How to ignore the certificate check when ssl

Question

I am trying find a way to ignore the certificate check when request a Https resource, so far, I found some helpful article in internet.

But I still have some problem. Please review my code. I just don't understand what does the code ServicePointManager.ServerCertificateValidationCallback mean.

When will this delegate method be called? And one more question, in which place should I write this code? Before ServicePointManager.ServerCertificateValidationCallback execute or before Stream stream = request.GetRequestStream()?

public HttpWebRequest GetRequest() { CookieContainer cookieContainer = new CookieContainer(); // Create a request to the server HttpWebRequest request = (HttpWebRequest)WebRequest.Create(_remoteUrl); #region Set request parameters request.Method = _context.Request.HttpMethod; request.UserAgent = _context.Request.UserAgent; request.KeepAlive = true; request.CookieContainer = cookieContainer; request.PreAuthenticate = true; request.AllowAutoRedirect = false; #endregion // For POST, write the post data extracted from the incoming request if (request.Method == "POST") { Stream clientStream = _context.Request.InputStream; request.ContentType = _context.Request.ContentType; request.ContentLength = clientStream.Length; ServicePointManager.ServerCertificateValidationCallback = delegate( Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors) { return (true); }; Stream stream = request.GetRequestStream(); .... } .... return request; } }

Possible duplicate of C# Ignore certificate errors?

Matyas
– Matyas

2016-02-26 09:20:03 +00:00
Commented Feb 26, 2016 at 9:20 — Matyas
– Matyas, Commented Feb 26, 2016 at 9:20

Adam Venezia · Accepted Answer · 2017-02-16 21:22:18Z

215

For anyone interested in applying this solution on a per request basis, this is an option and uses a Lambda expression. The same Lambda expression can be applied to the global filter mentioned by blak3r as well. This method appears to require .NET 4.5.

String url = "https://www.stackoverflow.com"; HttpWebRequest request = HttpWebRequest.CreateHttp(url); request.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

In .NET 4.0, the Lambda Expression can be applied to the global filter as such

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

edited Feb 16, 2017 at 21:22

answered Sep 4, 2013 at 21:47

Adam Venezia

2,7512 gold badges18 silver badges10 bronze badges

Sign up to request clarification or add additional context in comments.

8 Comments

Timo Over a year ago

Is there any per-request solution for FtpWebRequest?

Nacht Over a year ago

It seems to exist fine in my 4.0

The Senator Over a year ago

I think is by far a nicer solution to the 'global' variant, although of course I can understand why you would want it. Personally I favour a request factory which then manages this validation callback. Thanks Adam, nice solution.

Fred Over a year ago

Returning true is something you can do when experimenting during development, however it is insecure. It should be a conditional.

Adam Venezia Over a year ago

Using (HttpWebRequest)WebRequest.Create(url) is perfectly valid, but on my box, HttpWebRequest.Create(url) still exists in a project targeting .Net 4.6.2. Chef's choice, but at this point HttpClient is probably the better API to use.

|

Sani Huttunen · Accepted Answer · 2012-09-20 06:26:31Z

77

Since there is only one global ServicePointManager, setting ServicePointManager.ServerCertificateValidationCallback will yield the result that all subsequent requests will inherit this policy. Since it is a global "setting" it would be prefered to set it in the Application_Start method in Global.asax.

Setting the callback overrides the default behaviour and you can yourself create a custom validation routine.

answered Sep 20, 2012 at 6:26

Sani Huttunen

24.4k7 gold badges78 silver badges82 bronze badges

10 Comments

B. Clay Shannon-B. Crow Raven Over a year ago

What about for a client that has no Global.asax? I am calling a REST service running on the local network from a handheld device.

Sani Huttunen Over a year ago

The question is specific to HttpWebRequest. If you're using any other means you'll have to look in the documentation how to accomplish this.

B. Clay Shannon-B. Crow Raven Over a year ago

I'm using WebRequest, which gets cast to HttpWebRequest, such as: ((HttpWebRequest)request).Accept = contentType;

Sani Huttunen Over a year ago

As stated in my answer: it is PREFERRED to set it in Global.asax not a requirement. You can even set it before the call to the REST service.

Sani Huttunen Over a year ago

See this link for a possible solution.

|

blak3r · Accepted Answer · 2013-04-29 22:38:35Z

This worked for me:

System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; // **** Always accept };

Snippet from here: http://www.west-wind.com/weblog/posts/2011/Feb/11/HttpWebRequest-and-Ignoring-SSL-Certificate-Errors

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
Always returning true is insecure. It should conditionally return true.

