
I'm trying to intercept the validation of the returned server certificates in a .NET Framework application. I came up with two solutions:

  1. Use `HttpClientHandler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, chain, policyErrors) => { my implementation }`

  2. Use `ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, policyErrors) => { my implementation }`

Is there an advantage to using one over the other?

The article says:

> We don't recommend that you use the ServicePointManager class for new development. Instead, use the System.Net.Http.HttpClient class.

Is there any reason for that, other than ServicePointManager not being used in .NET Core?

Gal I.
  • Using `ServicePointManager` will set it for everything which is really bad. Much safer to constrain it to just the calls that it is needed for. – DavidG Jul 14 '22 at 15:29
  • Why are you using `ServerCertificateValidationCallback` instead of e.g. trusting the server's certificate on your machine? – Panagiotis Kanavos Jul 14 '22 at 15:39
  • @PanagiotisKanavos for example if I don't want the request to fail if revocation failed on RevocationStatusUnknown – Gal I. Jul 14 '22 at 15:51
  • Why would that happen if the certificate is trusted? The whole point of using HTTPS and certificates is to ensure you're talking to the real server instead of a fake. Not encryption. If you disable verification you essentially disable HTTPS. Besides, you *do* care about revocation, a lot. When certificates get stolen you *do* want to know whether they were revoked or not – Panagiotis Kanavos Jul 14 '22 at 16:00
  • _"Why XYZ isn't recommended for new developments"_ - Most often, it is simply because there are successors to XYZ and the legacy stuff is planned to get abandoned, phased out or _at least_ not supported. They may or may not come with old bugs and issues that will be dealt with that way. – Fildor Jul 14 '22 at 16:09
  • @Fildor I must say I'm not convinced there was ever a time that `ServerCertificateValidationCallback` *should* have been used, outside of debugging. So not just new code, even old code. – Charlieface Jul 14 '22 at 20:45
  • @Charlieface I guess so, yes. I was talking a little more generally. – Fildor Jul 14 '22 at 22:17
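The scoping point raised in the comments, as an added example that is not part of the question or any answer: the callback is attached to one `HttpClientHandler` rather than to the process-wide `ServicePointManager`, and it tolerates only the one case the asker mentions (revocation status could not be determined) while every other policy error still fails the connection. It assumes .NET Framework 4.7.1 or later, where `HttpClientHandler` supports the callback; the class and method names are illustrative.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class ScopedCertValidation
{
    // Decide whether to accept a server certificate from the errors the
    // framework already computed. Only "revocation could not be checked"
    // is tolerated; name mismatch, untrusted root, etc. remain fatal.
    public static bool ShouldAccept(X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // Anything other than a pure chain-status problem is rejected outright.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || chain == null)
            return false;

        // Flags we are willing to accept (constructed policy for this example).
        const X509ChainStatusFlags tolerated =
            X509ChainStatusFlags.RevocationStatusUnknown |
            X509ChainStatusFlags.OfflineRevocation;

        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            // Any status bit outside the tolerated set (e.g. NotTimeValid,
            // UntrustedRoot, Revoked) means the chain is genuinely bad.
            if ((status.Status & ~tolerated) != X509ChainStatusFlags.NoError)
                return false;
        }
        return true;
    }

    // The relaxed policy applies only to clients built here; every other
    // HttpClient, WebRequest or SslStream in the process keeps full validation.
    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => ShouldAccept(chain, errors)
        };
        return new HttpClient(handler);
    }
}
```

Returning `true` unconditionally from either callback disables server authentication entirely, which is why the comments push back on using it at all outside debugging.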

1 Answer


ServicePointManager seems to have a few methods marked as obsolete: https://learn.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager?view=net-6.0#:~:text=this%20ServicePointManager%20object.-,Methods,-Equals(Object)

Looks like new classes with updated methods now exist. ServicePointManager is probably being kept around largely for compatibility with old versions.

YungDeiza