
Rick Strahl's Web Log


HttpWebRequest and Ignoring SSL Certificate Errors


Man I can't believe this. I'm still mucking around with OFX servers and it drives me absolutely crazy how some of these servers are just so unbelievably misconfigured. I've recently hit three different major brokerages which fail HTTP validation with bad or corrupt certificates, at least according to the .NET WebRequest class. What's somewhat odd here though is that WinInet seems to find no issue with these servers - it's only .NET's Http client that's ultra finicky.

So the question then becomes how do you tell HttpWebRequest to ignore certificate errors? In WinInet there used to be a host of flags to do this, but it's not quite so easy with WebRequest.

Basically you need to configure the CertificatePolicy on the ServicePointManager by creating a custom policy. Not exactly trivial. Here's the code to hook it up:

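public bool CreateWebRequestObject(string Url)
{
    try
    {
        this.WebRequest = (HttpWebRequest) System.Net.WebRequest.Create(Url);

        // Accepts every server certificate, for the whole process. The delegate form belongs to
        // ServerCertificateValidationCallback; the obsolete CertificatePolicy property takes an
        // ICertificatePolicy object instead.
        if (this.IgnoreCertificateErrors)
            ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
    }
    catch (Exception)
    {
        return false;   // the URL could not be turned into a request
    }

    return true;
}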

One thing to watch out for is that this is an application global setting. There's one global ServicePointManager and once you set this value any subsequent requests will inherit this policy as well, which may or may not be what you want. So it's probably a good idea to set the policy when the app starts and leave it be - otherwise you may run into odd behavior in some situations, especially in multi-threaded situations.

Another way to deal with this is in your application .config file.

<configuration>
  <system.net>
    <settings>
      <servicePointManager
          checkCertificateName="false"
          checkCertificateRevocationList="false"
      />
    </settings>
  </system.net>
</configuration>


This seems to work most of the time, although I've seen some situations where it doesn't, but where the code implementation works which is frustrating. The .config settings aren't as inclusive as the programmatic code that can ignore any and all cert errors - shrug.

Anyway, the code approach got me past the stopper issue. It still amazes me that these OFX servers even require this. After all this is financial data we're talking about here. The last thing I want to do is disable extra checks on the certificates. Well I guess I shouldn't be surprised - these are the same companies that apparently don't believe in XML enough to generate valid XML (or even valid SGML for that matter)...
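
One way to keep the global hook from accepting everything, shown as an added example rather than code from the original post: the callback overrides a failed validation only for hosts registered in advance, and only when the server presents the exact certificate recorded for that host. The class name, `Allow`, and the host in the usage note are hypothetical, and it assumes the .NET Framework behavior where `sender` is the `HttpWebRequest`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical helper, not from the post): per-host certificate exceptions.
public static class ScopedCertificatePolicy
{
    // host name -> SHA-256 fingerprint (hex) of the one certificate tolerated for that host
    private static readonly ConcurrentDictionary<string, string> Pins =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public static void Allow(string host, string sha256Hex)
    {
        Pins[host] = sha256Hex.Replace(":", "").Replace(" ", "");
    }

    // Still a process-wide hook: install it once at application startup.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static string Fingerprint(X509Certificate certificate)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(certificate.GetRawCertData())).Replace("-", "");
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                        // the platform's own validation passed

        // Assumption: on .NET Framework the sender is the HttpWebRequest being validated.
        var request = sender as HttpWebRequest;
        if (request == null || certificate == null)
            return false;

        string pinned;
        if (!Pins.TryGetValue(request.Address.Host, out pinned))
            return false;                       // no exception registered for this host

        return string.Equals(Fingerprint(certificate), pinned, StringComparison.OrdinalIgnoreCase);
    }
}
```

Call `ScopedCertificatePolicy.Allow("ofx.example.com", fingerprint)` for each misconfigured server and `Install()` once at startup; every other host keeps normal validation, and a changed certificate on a registered host is rejected again.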

Posted in .NET  CSharp  HTTP  


Feedback for this Post

 
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by matt April 12, 2007 @ 7:59am
You can go another route

System.Net.ServicePointManager.ServerCertificateValidationCallback +=
    delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate,
                            System.Security.Cryptography.X509Certificates.X509Chain chain,
                            System.Net.Security.SslPolicyErrors sslPolicyErrors)
        {
            return true; // **** Always accept
        };




http://mhinze.com/consuming-web-services-crafting-webrequests-using-ssl-where-the-cert-is-expired-or-otherwise-hosed/
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Rick Strahl April 12, 2007 @ 1:47pm
Thanks Matt - I changed that last night actually seeing that the code I posted is flagged as deprecated <s>. Still has the same issue though in that it's globally tied to the ServicePointManager and so will affect all HTTP sessions.
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Aaron April 12, 2007 @ 3:30pm
I think you could check the Sender parameter. If it's your webservice class, invoke always true. If it's not, invoke the other policy delegate.
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Bob Wohler April 24, 2007 @ 11:21am
Is there a way to configure this using web.config?
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Richard Norris November 16, 2007 @ 9:04am
This is great, although I agree rather awkward compared to native WinInet APIs. The classes to implement do not seem to exist in .NETCF2.0. Does anyone know the equivalent code in .NETCF?

Many Thanks
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Seth January 26, 2008 @ 3:43pm
This is great for always ignoring the cert errors but what if I want to trap or log specific errors? What if I want to ignore an expired cert but do NOT want to ignore a cert where the cert is malformed (fer instance)?
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Rick Strahl January 27, 2008 @ 12:32am
That's what the actual method is for. You can look at the messages and log if you find a cert error.
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by maila July 04, 2008 @ 12:21am
Thanks, I resolved my problem using this code.
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by John Leger November 14, 2008 @ 8:43pm
Rick,

I have run into situations where the SSL is not the problem but rather the authority name is limited to one domain. In the situation where the certificate simply needs to be altered to include alternate domain names (SubjectAlternativeDomain) would you not agree this is advisable over simply ignoring all SSL Certificate errors? I was under the impression you could not trap the error when a user navigates to a secure page of an unauthorized certificate domain name but a valid App Domain. I was trying to solve in code via the Application_BeginRequest method.
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Jason Fay January 13, 2009 @ 1:05pm
Thanks for posting this. Deprecated but works!
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Mike Bridge February 23, 2009 @ 2:41pm
Here's a more concise variant with 3.5:

ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain,
sslPolicyErrors) => true);
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Joel Holder March 05, 2010 @ 10:54am
Thanks for pulling this together Rick. Exactly what I needed to overcome lame cert on end that I don't control. Peace out..
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Chili April 28, 2010 @ 5:24am
I'm trying to upload a file to an https server but the upload failed. This server is an Apache. I have the trace and the socket is up but don't receive. I receive a Statuscode 200(OK). What's wrong?
Thanks in advance
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Alex September 16, 2010 @ 2:03pm
here's an even more concise form:
ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Johan Botha November 15, 2012 @ 9:10am
Rick,
I know this is old, but I wrote my own endpoint manager, that way I can call it and tell it to ignore cert errors for a specific url. The callback delegate will then run through that cached dictionary to see if it needs to ignore a cert error or not for the specific url. That seemed safer for me. Since all my Http calls go through a helper for that (part of its code probably came from your stuff), I have an endpoint definition that is passed in, which includes a flag on whether to ignore cert errors for that endpoint. It has worked very well, important to keep in mind multiple threads in the manager though, since we do 200 transactions per second.
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Naveed Iqbal February 13, 2013 @ 1:37am
Where do I exactly place the code? Currently I have placed it in the Application_Start() event in the global.asax.cs
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Rick Strahl February 13, 2013 @ 2:16am
@Naveed - where you place it is up to you, but yes - usually application startup is the place to do it since it is effectively a global setting.
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by MS February 06, 2014 @ 4:55am
I get this error sometimes when I read Outlook mail programmatically using IMAP.

"The remote certificate is invalid according to validation procedure:" Pls help :(
# re: HttpWebRequest and Ignoring SSL Certificate Errors
by Michael Bray October 21, 2014 @ 8:24am
FYI this can now be set per-connection on HttpWebRequest in .NET 4.5
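
The per-request property mentioned above, combined with the earlier question about tolerating only an expired certificate, as an added example that is not part of the original thread: the callback is attached to one request, logs each chain error, and accepts only when expiry is the sole failure. The class and method names are hypothetical; `HttpWebRequest.ServerCertificateValidationCallback` requires .NET 4.5 or later.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical names): tolerate an expired certificate on one request only.
public static class ExpiredCertificateRequest
{
    // True when validation passed, or when expiry is the only thing wrong with the chain.
    public static bool OnlyExpired(X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;
        // A name mismatch or a missing certificate is never tolerated.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;
        if (chain == null || chain.ChainStatus.Length == 0)
            return false;
        return chain.ChainStatus.All(s => s.Status == X509ChainStatusFlags.NotTimeValid);
    }

    public static HttpWebRequest Create(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);

        // Per-request hook (.NET 4.5+): other requests in the process are unaffected.
        request.ServerCertificateValidationCallback = (sender, certificate, chain, errors) =>
        {
            if (errors != SslPolicyErrors.None && chain != null)
                foreach (X509ChainStatus status in chain.ChainStatus)
                    Console.Error.WriteLine("{0}: {1}: {2}", url, status.Status,
                                            status.StatusInformation);
            return OnlyExpired(chain, errors);
        };
        return request;
    }
}
```

An untrusted root, a revoked certificate or a host name mismatch still fails the request, so the log shows what else is wrong with the server before any further exception is considered.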
 


West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2014