4

I have a .NET 4.6.2 project (System.Net.Http 4.0). I have an HttpClient connection that works fine when I disable SSL verification, but it's done using ServicePointManager.

Had some trouble finding how to disable this on a handler / client level in 4.6.

The following works:

```csharp
// Process-wide: affects every HTTPS request made through ServicePointManager
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
var handler = new HttpClientHandler();
var client = new HttpClient(handler);
```

But when looking at the MSDN documentation, HttpClientHandler does not seem to support ServerCertificateValidationCallback (or the 'dangerous' option) on 4.6 (it's not available in code, and neither is ClientCertificates).

So the question is how to disable this on client / handler / message level in 4.6?

Base
  • 2
    There is a difference of disabling on Server and disabling on Client. A Client cannot go to a lower security level than what the server supports. If the Server requires the higher level security you do not want the client to be able to override. – jdweng Nov 01 '19 at 11:32
  • The only valid reason for disabling SSL certification is development using a self-signed certificate, or calling an internal server that uses a self-signed certificate. The *real* solution is to trust that certificate on the client, not disable validation – Panagiotis Kanavos Nov 01 '19 at 11:38
  • You can *easily* get a free valid server certificate from Let's Encrypt for. In a Windows Domain, you have the additional option of using Certificate Services to issue trusted certificates for all servers in the domain – Panagiotis Kanavos Nov 01 '19 at 11:39
  • The code in question is just for testing, so nothing that will ever touch any form of production environment. But I do still prefer not to affect other calls made in the project. I have no control at all over the endpoint I'm calling. – Base Nov 01 '19 at 11:42

1 Answer

4

You can use WebRequestHandler and its ServerCertificateValidationCallback property.

```csharp
// WebRequestHandler is in the System.Net.Http.WebRequest assembly
var handler = new WebRequestHandler()
{
    ServerCertificateValidationCallback = ....
};
var client = new HttpClient(handler);
```
canton7
  • 1
    This seemed to work once referencing System.Http.Net.WebRequest. Thanks for the input. – Base Nov 01 '19 at 18:45
  • How can we turn this validation on at request level? For .NET Framework 4.8+, it can be done by specifying `HttpClientHandler.ServerCertificateCustomValidationCallback`. But this is not available in earlier versions of .NET Framework... – Roy Ling Jun 28 '22 at 03:52
  • 1
    @RoyLing my answer should work for 4.7.2 and above. I don't believe this is possible with HttpClient before then – canton7 Jun 29 '22 at 06:44
  • @canton7 thank you, later I realized that the first parameter of this callback `sender` is exactly an instance of `System.Net.HttpWebRequest`. So it means the callback is executed on request level. – Roy Ling Jul 08 '22 at 05:41
  • @RoyLing Yes, that was the question. It has always been possible to customise SSL verification globally, as described in the question – canton7 Jul 09 '22 at 21:43
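
An added example, not code from the question or the answer: the handler-scoped `WebRequestHandler` callback from the answer, written so that instead of returning `true` it accepts only one known certificate, in line with the comment above about trusting the specific certificate rather than disabling validation. The class name, the pin placeholder and the URL are assumptions; the project needs a reference to the System.Net.Http.WebRequest assembly.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedTestClient
{
    // Placeholder (assumption): SHA-256 of the test endpoint's DER-encoded certificate, hex.
    const string PinnedSha256 = "REPLACE_WITH_SHA256_HEX_OF_TEST_CERT";

    static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;   // normal validation passed
        if (cert == null) return false;                    // server sent no certificate
        using (var sha = SHA256.Create())
        {
            string actual = BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
            // Accept a failed chain only for the one certificate we expect.
            return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }

    public static HttpClient Create()
    {
        // Scoped to this handler; ServicePointManager and other clients are untouched.
        var handler = new WebRequestHandler { ServerCertificateValidationCallback = Validate };
        return new HttpClient(handler);
    }

    static void Main()
    {
        using (var client = Create())
        {
            // Hypothetical URL standing in for the test endpoint.
            var response = client.GetAsync("https://test-endpoint.example/").GetAwaiter().GetResult();
            Console.WriteLine((int)response.StatusCode);
        }
    }
}
```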