To ignore the SSL certificate errors, I am setting ServicePointManager.ServerCertificateValidationCallback in a static method before making an HttpWebRequest. I only want this to be done for internal requests, and so I am resetting the property to its default value in the finally block. But because it is a web application, will there be any issues when multiple threads are modifying the property?
Here is how I am using the property:
    public static String GetResource()
    {
        try
        {
            ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };
        }
        catch
        {
        }
        finally
        {
            ServicePointManager.ServerCertificateValidationCallback -= delegate { return false; };
        }
    }
If you need to override default certificate validation, consider one or more of the following:
Set ServerCertificateValidationCallback once and only once -- during application start up or possibly in a static constructor. This eliminates the risk of thread contention.
Since you're making security more permissive, limit the behavior to debug builds with conditional compilation:
    #if DEBUG
    ServicePointManager.ServerCertificateValidationCallback += Callback;
    #endif
Finally, remember that your delegate is a rich function. You don't have to simply return true. You can interrogate the request and decide how to handle it.
    ServicePointManager.ServerCertificateValidationCallback += Callback;

    static bool Callback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (IsInternalRequest(sender))
        {
            return true;
        }
        else
        {
            return IsExternalRequestValid(sender, certificate, chain, sslPolicyErrors);
        }
    }
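One way to fill in the "interrogate the request" callback from the answer above, shown as an added example that is not the answerer's code. It goes one step further than returning true for internal requests: a validation error is tolerated only when the host is on an internal list and the certificate matches a pinned thumbprint. The class name, host name and thumbprint placeholder are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CertificatePolicy
{
    // Assumption: internal host names mapped to the SHA-1 thumbprint of the
    // certificate each one is expected to present (placeholder value).
    static readonly Dictionary<string, string> PinnedInternalHosts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "intranet.example.internal", "<THUMBPRINT-PLACEHOLDER>" },
        };

    // Call once at application start-up; nothing is added or removed per request,
    // so no thread ever sees a half-configured callback.
    public static void Install()
    {
        // '=' rather than '+=': with several handlers attached, only the
        // return value of the last one invoked decides the outcome.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                   // default validation already passed

        string host = HostOf(sender);
        string pinned;
        if (host == null || certificate == null ||
            !PinnedInternalHosts.TryGetValue(host, out pinned))
            return false;                  // external or unknown host: stay strict

        // Internal host: accept the error only for the exact expected certificate.
        return string.Equals(certificate.GetCertHashString(), pinned,
                             StringComparison.OrdinalIgnoreCase);
    }

    // The sender is the HttpWebRequest for HttpWebRequest calls; some callers pass a host string.
    static string HostOf(object sender)
    {
        var request = sender as HttpWebRequest;
        return request != null ? request.RequestUri.Host : sender as string;
    }
}
```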