Ignoring SSL Certificate errors programmatically

Sometimes you need to access a web-based application (web site, web service, it doesn’t matter which) that sits behind an SSL-secured connection. Because SSL certificates signed by globally and system-wide accepted players are a bit expensive, it is not unusual to create such certificates on your own, which is indeed safe too, but computer systems all over the world aren’t able to recognize that, because they don’t know you as a certificate creator. As a result, people accessing your SSL-secured content see browser warnings that there seems to be a problem with the SSL certificate. If you are accessing such content manually using a browser, you can just click „accept that shit anyway“ and your browser moves you directly to the content.

Using .NET the situation is a bit harder. Normally, when you try to access content over HTTPS (i.e. SSL) connections and there is at least one problem with the connection or the certificate, your web request will fail and raise a System.Net.WebException with an inner exception pointing to the root problem. So you have to find a way to ignore incorrect SSL certificates for your requests programmatically, and this is of course possible. Just one hint: don’t do that generally. Secured connections are important for security infrastructures, so you should be able to rely on what you use and receive and, of course, on what you send over such APIs. Only ignore certificate errors for API servers you know exactly and where you know that the certificates are okay, just not signed by Verisign or the like.

First you need to include some namespaces, if you haven’t done that yet.

using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

Custom validation is done in a callback function which is defined as the event handler for a special event (we will have a look at that soon). So you need that callback function:

// Callback used to validate the certificate in an SSL conversation
private bool ValidateRemoteCertificate(object sender, X509Certificate certificate, 
    X509Chain chain, SslPolicyErrors policyErrors)
{
    return IgnoreSslErrors || policyErrors == SslPolicyErrors.None;
}

I defined a boolean member called „IgnoreSslErrors“ in my web access wrapper class, which is used in the callback function. If it is set to true, an invalid certificate will be ignored; otherwise the certificate needs to be valid. Do not change the signature of the method, because it will be used as an event handler.

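In the block where you create the HttpWebRequest instance, just make the following definition. Note that ServicePointManager is static, so the callback applies to every HttpWebRequest in the application domain, not only to this request: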

ServicePointManager.ServerCertificateValidationCallback += 
    ValidateRemoteCertificate;

That’s it.
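As an added example (not code from the original post): a stricter variant of the callback that accepts an untrusted certificate only when its SHA-256 fingerprint matches a value pinned in advance, attached to a single request. The class and member names are hypothetical, the fingerprint and URL in the usage comment are placeholders, and the per-request ServerCertificateValidationCallback property assumes .NET Framework 4.5 or later.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: PinnedCertificateValidator and its members are hypothetical names.
public sealed class PinnedCertificateValidator
{
    private readonly string _pinnedSha256; // hex SHA-256 of the server certificate (DER)

    public PinnedCertificateValidator(string pinnedSha256Hex)
    {
        // Tolerate the common "AA:BB:..." and "AA BB ..." fingerprint notations.
        _pinnedSha256 = pinnedSha256Hex.Replace(":", "").Replace(" ", "");
    }

    // Same signature as the callback above, so it fits RemoteCertificateValidationCallback.
    public bool Validate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors policyErrors)
    {
        // A certificate that validates normally needs no exception.
        if (policyErrors == SslPolicyErrors.None) return true;
        // No certificate presented: nothing to compare, so reject.
        if (certificate == null) return false;

        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(certificate.GetRawCertData());
            string actual = BitConverter.ToString(hash).Replace("-", "");
            // Accept the untrusted certificate only if it is exactly the pinned one.
            return string.Equals(actual, _pinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Attach the check to one request instead of ServicePointManager.
    public HttpWebRequest CreateRequest(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.ServerCertificateValidationCallback = Validate;
        return request;
    }
}

// Usage (placeholder values):
// var validator = new PinnedCertificateValidator("<SHA-256 fingerprint of your certificate>");
// var request = validator.CreateRequest("https://api.example.internal/");
```

When the self-signed certificate is renewed, the pinned fingerprint has to be updated as well, otherwise requests fail with the same WebException as before.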
