Bypassing Certificate Validation in .NET

July 24, 2007

Why would you ever want to bypass certification verification? …Well, maybe if you’re testing a web service that’s under development and you don’t own a valid certificate yet like me.

It took a while to figure this out. I was convinced it would be something simple, and it was…

The code below implements a custom certificate validation method that does nothing. You could customize the TrustAllCertificatesCallback method to execute your own meaningful validation, my example simply validates every request. Notice my nifty TODO comment? I wrote this as a temporary fix and I was a little paranoid I’d forget to take this line out.

I’ve only tested this with WSE3 (Microsoft Web Service Enhancements v3) on the client side talking to a Java implementation of Axis2 on the server side. …But this should work with WSE3/.Net on whatever.

    static class Program
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>

        [STAThread]
        static void Main()
        {
            // TODO: REMOVE THIS LINE BEFORE GOING INTO PRODUCTION!!!
            ServicePointManager.ServerCertificateValidationCallback =
                TrustAllCertificatesCallback;
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new Form1());
        }

        public static bool TrustAllCertificatesCallback(
            object sender, X509Certificate cert,
            X509Chain chain, SslPolicyErrors errors)
        {
            return true;
        }
    }

About these ads

6 Responses to “Bypassing Certificate Validation in .NET”

  1. Alex W Says:

    nerd alert!Dive, dive, dive!!!!Tiefer!!Noch tiefer!!! :) I love you brien!
    Alex

    P.S In the friendly way, not the Roman Senator-schoolboy way :)

  2. Darshan Thacker Says:

    Hi,

    I am trying to develop a page like which validates on client side that that client is having this certificate than only allow that client otherwise not anyone esle should not be allowed to view that.
    how to make this with this article..can you please tell me the idea.

    thanks

  3. 8r13n Says:

    If you only want to allow some certs, add your code to validate the certificate in the
    TrustAllCertificatesCallback method like this…

    public static bool TrustAllCertificatesCallback(
    object sender, X509Certificate cert,
    X509Chain chain, SslPolicyErrors errors)
    {
    bool allow = false;
    if (i_want_to_allow_it) {
    allow=true;
    }
    return allow;
    }

  4. Kishore Says:

    Brian,

    Great blog.

    I have one question. Is is possible to do this from a web project? In that case, where will we put this code? In global.asax?

    Thanks,

    Kishore

  5. 8r13n Says:

    This should work if you drop it into the Application_OnStart event of the global.asax.

    By the way, I’m unemployed so if you know of any C# work please let me know.

    You only need this code…

    ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;

    public static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
    //Allow or disallow things manually here.
    return true;
    }

  6. rao Says:

    Hi,

    I have a website which should validate the incoming https requests/certificate which are coming to my server.

    Please let me know how to handle incoming https requests.

    Thanks


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: