.NET tip for dealing with bad SSL Certs



Gordon Weakliem

One problem I ran into when working with the JASIG CAS .NET client was that my test server does not have a real certificate – it’s a self-signed thing which works in theory but will cause connection failures in .NET unless you take measures to ignore those errors.  The problem I ended up with is the browser reported an infinite redirect because the web app could never perform the validation callback because the SSL CONNECT was failing due to an untrusted root error.


The System.Net.ServicePointManager.ServerCertificateValidationCallback gives you a way to ignore errors with SSL certificates.  I modified the Global.asax of the ExampleWebSite to ignore these errors.  WARNING: you should not use this setup for a production system; the code I’ve given will happily accept any SSL Cert, no matter how bogus.  You can check the docs for RemoteCertificateValidationCallback to see how you can refine it to ignore only certain classes of problems, but I still wouldn’t recommend modifying the default behavior on any kind of publicly accessible system – this kind of trick is strictly for development environments.


<%@ Application Language="C#" %>
<%@ Import Namespace="System.Net.Security" %>
<%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>

<script runat="server">
    public bool RemoteCertificateValidationCallback(
        Object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // DANGEROUS!  completely disable SSL validation if the test server has a bad Cert / bad Cert chain
        return true;
    }

    void Application_Start(object sender, EventArgs e)
    {
        log4net.Config.XmlConfigurator.Configure();
        // WARNING: Disable SSL validation for all WebRequests out of this application.  DO NOT use this on a production server!
        System.Net.ServicePointManager.ServerCertificateValidationCallback += RemoteCertificateValidationCallback;
    }
</script>


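The post mentions that the RemoteCertificateValidationCallback docs show how to tolerate only certain classes of problems instead of accepting everything. The following is an added example, not part of the original post or the CAS client: a narrowed callback that keeps the default outcome for every connection except one pinned self-signed test certificate on one dev host. The thumbprint, the host name and the use of the request as `sender` are assumptions for illustration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class DevCertPolicy
{
    // Assumption: SHA-1 thumbprint of the single self-signed test cert to tolerate.
    // Placeholder value; take it from the dev config, never hard-code a real one here.
    private const string AllowedThumbprint = "0000000000000000000000000000000000000000";
    private const string AllowedHost = "cas.test.local"; // hypothetical dev CAS host

    // Wire up in Application_Start (dev builds only):
    //   ServicePointManager.ServerCertificateValidationCallback += DevCertPolicy.Validate;
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Default validation passed: nothing to override.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Tolerate chain errors only (UntrustedRoot for a self-signed cert).
        // Name mismatches and a missing certificate are still rejected.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        // Assumption: for HttpWebRequest the sender is the request itself,
        // so the exception can be limited to the one dev host.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, AllowedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Pin the exact certificate by thumbprint, not "any self-signed cert".
        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        if (!string.Equals(cert2.Thumbprint, AllowedThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;

        // UntrustedRoot must be the only chain problem; revoked/expired still fail.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }
        return true;
    }
}
```

Because the callback is process-wide, everything else the application talks to over TLS still gets the framework's normal validation result.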