Reputation: 2564
We have created a certificate in IIS6 and applied it to a site using SSL. Now the same program we have used before will not work. As I understand it, C# supports HTTPS transparently, so I believe it must be with the "untrusted" cert. After turning the proxy setting off (was getting a 403 Forbidden error), I receive "Could not establish trust relationship for the SSL"
I have tried a few workarounds, like swapping the default cert policy with a validation hack, but it was very old and I still get the same error.
Below is my post method.
    // Namespaces used: System, System.IO, System.Net, System.Net.Cache, System.Text
    try
    {
        HttpRequestCachePolicy policy = new HttpRequestCachePolicy(HttpRequestCacheLevel.NoCacheNoStore);
        HttpWebRequest.DefaultCachePolicy = policy;
        byte[] buffer = Encoding.UTF8.GetBytes(postData);
        // Initialisation
        HttpWebRequest WebReq = (HttpWebRequest)WebRequest.Create(url);
        WebReq.Timeout = 10000;
        // Route the request through the configured proxy when enabled
        if (useproxy == "ON")
        {
            WebProxy myProxy = new WebProxy();
            // Create a new Uri object.
            Uri newUri = new Uri(proxy);
            // Associate the new Uri object to the myProxy object.
            myProxy.Address = newUri;
            WebReq.Proxy = myProxy;
        }
        WebReq.KeepAlive = false;
        // Method is POST
        WebReq.Method = "POST";
        WebReq.ContentType = "application/x-www-form-urlencoded";
        // The length of the buffer
        WebReq.ContentLength = buffer.Length;
        Stream PostData = WebReq.GetRequestStream();
        // Write, and close.
        PostData.Write(buffer, 0, buffer.Length);
        PostData.Close();
        // Get the response handle (the TLS trust failure surfaces here or at GetRequestStream)
        HttpWebResponse WebResp = (HttpWebResponse)WebReq.GetResponse();
        Console.WriteLine(WebResp.StatusCode);
        Console.WriteLine(WebResp.Server);
        // Do not worry about response!
        // Read the response (the string), and output it.
        Stream Answer = WebResp.GetResponseStream();
        StreamReader _Answer = new StreamReader(Answer);
        vystup = _Answer.ReadToEnd();
        if (vystup != "OK")
        {
        }
    }
    catch (WebException ex)
    {
        Console.WriteLine(ex);
    }
Is there any workaround for the certificate or my app or in IIS that would resolve this? Presumably it's C# not trusting the certificate, but this is my first go at HTTPS.
Any info at all is welcome.
Upvotes: 1
Views: 4224
Reputation: 28338
By default, the .NET certificate policy will reject any unverified or untrusted server certificates, since 99% of the time that's what you want. (The only "bad" certificates that get through by default are expired, but otherwise valid ones.)
You have a few options, depending on the scale of the deployment you're talking about.
Install the server's certificate on the client as a trusted root certificate. For testing, this is hands down the easiest option, and I do it all the time with my dev machine's IIS and IIS Express certificates. Horrible idea for production though.
Use an internal CA to generate a certificate; if you work for a company that has an Active Directory setup, the AD servers can act as a CA, and you can use group policy to push the AD server's CA root out to clients automatically. If you're deploying something internally, this is a good way to go because it's pretty cheap :)
Implement a ServerCertificateValidationCallback on the ServicePointManager class that ignores any SSL errors. The only real pitfall here is that this is a global setting, so every use of the WebRequest classes will use your custom validation callback.
Upvotes: 3
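A narrower alternative to a callback that ignores every SSL error, as an added example that is not part of the original answers: it sets the callback on a single request (HttpWebRequest.ServerCertificateValidationCallback, .NET Framework 4.5 and later) and accepts an untrusted chain only when the certificate's SHA-256 hash matches a pinned value. The class name PinnedTls, the URL in Main and the pin placeholder are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedTls
{
    // Placeholder (assumption): SHA-256 of the server certificate's DER bytes,
    // as hex without separators, obtained out of band from the server admin.
    const string PinnedSha256 = "<SHA256-OF-SERVER-CERT-HEX>";

    // Accept a certificate that validates normally, or one whose ONLY problem
    // is an untrusted chain and whose hash equals the pinned value.
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        // Name mismatch or missing certificate is always rejected.
        if (cert == null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(cert.GetRawCertData());
            string hex = BitConverter.ToString(hash).Replace("-", "");
            return string.Equals(hex, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }

    public static HttpWebRequest Create(string url)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        // Per-request callback: other WebRequest users in the process keep the
        // default policy, unlike ServicePointManager's global callback.
        req.ServerCertificateValidationCallback = Validate;
        return req;
    }

    static void Main()
    {
        // Offline check of the decision logic (constructed inputs, no network).
        Console.WriteLine(Validate(null, null, null, SslPolicyErrors.None));
        Console.WriteLine(Validate(null, null, null, SslPolicyErrors.RemoteCertificateChainErrors));
        // Build a request for a hypothetical host without sending it.
        Console.WriteLine(Create("https://server.example/post").Address);
    }
}
```

With the placeholder left in place, every certificate that fails normal validation is rejected, which is the same as the default policy.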
Reputation: 4923
I don't think this is working because you haven't requested that the WebRequest happen over SSL.
According to Microsoft, you need to add something like WebReq.EnableSsl = true;
Upvotes: 0