Andrej Rommel · Accepted Answer · 2015-08-13 12:57:27Z

32

Also there is the short delegate solution:

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

answered Aug 13, 2015 at 12:57

Andrej Rommel

4287 silver badges8 bronze badges

5 Comments

Fred Over a year ago

Always returning true is insecure.

Andrej Rommel Over a year ago

Yes, always trusting all SSL certificates is insecure by definition. Avoid doing so if possible.

Kiquenet Over a year ago

@AndrejRommel what is your way recommended?

Andrej Rommel Over a year ago

The recommended way is to create a valid SSL certificate and properly utilize it if you have control over the server. We ended up creating one using letsencrypt.org.

Dan Chase Over a year ago

@AndrejRommel Interesting enough I'm getting this with a HttpWebRequest and it's suddenly throwing exceptions related to this, but the cert is good, I wish more articles explained the mechanism behind what HttpWebRequest is validating that others are not, but everything just says to turn it off, which I know is wrong!

Rich Hildebrand · Accepted Answer · 2020-05-14 17:00:17Z

For .net core

using (var handler = new HttpClientHandler()) { // allow the bad certificate handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) => true; using (var httpClient = new HttpClient(handler)) { await httpClient.PostAsync("the_url", null); } }

Irvin Dominin · Accepted Answer · 2018-07-23 16:06:52Z

Just incidentally, this is a the least verbose way of turning off all certificate validation in a given app that I know of:

ServicePointManager.ServerCertificateValidationCallback = (a, b, c, d) => true;

Sheldon · Accepted Answer · 2018-12-18 16:46:57Z

Rather than adding a callback to ServicePointManager which will override certificate validation globally, you can set the callback on a local instance of HttpClient. This approach should only affect calls made using that instance of HttpClient.

Here is sample code showing how ignoring certificate validation errors for specific servers might be implemented in a Web API controller.

using System.Net.Http; using System.Net.Security; using System.Security.Cryptography.X509Certificates; public class MyController : ApiController { // use this HttpClient instance when making calls that need cert errors suppressed private static readonly HttpClient httpClient; static MyController() { // create a separate handler for use in this controller var handler = new HttpClientHandler(); // add a custom certificate validation callback to the handler handler.ServerCertificateCustomValidationCallback = ((sender, cert, chain, errors) => ValidateCert(sender, cert, chain, errors)); // create an HttpClient that will use the handler httpClient = new HttpClient(handler); } protected static ValidateCert(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors) { // set a list of servers for which cert validation errors will be ignored var overrideCerts = new string[] { "myproblemserver", "someotherserver", "localhost" }; // if the server is in the override list, then ignore any validation errors var serverName = cert.Subject.ToLower(); if (overrideCerts.Any(overrideName => serverName.Contains(overrideName))) return true; // otherwise use the standard validation results return errors == SslPolicyErrors.None; } }

Won't this only work for .NET Core? (Or whenever ServerCertificateCustomValidationCallback was added to HttpClientHandler)?
This solution should work in .Net Framework 4.5 and later as well as .Net Core (although I have not tested it in .Net Core).
@Sheldon, this was a gem :) Used in in my localhost api-calls between a .net and a .net core app with success. Nice workaround without accepting all.

Jesse Chisholm · Accepted Answer · 2014-03-06 17:43:37Z

Mention has been made that before .NET 4.5 the property on the request to access its ServicePointManager was not available.

Here is .NET 4.0 code that will give you access to the ServicePoint on a per-request basis. It doesn't give you access to the per-request callback, but it should let you find out more details about the problem. Just access the scvPoint.Certificate (or ClientCertificate if you prefer) properties.

WebRequest request = WebRequest.Create(uri); // oddity: these two .Address values are not necessarily the same! // The service point appears to be related to the .Host, not the Uri itself. // So, check the .Host vlaues before fussing in the debugger. // ServicePoint svcPoint = ServicePointManager.FindServicePoint(uri); if (null != svcPoint) { if (!request.RequestUri.Host.Equals(svcPoint.Address.Host, StringComparison.OrdinalIgnoreCase)) { Debug.WriteLine(".Address == " + request.RequestUri.ToString()); Debug.WriteLine(".ServicePoint.Address == " + svcPoint.Address.ToString()); } Debug.WriteLine(".IssuerName == " + svcPoint.Certificate.GetIssuerName()); }

Agreed! But then, this OP is about how to ignore them, not trust them.
Anyways, Using ServicePoint I cannot always trusting all SSL certificates, neither ignore all certificates, because has not ServerCertificateValidationCallback delegate in ServicePoint

dev_O · Accepted Answer · 2019-07-29 02:09:28Z

CA5386 : Vulnerability analysis tools will alert you to these codes.

