim            text   text Replace  -----BEGIN CERTIFICATE-----   string Empty           text   text Replace  -----END CERTIFICATE-----   string Empty           this rootCerts Add new X509Certificate2 Convert FromBase64String text                    this ServerCertificateCustomValidationCallback   this VerifyServerCertificate             private bool VerifyServerCertificate        object sender        X509Certificate certificate        X509Chain chain        SslPolicyErrors sslPolicyErrors                 If the certificate is a valid  signed certificate  return true        if  sslPolicyErrors    SslPolicyErrors None                  return true                    If there are errors in the certificate chain  look at each error to determine the cause        if   sslPolicyErrors  amp  SslPolicyErrors RemoteCertificateChainErrors     0                  chain ChainPolicy RevocationMode   X509RevocationMode NoCheck              add all your extra certificate chain         foreach  var rootCert in this rootCerts                      chain ChainPolicy ExtraStore Add rootCert                      chain ChainPolicy VerificationFlags   X509VerificationFlags AllowUnknownCertificateAuthority          var isValid   chain Build  X509Certificate2 certificate            var rootCertActual   chain ChainElements chain ChainElements Count - 1  Certificate          var rootCertExpected   this rootCerts this rootCerts Count - 1           isValid   isValid  amp  amp  rootCertActual RawData SequenceEqual rootCertExpected RawData            return isValid                    In all other cases  return false        return false             private readonly IList lt X509Certificate2 gt  rootCerts   new List lt X509Certificate2 gt

User · Answer

I don t have an answer  but I do have an alternative    If you use Fiddler2 to monitor traffic AND enable HTTPS Decryption  your development environment will not complain  This will not work on WinRT devices  such as Microsoft Surface  because you cannot install standard apps on them  But your development Win8 computer will be fine   To enable HTTPS encryption in Fiddler2  go to Tools   Fiddler Options   HTTPS  Tab    Check  Decrypt HTTPS Traffic    I m going to keep my eye on this thread hoping for someone to have an elegant solution

User · Answer

A quick and dirty solution is to use the ServicePointManager ServerCertificateValidationCallback delegate  This allows you to provide your own certificate validation  The validation is applied globally across the whole App Domain  ServicePointManager ServerCertificateValidationCallback         sender  cert  chain  sslPolicyErrors    gt  true   I use this mainly for unit testing in situations where I want to run against an endpoint that I am hosting in process and am trying to hit it with a WCF client or the HttpClient  For production code you may want more fine grained control and would be better off using the WebRequestHandler and its ServerCertificateValidationCallback delegate property  See dtb s answer below   Or ctacke answer using the HttpClientHandler  I am preferring either of these two now even with my integration tests over how I used to do it unless I cannot find any other hook

User · Answer

With Windows 8 1  you can now trust invalid SSL certs  You have to either use the Windows Web HttpClient or if you want to use the System Net Http HttpClient  you can use the message handler adapter I wrote  http   www nuget org packages WinRtHttpClientHandler  Docs are on the GitHub  https   github com onovotny WinRtHttpClientHandler

User · Answer

If this is for a Windows Runtime application  then you have to add the self-signed certificate to the project and reference it in the appxmanifest   The docs are here  http   msdn microsoft com en-us library windows apps hh465031 aspx  Same thing if it s from a CA that s not trusted  like a private CA that the machine itself doesn t trust  -- you need to get the CA s public cert  add it as content to the app then add it to the manifest   Once that s done  the app will see it as a correctly signed cert

User · Answer

If you are using System Net Http HttpClient I believe correct pattern is   var handler   new HttpClientHandler           ServerCertificateCustomValidationCallback   HttpClientHandler DangerousAcceptAnyServerCertificateValidator     var http   new HttpClient handler   var res   http GetAsync url

User · Answer

Have a look at the WebRequestHandler Class and its ServerCertificateValidationCallback Property   using  var handler   new WebRequestHandler          handler ServerCertificateValidationCallback            using  var client   new HttpClient handler

[c#] Allowing Untrusted SSL Certificates with HttpClient

Examples related to c#

Examples related to .net

Examples related to windows-8

Examples related to windows-runtime