Rick Strahl's Weblog  

Wind, waves, code and everything in between...
.NET • C# • Markdown • WPF • All Things Web
Contact   •   Articles   •   Products   •   Support   •   Advertise
Sponsored by:
West Wind WebSurge - Rest Client and Http Load Testing for Windows

Accepting invalid Certificates for WCF/Web Services/HttpWebRequest gets easier

On this page:

Looks like .NET 3.0/3.5 has updated functionality to allow setting certificate certificate polices. In fact I noticed that the old mechanism I showed in an earlier post has been marked as obsolete, but there's a nicer replacement mechanism available now.

I frequently use Certificate policy to disable certificate validation while testing SSL requests. In more than a few scenarios I've ended up trying to call test Web services that are secured with expired or otherwise invalid certs and it can be useful - for testing purposes at least - to bypass these certificates.

Another scenario where this comes up is for tracing SSL requests. I tend to use Fiddler most of the time but it doesn't do well with SSL, so I use Charles when it comes to SSL requests. Charles interjects into requests with its own local certificate and then forwards the original request data to the actual Web Server. This tends to work with browser requests, but usually fails with WCF/Web Services and HttpWebRequest. WinInet had flags for turning off various kinds of failure - in .NET the solution in the past has been to provide a specific CertifictePolicy class implementation and pointing at this class from ServicePointManager object.

The concept's still the same in .NET 3.5 as in the above post - you provide a custom policy but rather than having to create a new class you can now simply implement a delegate callback. If you use an anonymous delegate the code becomes quite simple and more importantly self contained so no external classes are required:

// *** Allow acceptance of all certificates

if (this.IngoreCertificateErrors)

    ServicePointManager.ServerCertificateValidationCallback +=

        delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)

        { return true; };

Of course you can be a little more selective with your code in the code block in between but for simply accepting any cert in a debug environment the above will work.

As mentioned in the previous post ServicePointManager is a process wide static object so changing a setting here affects any other requests in the application or maybe more importantly any subsequent ones. I haven't found a way to do this on the active connection only which seems kind of a drag... So be careful setting the certificate policy and make sure you actually want to affect it process wide or else reset the policy when done with the service or HTTP client call.

Posted in .NET  CSharp  

The Voices of Reason


Aaron Fischer
December 12, 2007

# re: Accepting invalid Certificates for WCF/Web Services/HttpWebRequest gets easier

Fiddler2 supports ssl it works in the same way you describe Charles. You can always turn Fiddler on and trust the "do not trust cert", if your dare. This will allow you app to accept the certificate.

Sam S.
May 15, 2014

# re: Accepting invalid Certificates for WCF/Web Services/HttpWebRequest gets easier

Thank you for writing this entry. 7 years later, but still relevant. It was extremely useful today in helping me resolve issues with an expired certificate quickly.

West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2024