Bypassing SSL Certificate Validation on DotNet Core Service Stack

Question

I know that ServicePointManager.ServerCertificateValidationCallback no longer exists in .Net Core and is instead replaced with:

using(var handler = new System.Net.Http.HttpClientHandler())
{
    using (var httpClient = new System.Net.Http.HttpClient(handler))
    {
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            return true;
        };

    }
}

However we are currently using the ServiceStack.Core library which, as far as I can see, does not expose either a property like this or the handler itself.

How would I tell a ServiceStack client to bypass ssl validation in this code?

using(var client = new JsonServiceClient("https://www.google.com"))
{
    var response = client.Get("/results");
}

If there is a way, would this work the same on both Windows and Linux?

Answer 1

JsonServiceClient is built on .NET HttpWebRequest which has been rewritten in .NET Core as a wrapper over HttpClient so we'd generally recommend for .NET Core to avoid this overhead (which is much slower than .NET 4.5) and switch to using JsonHttpClient in ServiceStack.HttpClient instead as it uses HttpClient directly and where you can inject your own HttpClientHandler with:

var client = new JsonHttpClient(baseUrl)
{
    HttpMessageHandler = new HttpClientHandler
    {
        UseCookies = true,
        AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate,
        ServerCertificateCustomValidationCallback = (req,cert,chain,errors) => true
    }
};

Note it's recommended to reuse HttpClient instances so you should try to reuse HttpClient instances when possible and avoid disposing them.