5

In my application I have situations in which I need to make requests to servers that have self-signed certificates. I would like to be able to disable certificate validation only for that particular request.

I know I can disable certificate validation by setting ServicePointManager.ServerCertificateValidationCallback to point to a callback method and simply return true. However, this then disables certificate validation for the entire application, which I could simply do by setting in app.config.

However, I do not want to disable it for the entire application but rather disable it for an individual request. Is that possible?

The class I am working with is SmtpClient.

neontapir
Jim Scott

1 Answer

0

Disabling the certificate validation is generally a bad idea. Why don't you simply add your custom certificate as a trusted certificate on the system or in your application?

AFAIR this can be done e.g. by implementing your own X509CertificateValidator. Just embed the custom certificate into your application and compare in the X509CertificateValidator if both are equal.

See also: How safe is my custom SSL verification logic to handle excepted RemoteCertificateNameMismatch?

Community
Robert
  • Robert, thanks for the response. In parts of our application we do not want to allow if a certificate is not valid. However, in this particular case in which we are sending emails we want to use SSL, but we are finding many clients have self-signed SSL certificates which result in a failure to send the email. Unfortunately this is too often the case for SMTP servers, and it would be a nightmare to import a certificate for every SMTP server that failed, so we want to allow for SMTP the ability to accept certificate failures and other parts of our application to still enforce. – Jim Scott Oct 26 '11 at 17:49
  • Then maybe you should use the validation scheme used also in the Android "K9" Mail-Client, which has exactly the same problem. The first time it encounters an untrusted certificate it shows some certificate details and asks the user if he/she trusts this certificate. If the user answers yes, AFAIR it saves the certificate hash in the settings file, marking this certificate as valid. The internal certificate validator then accepts all regular certificates plus the one with the saved hash. Works for everybody and is still relatively secure. – Robert Oct 26 '11 at 18:06
  • Unfortunately this is a service so does not have a user interface and thus does not have any dialog that a user can click to accept the certificate. – Jim Scott Oct 27 '11 at 22:47
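
The scheme from the comments (accept regular certificates plus any whose saved hash matches), sketched for a service that loads the hashes from its settings instead of asking a user. This is an added example, not code from anyone in the thread; `PinnedCertificateValidator`, the subject names and the throwaway certificates are constructed for illustration, and the demo assumes a runtime that has `CertificateRequest` (.NET Framework 4.7.2 or later, or .NET Core 2.0 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical class name): accept certificates that validate
// normally, plus certificates whose SHA-256 fingerprint was pinned in advance.
public sealed class PinnedCertificateValidator
{
    private readonly HashSet<string> _pins;
    // pins: hex SHA-256 fingerprints, e.g. loaded from the service's settings file.
    public PinnedCertificateValidator(IEnumerable<string> pins) =>
        _pins = new HashSet<string>(pins, StringComparer.OrdinalIgnoreCase);

    // SHA-256 over the DER-encoded certificate, as hex without separators.
    public static string Fingerprint(X509Certificate certificate)
    {
        using (SHA256 sha256 = SHA256.Create())
            return BitConverter.ToString(sha256.ComputeHash(certificate.GetRawCertData())).Replace("-", "");
    }

    // Same signature as the RemoteCertificateValidationCallback delegate.
    public bool Validate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;  // regular, trusted certificate
        if (certificate == null) return false;            // nothing to compare against
        return _pins.Contains(Fingerprint(certificate));  // only a pinned exception passes
    }
}

public static class Demo
{
    // Constructed sample input: a throwaway self-signed certificate.
    static X509Certificate2 SelfSigned(RSA key, string subject) =>
        new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));

    public static void Main()
    {
        using (RSA key = RSA.Create(2048))
        {
            X509Certificate2 pinned = SelfSigned(key, "CN=smtp.example.test");
            X509Certificate2 other = SelfSigned(key, "CN=other.example.test");
            var validator = new PinnedCertificateValidator(new[] { PinnedCertificateValidator.Fingerprint(pinned) });
            var chainError = SslPolicyErrors.RemoteCertificateChainErrors; // what a self-signed cert reports
            Console.WriteLine(validator.Validate(null, pinned, null, chainError));
            Console.WriteLine(validator.Validate(null, other, null, chainError));
        }
    }
}
```

Assigning `validator.Validate` to `ServicePointManager.ServerCertificateValidationCallback` leaves normal validation in force for every certificate that is not pinned. That callback is process-wide, so a pinned certificate is accepted on any connection the process makes, not only SMTP.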