Correct code :

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => { return (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != SslPolicyErrors.RemoteCertificateNotAvailable; };

Andrej Grobler · Accepted Answer · 2014-05-08 07:12:03Z

Based on Adam's answer and Rob's comment I used this:

ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => certificate.Issuer == "CN=localhost";

which filters the "ignoring" somewhat. Other issuers can be added as required of course. This was tested in .NET 2.0 as we need to support some legacy code.

@karank Sorry for late reply - It can be added anywhere before the actual call, eg. before calling request.GetResponse(). Note that Issuer might contain something else in your case though.

Santiago Game Lover · Accepted Answer · 2020-03-03 12:13:45Z

Unity C# Version of this solution:

void Awake() { System.Net.ServicePointManager.ServerCertificateValidationCallback += ValidateCertification; } void OnDestroy() { ServerCertificateValidationCallback = null; } public static bool ValidateCertification(object sender, X509Certificate certificate, X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; }

Upvote this because Unity throws on any get or set of handler.ServerCertificateCustomValidationCallback

dev_O · Accepted Answer · 2019-04-15 01:09:17Z

Expressed explicitly ...

ServicePointManager.ServerCertificateValidationCallback += new System.Net.Security.RemoteCertificateValidationCallback(CertCheck); private static bool CertCheck(object sender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error) { return true; }

Miguel Tomás · Accepted Answer · 2021-05-13 15:18:36Z

On .NetCore 3.1 you can resolve this issue by declaring a custom validation method.

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

So before making a request, declare this callback method

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create("https://someurl.com/service/"); HttpWebResponse response = (HttpWebResponse)webRequest.GetResponse();

This way, validation will always pass as your custom method always returns true value.

Osa E · Accepted Answer · 2018-11-26 00:12:10Z

Several answers above work. I wanted an approach that I did not have to keep making code changes and did not make my code unsecure. Hence I created a whitelist. Whitelist can be maintained in any datastore. I used config file since it is a very small list.

My code is below.

ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, error) => { return error == System.Net.Security.SslPolicyErrors.None || certificateWhitelist.Contains(cert.GetCertHashString()); };

MCattle · Accepted Answer · 2013-07-05 22:15:35Z

Adding to Sani's and blak3r's answers, I've added the following to the startup code for my application, but in VB:

'** Overriding the certificate validation check. Net.ServicePointManager.ServerCertificateValidationCallback = Function(sender, certificate, chain, sslPolicyErrors) True

Seems to do the trick.

Simon_Weaver · Accepted Answer · 2017-11-21 20:35:34Z

Tip: You can also use this method to track certificates that are due to expire soon. This can save your bacon if you discover a cert that is about to expire and can get it fixed in time. Good also for third party companies - for us this is DHL / FedEx. DHL just let a cert expire which is screwing us up 3 days before Thanksgiving. Fortunately I'm around to fix it ... this time!

 private static DateTime? _nextCertWarning; private static bool ValidateRemoteCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error) { if (error == SslPolicyErrors.None) { var cert2 = cert as X509Certificate2; if (cert2 != null) { // If cert expires within 2 days send an alert every 2 hours if (cert2.NotAfter.AddDays(-2) < DateTime.Now) { if (_nextCertWarning == null || _nextCertWarning < DateTime.Now) { _nextCertWarning = DateTime.Now.AddHours(2); ProwlUtil.StepReached("CERT EXPIRING WITHIN 2 DAYS " + cert, cert.GetCertHashString()); // this is my own function } } } return true; } else { switch (cert.GetCertHashString()) { // Machine certs - SELF SIGNED case "066CF9CAD814DE2097D367F22D3A7E398B87C4D6": return true; default: ProwlUtil.StepReached("UNTRUSTED CERT " + cert, cert.GetCertHashString()); return false; } } }

Make sure to handle the situation where your alerting mechanism can have an expired cert - or you'll end up with a stackoverflow!
Sorry that’s just my own method to call the Prowl API which can send notifications to my phone. However you want to log it is good. I like to be bugged on my phone for things like this!

Collectives™ on Stack Overflow

How to ignore the certificate check when ssl

16 Answers 16

8 Comments

10 Comments

3 Comments

5 Comments

Comments

Comments

3 Comments

2 Comments

Comments

1 Comment

1 Comment

Comments

Comments

Comments

Comments

3 Comments

Linked

Hot Network Questions

Collectives™ on Stack Overflow

16 Answers 16

8 Comments

10 Comments

3 Comments

5 Comments

Comments

Comments

3 Comments

2 Comments

Comments

1 Comment

1 Comment

Comments

Comments

Comments

Comments

3 Comments

Linked

Related