How to ignore the certificate check when ssl

Question

I am trying find a way to ignore the certificate check when request a Https resource  so far  I found some helpful article in internet    But I still have some problem  Please review my code  I just don t understand what does the code ServicePointManager ServerCertificateValidationCallback mean   When will this delegate method be called  And one more question  in which place should I write this code  Before ServicePointManager ServerCertificateValidationCallback execute or before Stream stream   request GetRequestStream      public HttpWebRequest GetRequest         CookieContainer cookieContainer   new CookieContainer            Create a request to the server     HttpWebRequest request    HttpWebRequest WebRequest Create  remoteUrl         region Set request parameters      request Method    context Request HttpMethod      request UserAgent    context Request UserAgent      request KeepAlive   true      request CookieContainer   cookieContainer      request PreAuthenticate   true      request AllowAutoRedirect   false        endregion         For POST  write the post data extracted from the incoming request     if  request Method     POST                 Stream clientStream    context Request InputStream          request ContentType    context Request ContentType          request ContentLength   clientStream Length           ServicePointManager ServerCertificateValidationCallback   delegate              Object obj  X509Certificate certificate  X509Chain chain               SslPolicyErrors errors                                return  true                               Stream stream   request GetRequestStream                                                       return request

User · Answer

Tip  You can also use this method to track certificates that are due to expire soon  This can save your bacon if you discover a cert that is about to expire and can get it fixed in time  Good also for third party companies - for us this is DHL   FedEx  DHL just let a cert expire which is screwing us up 3 days before Thanksgiving  Fortunately I m around to fix it     this time       private static DateTime   nextCertWarning      private static bool ValidateRemoteCertificate object sender  X509Certificate cert  X509Chain chain  SslPolicyErrors error                if  error    SslPolicyErrors None                        var cert2   cert as X509Certificate2              if  cert2    null                                    If cert expires within 2 days send an alert every 2 hours                 if  cert2 NotAfter AddDays -2   lt  DateTime Now                                        if   nextCertWarning    null     nextCertWarning  lt  DateTime Now                                                 nextCertWarning   DateTime Now AddHours 2                            ProwlUtil StepReached  CERT EXPIRING WITHIN 2 DAYS     cert  cert GetCertHashString          this is my own function                                                                    return true                    else                       switch  cert GetCertHashString                                     Machine certs - SELF SIGNED                 case  066CF9CAD814DE2097D367F22D3A7E398B87C4D6                            return true                   default                      ProwlUtil StepReached  UNTRUSTED CERT     cert  cert GetCertHashString                         return false

User · Answer

For  net core  using  var handler   new HttpClientHandler              allow the bad certificate     handler ServerCertificateCustomValidationCallback    request  cert  chain  errors    gt  true      using  var httpClient   new HttpClient handler                 await httpClient PostAsync  the url   null

User · Answer

Unity C  Version of this solution   void Awake         System Net ServicePointManager ServerCertificateValidationCallback    ValidateCertification     void OnDestroy         ServerCertificateValidationCallback   null     public static bool ValidateCertification object sender  X509Certificate certificate  X509Chain chain  System Net Security SslPolicyErrors sslPolicyErrors        return true

User · Answer

Several answers above work  I wanted an approach that I did not have to keep making code changes and did not make my code unsecure  Hence I created a whitelist  Whitelist can be maintained in any datastore  I used config file since it is a very small list   My code is below   ServicePointManager ServerCertificateValidationCallback     sender  cert  chain  error    gt        return error    System Net Security SslPolicyErrors None    certificateWhitelist Contains cert GetCertHashString

User · Answer

Just incidentally  this is a the least verbose way of turning off all certificate validation in a given app that I know of   ServicePointManager ServerCertificateValidationCallback    a  b  c  d    gt  true

User · Answer

Also there is the short delegate solution   ServicePointManager ServerCertificateValidationCallback   delegate   return true

