How to call the default certificate check when overriding ServicePointManager.ServerCertificateValidationCallback in C#?
<p>I need to trust some self-signed certificates in the application, so I override the validation callback like this:</p>
<pre><code>using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

ServicePointManager.ServerCertificateValidationCallback = MyRemoteCertificateValidationCallback;
...
public static bool MyRemoteCertificateValidationCallback(
    Object sender,
    X509Certificate certificate,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    // The framework found nothing wrong: accept.
    if (sslPolicyErrors == SslPolicyErrors.None)
        return true;

    if (IsApprovedByMyApplication(sender, certificate)) // &lt;-- no matter what the check here is
        return true;
    else
        return false; // &lt;-- here I'd like to call the default Windows handler rather than returning 'false'
}
</code></pre>
<p>But when there are some policy errors, and the site I am connecting to is not approved by the application, an Exception is thrown. The problem here is that it differs from the standard Windows behavior.</p>
<p>Consider this site: <a href="https://www.dscoduc.com/">https://www.dscoduc.com/</a></p>
<p>Its certificate has an unknown issuer, and is therefore untrusted. I have added it with MMC to the Local Computer's Trusted People (it's Windows 7).</p>
<p>If I run this code without overriding the certificate validation callback:</p>
<pre><code>using System.IO;
using System.Net;

HttpWebRequest http = (HttpWebRequest)HttpWebRequest.Create("https://www.dscoduc.com/");
using (WebResponse resp = http.GetResponse())
{
    using (StreamReader sr = new StreamReader(resp.GetResponseStream()))
    {
        string htmlpage = sr.ReadToEnd();
    }
}
</code></pre>
<p>it connects successfully. <strong>It means that the Windows default validator decided to trust this certificate.</strong></p>
<p>But once I override the ServerCertificateValidationCallback, my callback is called with <em>SslPolicyErrors.RemoteCertificateChainErrors</em> and the chain contains one element with status <em>X509ChainStatusFlags.PartialChain</em> (in fact I would expect to receive no errors here, because the current cert is supposed to be trusted).</p>
<p>This site is not included in my trusted list, and I do not want to return 'true' from my callback. But I don't want to return 'false' either, or I'll get an Exception: "The remote certificate is invalid according to the validation procedure", which is obviously not expected for <a href="https://www.dscoduc.com/">https://www.dscoduc.com/</a>, because it's added to the Trusted People store, and is approved by Windows when the certificate callback is not overridden. So I want Windows to take the default validation procedure for this site. I don't want to look into the Windows trusted stores myself and go through all the chain elements, because it's already (and hopefully correctly) implemented in Windows.</p>
<p><strong>In other words, I need to explicitly trust the sites approved by the user (which are stored somewhere in his settings), and call the default certificate check for all others.</strong></p>
<p>The default value for ServicePointManager.ServerCertificateValidationCallback is null, so there's no 'default' callback for me to call later. How should I call this 'default' certificate handler?</p>
<p>Thanks</p>
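One way to structure such a callback, as an added example that is not code from the question: certificates the user has approved are matched by thumbprint, only chain errors are forgiven for them, and everything else is re-validated with an explicit X509Chain build. The thumbprint list is a constructed placeholder, and the chain build is an assumption about how to approximate standard validation; it is not a call into the Schannel procedure the question asks about, so its verdict can still differ from what Windows does when no callback is installed.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedOrChainValidation
{
    // Constructed placeholder: SHA-1 thumbprints of the self-signed certificates
    // the user has explicitly approved in the application's own settings.
    static readonly string[] ApprovedThumbprints =
    {
        "0000000000000000000000000000000000000000" // placeholder, not a real thumbprint
    };

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate certificate,
                         X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Case 1: the framework already accepted the certificate; keep that verdict.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Anything other than a pure chain problem (name mismatch, no certificate
        // at all) is rejected regardless of the user's approvals.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        var cert2 = new X509Certificate2(certificate);

        // Case 2: explicitly approved self-signed certificate, matched by thumbprint.
        if (Array.Exists(ApprovedThumbprints,
                t => string.Equals(t, cert2.Thumbprint, StringComparison.OrdinalIgnoreCase)))
            return true;

        // Case 3 (assumption): re-run standard chain building against the machine's
        // stores with revocation checking. This is an explicit X509Chain build, not
        // the validator Windows uses when no callback is set, so results may differ.
        var rebuilt = new X509Chain();
        rebuilt.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        rebuilt.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        rebuilt.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        return rebuilt.Build(cert2);
    }
}
```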