What is the best way of handling non-validating SSL certificates in C#
https://stackoverflow.com/questions/129544
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm using the following code to make sure all certificates pass, even invalid ones, but I would like to know if there is a better way, as this event gets called globally and I only want the certificate to pass for a certain HTTP call and not for any others that are happening asynchronously.
// This delegate makes sure that non-validating SSL certificates are passed
ServicePointManager.ServerCertificateValidationCallback = delegate(object certsender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
return true;
};
The code above is just an example of ignoring any non-validation on the certificate. The problem that I'm having is that it is a global event. I can't see which session the event is happening for. I might have a couple of http requests going through and I want to ask the user for an action for each request.
Solution
What about the certsender argument? Does it contain anything sensible so that you can tell what connection the callback is happening for? I checked the .NET API but it doesn't say what the argument is supposed to contain...
OTHER TIPS
Well, you could actually bother to check some of those parameters. ;) For instance, if you have a self signed certificate, then only let error == SslPolicyErrors.RemoteCertificateChainError through. You could also check the issuer, name, etc. on the certificate itself for additional security.