User · Answer

Rather than adding a callback to ServicePointManager which will override certificate validation globally  you can set the callback on a local instance of HttpClient  This approach should only affect calls made using that instance of HttpClient   Here is sample code showing how ignoring certificate validation errors for specific servers might be implemented in a Web API controller   using System Net Http  using System Net Security  using System Security Cryptography X509Certificates   public class MyController   ApiController           use this HttpClient instance when making calls that need cert errors suppressed     private static readonly HttpClient httpClient       static MyController                    create a separate handler for use in this controller         var handler   new HttpClientHandler                add a custom certificate validation callback to the handler         handler ServerCertificateCustomValidationCallback     sender  cert  chain  errors    gt  ValidateCert sender  cert  chain  errors                create an HttpClient that will use the handler         httpClient   new HttpClient handler              protected static ValidateCert object sender  X509Certificate cert  X509Chain chain  SslPolicyErrors errors                    set a list of servers for which cert validation errors will be ignored         var overrideCerts   new string                          myproblemserver                someotherserver                localhost                         if the server is in the override list  then ignore any validation errors         var serverName   cert Subject ToLower            if  overrideCerts Any overrideName   gt  serverName Contains overrideName    return true              otherwise use the standard validation results         return errors    SslPolicyErrors None

User · Answer

Since there is only one global ServicePointManager  setting ServicePointManager ServerCertificateValidationCallback will yield the result that all subsequent requests will inherit this policy  Since it is a global  setting  it would be prefered to set it in the Application Start method in Global asax   Setting the callback overrides the default behaviour and you can yourself create a custom validation routine

User · Answer

Based on Adam s answer and Rob s comment I used this   ServicePointManager ServerCertificateValidationCallback     sender  certificate  chain  sslPolicyErrors    gt  certificate Issuer     CN localhost     which filters the  ignoring  somewhat  Other issuers can be added as required of course  This was tested in  NET 2 0 as we need to support some legacy code

User · Answer

For anyone interested in applying this solution on a per request basis  this is an option and uses a Lambda expression  The same Lambda expression can be applied to the global filter mentioned by blak3r  as well  This method appears to require  NET 4 5   String url    https   www stackoverflow com   HttpWebRequest request   HttpWebRequest CreateHttp url   request ServerCertificateValidationCallback     sender  certificate  chain  sslPolicyErrors    gt  true    In  NET 4 0  the Lambda Expression can be applied to the global filter as such  ServicePointManager ServerCertificateValidationCallback     sender  certificate  chain  sslPolicyErrors    gt  true

User · Answer

Expressed explicitly      ServicePointManager ServerCertificateValidationCallback    new System Net Security RemoteCertificateValidationCallback CertCheck    private static bool CertCheck object sender  X509Certificate cert  X509Chain chain  System Net Security SslPolicyErrors error        return true

User · Answer

Mention has been made that before  NET 4 5 the property on the request to access its ServicePointManager was not available   Here is  NET 4 0 code that will give you access to the ServicePoint on a per-request basis  It doesn t give you access to the per-request callback  but it should let you find out more details about the problem  Just access the scvPoint Certificate  or ClientCertificate if you prefer  properties   WebRequest request   WebRequest Create uri       oddity  these two  Address values are not necessarily the same      The service point appears to be related to the  Host  not the Uri itself      So  check the  Host vlaues before fussing in the debugger     ServicePoint svcPoint   ServicePointManager FindServicePoint uri   if  null    svcPoint        if   request RequestUri Host Equals svcPoint Address Host  StringComparison OrdinalIgnoreCase                 Debug WriteLine   Address                     request RequestUri ToString             Debug WriteLine   ServicePoint Address        svcPoint Address ToString               Debug WriteLine   IssuerName                  svcPoint Certificate GetIssuerName

User · Answer

Adding to Sani s and blak3r s answers  I ve added the following to the startup code for my application  but in VB       Overriding the certificate validation check  Net ServicePointManager ServerCertificateValidationCallback   Function sender  certificate  chain  sslPolicyErrors  True   Seems to do the trick

User · Answer

CA5386   Vulnerability analysis tools will alert you to these codes   Correct code    ServicePointManager ServerCertificateValidationCallback     sender  certificate  chain  sslPolicyErrors    gt       return  sslPolicyErrors  amp  SslPolicyErrors RemoteCertificateNotAvailable     SslPolicyErrors RemoteCertificateNotAvailable

User · Answer

This worked for me   System Net ServicePointManager ServerCertificateValidationCallback    delegate object sender  System Security Cryptography X509Certificates X509Certificate certificate                          System Security Cryptography X509Certificates X509Chain chain                          System Net Security SslPolicyErrors sslPolicyErrors                return true          Always accept          Snippet from here  http   www west-wind com weblog posts 2011 Feb 11 HttpWebRequest-and-Ignoring-SSL-Certificate-Errors

[c#] How to ignore the certificate check when ssl

Examples related to c#

Examples related to ssl

Examples related to httpwebrequest

Examples related to certificate