Looks like .NET 3.0/3.5 has updated functionality to allow setting certificate policies. In fact I noticed that the old mechanism I showed in an earlier post has been marked as obsolete, but there's a nicer replacement mechanism available now.

I frequently use Certificate policy to disable certificate validation while testing SSL requests. In more than a few scenarios I've ended up trying to call test Web services that are secured with expired or otherwise invalid certs and it can be useful - for testing purposes at least - to bypass these certificates.

Another scenario where this comes up is for tracing SSL requests. I tend to use Fiddler most of the time but it doesn't do well with SSL, so I use Charles when it comes to SSL requests. Charles interjects into requests with its own local certificate and then forwards the original request data to the actual Web Server. This tends to work with browser requests, but usually fails with WCF/Web Services and HttpWebRequest. WinInet had flags for turning off various kinds of failure - in .NET the solution in the past has been to provide a specific CertificatePolicy class implementation and point at this class from the ServicePointManager object.

The concept's still the same in .NET 3.5 as in the above post - you provide a custom policy, but rather than having to create a new class you can now simply implement a delegate callback. If you use an anonymous delegate the code becomes quite simple and, more importantly, self-contained, so no external classes are required:

    // Namespaces used: System.Net, System.Net.Security,
    // System.Security.Cryptography.X509Certificates
    // *** Allow acceptance of all certificates (test/debug use only)
    if (this.IngoreCertificateErrors)
        ServicePointManager.ServerCertificateValidationCallback +=
            delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
            { return true; };

Of course you can be a little more selective in the body of the callback, but for simply accepting any cert in a debug environment the above will work.

As mentioned in the previous post, ServicePointManager is a process-wide static object, so changing a setting here affects any other requests in the application or, maybe more importantly, any subsequent ones. I haven't found a way to do this on the active connection only, which seems kind of a drag... So be careful setting the certificate policy and make sure you actually want to affect it process-wide, or else reset the policy when done with the service or HTTP client call.
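A more selective callback that is also reset when the call is done, as an added example (not code from the original post): it accepts an invalid certificate only for one test host and one expected thumbprint, and restores the previous callback on Dispose. The class name, host name and thumbprint are hypothetical placeholders, and the setting is still process-wide while the scope is open.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not a framework type.
public sealed class ScopedTestCertificatePolicy : IDisposable
{
    private readonly RemoteCertificateValidationCallback previous;
    private readonly string host;
    private readonly string thumbprint;

    public ScopedTestCertificatePolicy(string testHost, string expectedThumbprint)
    {
        host = testHost;
        thumbprint = expectedThumbprint;
        // Remember whatever was installed so Dispose can put it back.
        previous = ServicePointManager.ServerCertificateValidationCallback;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    private bool Validate(object sender, X509Certificate certificate,
                          X509Chain chain, SslPolicyErrors errors)
    {
        // sender is either the originating request or a host name string.
        HttpWebRequest request = sender as HttpWebRequest;
        string target = request != null ? request.RequestUri.Host : sender as string;

        // Relax validation only for the named test host presenting the expected cert.
        if (certificate != null &&
            string.Equals(target, host, StringComparison.OrdinalIgnoreCase) &&
            string.Equals(new X509Certificate2(certificate).Thumbprint,
                          thumbprint, StringComparison.OrdinalIgnoreCase))
            return true;

        // Everything else gets the previous callback, or the default rule.
        return previous != null
            ? previous(sender, certificate, chain, errors)
            : errors == SslPolicyErrors.None;
    }

    public void Dispose()
    {
        ServicePointManager.ServerCertificateValidationCallback = previous;
    }
}

// Usage (constructed values):
// using (new ScopedTestCertificatePolicy("test.example.com", "<TEST-CERT-THUMBPRINT>"))
// {
//     // call the test service here
// }
```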