Bypassing Certificate Validation in .NET

July 24, 2007

Why would you ever want to bypass certificate validation? Well, maybe if, like me, you’re testing a web service that’s under development and you don’t own a valid certificate yet.

It took a while to figure this out. I was convinced it would be something simple, and it was…

The code below implements a custom certificate validation method that does nothing: it accepts every certificate. You could customize the TrustAllCertificatesCallback method to perform your own meaningful validation; my example simply validates every request. Because ServicePointManager.ServerCertificateValidationCallback is a static, application-wide setting, this turns off certificate checking for every HTTPS request the application makes, not just calls to the test service. Notice my nifty TODO comment? I wrote this as a temporary fix and I was a little paranoid I’d forget to take this line out.

I’ve only tested this with WSE3 (Microsoft Web Service Enhancements v3) on the client side talking to a Java implementation of Axis2 on the server side. …But this should work with WSE3/.NET on whatever.

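    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.Windows.Forms;

    static class Program
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        static void Main()
        {
            // TODO: REMOVE THIS LINE BEFORE GOING INTO PRODUCTION!!!
            // Replaces the default server certificate check for the whole application.
            ServicePointManager.ServerCertificateValidationCallback =
                TrustAllCertificatesCallback;
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new Form1());
        }

        // Accepts every server certificate, ignoring any errors reported in 'errors'.
        public static bool TrustAllCertificatesCallback(
            object sender, X509Certificate cert,
            X509Chain chain, SslPolicyErrors errors)
        {
            return true;
        }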
    }
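
A narrower alternative to the trust-all callback, as an added example (not code from the original post): it accepts certificates that pass normal validation and makes a single exception for one test host presenting one pinned certificate, and it is only installed in DEBUG builds. The class name, host name and fingerprint placeholder are hypothetical, and it assumes requests go through HttpWebRequest so that `sender` identifies the target host.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class DevCertificatePolicy
{
    // Hypothetical values: the test service's host name and the SHA-256
    // fingerprint (hex) of the self-signed certificate it presents.
    const string DevHost = "dev-service.example.test";
    const string PinnedSha256 = "REPLACE_WITH_SHA256_HEX_OF_DEV_CERT";

    // Call once at startup. In release builds this is a no-op, so the
    // default validation stays in force even if the call is left in.
    public static void Install()
    {
#if DEBUG
        ServicePointManager.ServerCertificateValidationCallback = Validate;
#endif
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass the normal checks are accepted as usual.
        if (errors == SslPolicyErrors.None) return true;

        // Otherwise reject, unless the request targets the test host...
        HttpWebRequest request = sender as HttpWebRequest;
        if (request == null || cert == null) return false;
        if (!string.Equals(request.Address.Host, DevHost,
                           StringComparison.OrdinalIgnoreCase)) return false;

        // ...and the server presented exactly the pinned certificate.
        return string.Equals(Sha256Hex(cert), PinnedSha256,
                             StringComparison.OrdinalIgnoreCase);
    }

    // SHA-256 over the DER-encoded certificate, as an uppercase hex string.
    public static string Sha256Hex(X509Certificate cert)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(
                sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
    }
}
```

Calling `DevCertificatePolicy.Install()` in place of the assignment in `Main()` keeps every other HTTPS connection under the default checks.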

6 Responses to “Bypassing Certificate Validation in .NET”

  1. Alex W Says:

    Nerd alert! Dive, dive, dive!!!! Deeper!! Even deeper!!!
    🙂 I love you brien!
    Alex

    P.S. In the friendly way, not the Roman Senator-schoolboy way 🙂

  2. Darshan Thacker Says:

    Hi,

    I am trying to develop a page which validates on the client side that the client has this certificate, and only then allows that client; otherwise no one else should be allowed to view it.
    How can I do this with this article? Can you please tell me the idea?

    thanks

  3. 8r13n Says:

    If you only want to allow some certs, add your code to validate the certificate in the
    TrustAllCertificatesCallback method like this…

        public static bool TrustAllCertificatesCallback(
            object sender, X509Certificate cert,
            X509Chain chain, SslPolicyErrors errors)
        {
            bool allow = false;
            // i_want_to_allow_it is a placeholder for your own check of cert and errors.
            if (i_want_to_allow_it) {
                allow = true;
            }
            return allow;
        }

  4. Kishore Says:

    Brian,

    Great blog.

    I have one question. Is it possible to do this from a web project? In that case, where will we put this code? In global.asax?

    Thanks,

    Kishore

  5. 8r13n Says:

    This should work if you drop it into the Application_OnStart event of the global.asax.

    By the way, I’m unemployed so if you know of any C# work please let me know.

    You only need this code…

        ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;

        public static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
        {
            // Allow or disallow things manually here.
            return true;
        }

  6. rao Says:

    Hi,

    I have a website which should validate the incoming https requests/certificate which are coming to my server.

    Please let me know how to handle incoming https requests.

    Thanks

