Bypassing Certificate Validation in .NET
July 24, 2007
Why would you ever want to bypass certificate verification? Well, maybe if, like me, you're testing a web service that's under development and you don't own a valid certificate yet.
It took a while to figure this out. I was convinced it would be something simple, and it was…
The code below implements a custom certificate validation method that performs no checks. You could customize the TrustAllCertificatesCallback method to execute your own meaningful validation; my example simply accepts every certificate. Because ServicePointManager.ServerCertificateValidationCallback is a static, application-wide setting, this turns off certificate checking for every HTTPS connection the application makes through it, not just calls to the test service. Notice my nifty TODO comment? I wrote this as a temporary fix and I was a little paranoid I'd forget to take this line out.
I've only tested this with WSE3 (Microsoft Web Service Enhancements v3) on the client side talking to a Java implementation of Axis2 on the server side, but this should work with WSE3/.NET on whatever.
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.Windows.Forms;

    static class Program
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        static void Main()
        {
            // TODO: REMOVE THIS LINE BEFORE GOING INTO PRODUCTION!!!
            ServicePointManager.ServerCertificateValidationCallback =
                TrustAllCertificatesCallback;
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new Form1());
        }

        // Accepts every server certificate, whatever validation errors were reported.
        public static bool TrustAllCertificatesCallback(
            object sender, X509Certificate cert,
            X509Chain chain, SslPolicyErrors errors)
        {
            return true;
        }
    }
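One way to do the "meaningful validation" mentioned above while keeping the temporary fix out of release builds. This is an added example, not the original author's code; the class name DevCertificatePolicy and the PinnedSha256 placeholder are assumptions. It accepts an untrusted certificate only when it is exactly the pinned test certificate, and registers the callback only in DEBUG builds.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical class name; not part of the original post.
static class DevCertificatePolicy
{
    // Placeholder (assumption): SHA-256 of the test server's certificate, as hex
    // without separators. Replace with the value for your own test certificate.
    const string PinnedSha256 = "REPLACE_WITH_TEST_CERT_SHA256_HEX";

    // Registers the callback in DEBUG builds only, so a release build always
    // falls back to the framework's default validation.
    public static void Install()
    {
#if DEBUG
        ServicePointManager.ServerCertificateValidationCallback = Validate;
#endif
    }

    public static bool Validate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass normal validation are accepted as usual.
        if (errors == SslPolicyErrors.None) return true;
        // Tolerate only an untrusted chain (e.g. a self-signed test cert).
        // A name mismatch or a missing certificate is still rejected.
        if (cert == null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;
        // Accept the untrusted certificate only if it is exactly the pinned one.
        return string.Equals(Sha256Hex(cert.GetRawCertData()), PinnedSha256,
            StringComparison.OrdinalIgnoreCase);
    }

    public static string Sha256Hex(byte[] data)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
    }

    static void Main()
    {
        Install();
        // Constructed check: no certificate plus a name mismatch must be refused.
        Console.WriteLine(Validate(null, null, null,
            SslPolicyErrors.RemoteCertificateNameMismatch));
    }
}
```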
August 1, 2007 at 10:38 am
nerd alert! Dive, dive, dive!!!! Deeper!! Even deeper!!!
🙂 I love you brien!
Alex
P.S. In the friendly way, not the Roman Senator-schoolboy way 🙂
August 11, 2008 at 11:46 pm
Hi,
I am trying to develop a page which validates on the client side that the client has this certificate, and only then allows that client; otherwise no one else should be allowed to view it.
How can I do this with this article? Can you please tell me the idea?
Thanks
August 12, 2008 at 9:44 am
If you only want to allow some certs, add your code to validate the certificate in the TrustAllCertificatesCallback method like this…

    public static bool TrustAllCertificatesCallback(
        object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        bool allow = false;
        // i_want_to_allow_it is a placeholder for your own check of cert, chain and errors.
        if (i_want_to_allow_it) {
            allow = true;
        }
        return allow;
    }
March 30, 2009 at 12:04 am
Brian,
Great blog.
I have one question. Is it possible to do this from a web project? In that case, where will we put this code? In global.asax?
Thanks,
Kishore
March 31, 2009 at 12:53 pm
This should work if you drop it into the Application_OnStart event of the global.asax.
By the way, I’m unemployed so if you know of any C# work please let me know.
You only need this code…

    ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;

    public static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Allow or disallow things manually here.
        return true;
    }
May 31, 2009 at 9:04 pm
Hi,
I have a website which should validate the incoming https requests/certificate which are coming to my server.
Please let me know how to handle incoming https requests.
Thanks