HttpWebRequest and Ignoring SSL Certificate Errors
Man I can't believe this. I'm still mucking around with OFX servers and it drives me absolutely crazy how some these servers are just so unbelievably misconfigured. I've recently hit three different 3 major brokerages which fail HTTP validation with bad or corrupt certificates at least according to the .NET WebRequest class. What's somewhat odd here though is that WinInet seems to find no issue with these servers - it's only .NET's Http client that's ultra finicky.
So the question then becomes how do you tell HttpWebRequest to ignore certificate errors? In WinInet there used to be a host of flags to do this, but it's not quite so easy with WebRequest.
Basically you need to configure the CertificatePolicy on the ServicePointManager by creating a custom policy. Not exactly trivial. Here's the code to hook it up:
public bool CreateWebRequestObject(string Url)
{ try {this.WebRequest = (HttpWebRequest) System.Net.WebRequest.Create(Url);
if (this.IgnoreCertificateErrors)
ServicePointManager.CertificatePolicy = delegate { return true; };
}
One thing to watch out for is that this an application global setting. There's one global ServicePointManager and once you set this value any subsequent requests will inherit this policy as well, which may or may not be what you want. So it's probably a good idea to set the policy when the app starts and leave it be - otherwise you may run into odd behavior in some situations especially in multi-thread situations.
Another way to deal with this is in you application .config file.
<configuration>
<system.net>
<settings>
<servicePointManager
checkCertificateName="false"
checkCertificateRevocationList="false"
/>
</settings>
</system.net>
</configuration>
This seems to work most of the time, although I've seen some situations where it doesn't, but where the code implementation works which is frustrating. The .config settings aren't as inclusive as the programmatic code that can ignore any and all cert errors - shrug.
Anyway, the code approach got me past the stopper issue. It still amazes me that theses OFX servers even require this. After all this is financial data we're talking about here. The last thing I want to do is disable extra checks on the certificates. Well I guess I shouldn't be surprised - these are the same companies that apparently don't believe in XML enough to generate valid XML (or even valid SGML for that matter)...
The Voices of Reason
# re: HttpWebRequest and Ignoring SSL Certificate Errors
I know this is old, but I wrote my own endpoint manager, that way I can call it and tell it to ignore cert errors for a specific url. The callback delegate will then run through that cached dictionary to see if it needs to ignore a cert error or not for the specific url. That seemed safer for me. Since all my Http calls go through a helper for that (part of its code probably came from your stuff), I have an endpoint definition that is passed in, which includes a flag on whether to ignore cert errors for that endpoint. It has worked very well, important to keep in mind multiple threads in the manager though, since we do 200 transactions per second.
# re: HttpWebRequest and Ignoring SSL Certificate Errors
I realize the post is old... but not finding any real good solutions yet...
my domain jeffersonvaughn.com is hosting a website in which I am running a .net core 3.1 application that executes a POST method HTTP request to server jvaughn1.powerbunker.com
I have generated a certificate on the jvaughn1.powerbunker.com server and have exported to a .pfx file in which I'm using in my .net application.
this http api request along with this .pfx file works when using Postman.
When my .net application makes the request I get...
An unhandled exception occurred while processing the request.
AuthenticationException: The remote certificate is invalid according to the validation procedure.
System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
HttpRequestException: The SSL connection could not be established, see inner exception.
System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
my .net code looks like this...
startup...
var cert = new X509Certificate2(@"C:\Users\jeffe\Desktop\Corei Solutions\products\core-i_rst\Apache HTTP_SSL\jvaughn1.powerbunker.com.pfx"
, "corei");
var handler = new HttpClientHandler()
{
SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls
};
handler.ClientCertificates.Add(cert);
services.AddHttpClient("coreiClient", c =>
{
}).ConfigurePrimaryHttpMessageHandler(() => handler);
// handles issue with non-trusted certs...
ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };
controller...
var request = new HttpRequestMessage
{
Method = HttpMethod.Post,
//RequestUri = new Uri(Url + jsonRequest),
RequestUri = new Uri(g_Url),
Content = new StringContent(jsonRequest, System.Text.Encoding.Default, "text/plain"),
};
// for certificate authentication...
var client = _clientFactory.CreateClient("coreiClient");
client.DefaultRequestHeaders.Accept.Add(
new MediaTypeWithQualityHeaderValue("application/json"));
Is there ANY possible way you can help shed some light on this and save me from this nightmare I been trying to wake up from!!!??? 😃
# re: HttpWebRequest and Ignoring SSL Certificate Errors
Many Thanks
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
"The remote certificate is invalid according to validation procedure:" Pls help :(
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
trace and the socket is up but don't receive. I receive a Statuscode 200(OK). What's wrong?
Thanks in advance
# re: HttpWebRequest and Ignoring SSL Certificate Errors
System.Net.ServicePointManager.ServerCertificateValidationCallback +=
delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
return true; // **** Always accept
};http://mhinze.com/consuming-web-services-crafting-webrequests-using-ssl-where-the-cert-is-expired-or-otherwise-hosed/
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
I have run into situations where the SSL is not the problem but rather the authority name is limited to one domain. In the situation where the certificate simply needs to be altered to include alternate domain names (SubjectAlternativeDomain) would you not agree this is advisable over simply ignoring all SSL Certificate errors? I was under the impression you could not trap the error when a user navigates to a secure page of an unauthorized certificate domain name but a valid App Domain. I was trying to solve in code via the Application_BeginRequest method.
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
# re: HttpWebRequest and Ignoring SSL Certificate Errors
ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain,
sslPolicyErrors) => true);
# re: HttpWebRequest and Ignoring SSL Certificate Errors
ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };
# re: HttpWebRequest and Ignoring SSL Certificate Errors
This code requires .NET 4.5 or a later version.