Bypassing an invalid SSL certificate in .NET Core

I am working on a project that needs to connect to an HTTPS site. Every time I connect, my code throws an exception because the certificate for this site is from an untrusted site. Is there a way to get around certificate verification in .NET Core HTTP?

I saw this code from a previous version of .NET. I think I just need something like this.

    ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
+65
c# ssl asp.net-core ssl-certificate
Jul 01 '16 at 6:57
7 answers

ServicePointManager.ServerCertificateValidationCallback is not supported in .Net Core.

The current plan is that there will be a new ServerCertificateCustomValidationCallback method in the upcoming 4.1 contract for System.Net.Http (HttpClient). The .NET Core team is finalizing the 4.1 contract. You can read about it here on GitHub.

You can try the preliminary version of System.Net.Http 4.1 using the sources directly here in CoreFx or from the MyGet feed: https://dotnet.myget.org/gallery/dotnet-core

Current definition of WinHttpHandler.ServerCertificateCustomValidationCallback on GitHub

+21
Jul 01 '16 at 7:52

You can override SSL certificate verification for an HTTP call using an anonymous callback function, for example:

    using (var httpClientHandler = new HttpClientHandler())
    {
        // Accepts every server certificate, whatever the validation errors are.
        httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true;
        using (var client = new HttpClient(httpClientHandler))
        {
            // Make your request...
        }
    }

Additionally, I recommend using a factory pattern for HttpClient, because it is a shared object that might not be disposed immediately, and therefore connections will stay open.

+93
Jun 14 '17 at 8:57
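The callback in the answers above returns true unconditionally, which turns off server authentication entirely (the point the downvoted answer at the bottom of this thread makes). The following is an added example, not code from the answer or from the .NET project: it keeps the same HttpClientHandler hook but accepts a certificate only when normal validation passes, or when the only problem is an untrusted chain and the presented certificate's thumbprint matches one you configured in advance. ExpectedThumbprint, PinnedHttpClientFactory and the logging lines are assumptions of this example.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: pin one known self-signed certificate instead of trusting everything.
public static class PinnedHttpClientFactory
{
    // Placeholder (assumption): the thumbprint of the self-signed certificate you
    // expect from the service. Load it from configuration rather than hard-coding it.
    private const string ExpectedThumbprint = "REPLACE_WITH_EXPECTED_THUMBPRINT";

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };
        return new HttpClient(handler);
    }

    // Accept when the platform validation succeeds, or when the ONLY error is an
    // untrusted chain AND the leaf certificate is the one we pinned.
    private static bool ValidateServerCertificate(
        HttpRequestMessage request,
        X509Certificate2 certificate,
        X509Chain chain,
        SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // A name mismatch or a missing certificate is never acceptable: that is
        // exactly what an interposed proxy or a spoofed host presents.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
        {
            Console.Error.WriteLine($"Rejected {request.RequestUri?.Host}: {errors}");
            return false;
        }

        var presented = certificate?.Thumbprint ?? string.Empty;
        var match = string.Equals(presented, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!match)
            Console.Error.WriteLine($"Rejected {request.RequestUri?.Host}: unexpected thumbprint {presented}");
        return match;
    }

    public static void Main()
    {
        using (var client = Create())
        {
            // Replace with the service you actually call; the request fails with an
            // HttpRequestException if the certificate is not the pinned one.
            var response = client.GetAsync("https://serviceUrl").GetAwaiter().GetResult();
            Console.WriteLine((int)response.StatusCode);
        }
    }
}
```

Because the pinned thumbprint identifies one certificate, the pin has to be rotated when the service renews its certificate; that is the price of not trusting an arbitrary chain. The same callback shape works with the named-client registrations shown in the later answers.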

Came here looking for the answer to the same problem, but I am using WCF for .NET Core. If you are in the same boat, use:

    // Disables both chain validation and revocation checking for the service certificate.
    client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication()
    {
        CertificateValidationMode = X509CertificateValidationMode.None,
        RevocationMode = X509RevocationMode.NoCheck
    };
+21
Jan 16 '17 at 20:07

I solved it with this:

Startup.cs

    public void ConfigureServices(IServiceCollection services)
    {
        // Named client whose handler accepts any server certificate.
        services.AddHttpClient("HttpClientWithSSLUntrusted")
            .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
            {
                ClientCertificateOptions = ClientCertificateOption.Manual,
                ServerCertificateCustomValidationCallback =
                    (httpRequestMessage, cert, certChain, policyErrors) => true
            });
    }

YourService.cs

    public class UserService
    {
        private readonly AppSettings _appSettings;
        private readonly IHttpClientFactory _clientFactory;

        public UserService(IHttpClientFactory clientFactory, IOptions<AppSettings> appSettings)
        {
            _appSettings = appSettings.Value;
            _clientFactory = clientFactory;
        }

        // Wrapper method added so the snippet compiles; the request details were elided in the answer.
        public async Task<HttpResponseMessage> SendAsync()
        {
            var request = new HttpRequestMessage(/* ... */);
            var client = _clientFactory.CreateClient("HttpClientWithSSLUntrusted");
            HttpResponseMessage response = await client.SendAsync(request);
            return response;
        }
    }
+11
Apr 03 '19 at 13:09

I ran into the same issue when working with self-signed certificates and client certificate authentication in .NET Core 2.2 and Docker Linux containers. Everything worked fine on my Windows computer, but in Docker I got this error:

System.Security.Authentication.AuthenticationException: remote certificate is not valid according to the verification procedure

Fortunately, the certificate was created with a chain. Of course, you can always ignore this solution and use the ones above.

So here is my solution:

  1. I saved the certificate using Chrome on my computer in P7B format.

  2. Convert the certificate to PEM format with this command:
    openssl pkcs7 -inform DER -outform PEM -in <cert>.p7b -print_certs > ca_bundle.crt

  3. Open ca_bundle.crt and delete all Subject entries, leaving a clean file. Example below:

    -----BEGIN CERTIFICATE-----
    _BASE64 DATA_
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    _BASE64 DATA_
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    _BASE64 DATA_
    -----END CERTIFICATE-----

  4. Put these lines in the Dockerfile (in the last steps):

    # Update system and install curl and ca-certificates
    RUN apt-get update && apt-get install -y curl && apt-get install -y ca-certificates
    # Copy your bundle file to the system trusted store
    COPY ./ca_bundle.crt /usr/local/share/ca-certificates/ca_bundle.crt
    # During docker build, after this line you will get output such as: 1 added, 0 removed; done.
    RUN update-ca-certificates

  5. In the application:

    var address = new EndpointAddress("https://serviceUrl");
    var binding = new BasicHttpsBinding
    {
        CloseTimeout = new TimeSpan(0, 1, 0),
        OpenTimeout = new TimeSpan(0, 1, 0),
        ReceiveTimeout = new TimeSpan(0, 1, 0),
        SendTimeout = new TimeSpan(0, 1, 0),
        MaxBufferPoolSize = 524288,
        MaxBufferSize = 65536,
        MaxReceivedMessageSize = 65536,
        TextEncoding = Encoding.UTF8,
        TransferMode = TransferMode.Buffered,
        UseDefaultWebProxy = true,
        AllowCookies = false,
        BypassProxyOnLocal = false,
        ReaderQuotas = XmlDictionaryReaderQuotas.Max,
        Security =
        {
            Mode = BasicHttpsSecurityMode.Transport,
            Transport = new HttpTransportSecurity
            {
                ClientCredentialType = HttpClientCredentialType.Certificate,
                ProxyCredentialType = HttpProxyCredentialType.None
            }
        }
    };
    var client = new MyWSClient(binding, address);
    client.ClientCredentials.ClientCertificate.Certificate = GetClientCertificate("clientCert.pfx", "passwordForClientCert");
    // Client certs must be installed
    // ChainTrust: the server certificate must chain to a root in the machine store (the bundle installed above).
    client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication
    {
        CertificateValidationMode = X509CertificateValidationMode.ChainTrust,
        TrustedStoreLocation = StoreLocation.LocalMachine,
        RevocationMode = X509RevocationMode.NoCheck
    };

GetClientCertificate Method:

    private static X509Certificate2 GetClientCertificate(string clientCertName, string password)
    {
        // Create X509Certificate2 object from .pfx file
        byte[] rawData = null;
        using (var f = new FileStream(Path.Combine(AppContext.BaseDirectory, clientCertName), FileMode.Open, FileAccess.Read))
        {
            var size = (int)f.Length;
            rawData = new byte[size];   // assign the outer variable; re-declaring it here would not compile
            f.Read(rawData, 0, size);
        }
        return new X509Certificate2(rawData, password);
    }
+2
Jan 03 '19 at 14:50
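Step 3 above is done by hand in the answer; doing it in code also lets you check the bundle before it is baked into the image. The following is an added example, not part of the answer or of any .NET library: it reads the file produced by "openssl pkcs7 ... -print_certs", keeps only the BEGIN/END CERTIFICATE blocks (dropping the subject/issuer lines), parses each block so a truncated or mis-pasted certificate fails here rather than silently at update-ca-certificates, lists thumbprint, subject and issuer so you can confirm the chain is the one you expect, and writes the clean bundle. The class name, the default file names ca_bundle_raw.crt and ca_bundle.crt, and the self-signed-root check are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example: turn the openssl -print_certs output into a bare PEM bundle and verify it.
public static class PemBundleCleaner
{
    private const string Begin = "-----BEGIN CERTIFICATE-----";
    private const string End = "-----END CERTIFICATE-----";

    // Returns the PEM blocks found in the input, in order, without surrounding text.
    public static List<string> ExtractBlocks(string pemText)
    {
        var blocks = new List<string>();
        var current = new List<string>();
        var inside = false;
        foreach (var raw in pemText.Split('\n'))
        {
            var line = raw.TrimEnd('\r');
            if (line == Begin) { inside = true; current.Clear(); }
            if (inside) current.Add(line);
            if (line == End)
            {
                inside = false;
                blocks.Add(string.Join("\n", current));
            }
        }
        return blocks;
    }

    // Parses each block; throws if any block is not a valid DER certificate.
    public static List<X509Certificate2> Parse(IEnumerable<string> blocks)
    {
        var certs = new List<X509Certificate2>();
        foreach (var block in blocks)
            certs.Add(new X509Certificate2(Convert.FromBase64String(StripArmor(block))));
        return certs;
    }

    private static string StripArmor(string block) =>
        block.Replace(Begin, "").Replace(End, "").Replace("\n", "").Replace("\r", "");

    public static void Main(string[] args)
    {
        // Default paths are assumptions; pass your own as arguments.
        var input = args.Length > 0 ? args[0] : "ca_bundle_raw.crt";
        var output = args.Length > 1 ? args[1] : "ca_bundle.crt";

        var blocks = ExtractBlocks(File.ReadAllText(input));
        var certs = Parse(blocks);   // fails loudly on a bad block

        foreach (var cert in certs)
            Console.WriteLine($"{cert.Thumbprint}  subject={cert.Subject}  issuer={cert.Issuer}  expires={cert.NotAfter:u}");

        // The bundle should end in a self-signed root; if none is present the chain is incomplete.
        if (!certs.Exists(c => c.Subject == c.Issuer))
            Console.Error.WriteLine("Warning: no self-signed root found in the bundle; check that the chain is complete.");

        File.WriteAllText(output, string.Join("\n", blocks) + "\n");
        Console.WriteLine($"Wrote {certs.Count} certificate(s) to {output}");
    }
}
```

Run it once locally against the openssl output, inspect the printed subjects and issuers, and copy only the resulting ca_bundle.crt into the Dockerfile step; that way the trust store in the container contains exactly the chain you reviewed.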

In .NET Core, you can add the following code snippet in the service configuration method. I added a check to make sure that we skip the SSL certificate only in the development environment.

    // hostingEnvironment is the IHostingEnvironment injected into Startup's constructor.
    services.AddHttpClient("HttpClientName", client =>
    {
        // code to configure headers etc..
    })
    .ConfigurePrimaryHttpMessageHandler(() =>
    {
        var handler = new HttpClientHandler();
        // Only skip server certificate validation in the Development environment.
        if (hostingEnvironment.IsDevelopment())
        {
            handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true;
        }
        return handler;
    });
-1
Mar 20 '19 at 20:46

Yes, open the application to any hacker. Great idea. It would take me about two minutes to create a fake certificate for any site (with the built-in macOS X functionality; most likely available in a similar form on Windows and Linux as well). Redirecting your site takes a hacker a little longer, but that is not a problem.

If the site has a broken or outdated certificate, you go to the site administrator, give him a good kick and tell him to fix his site. Under no circumstances should you even consider using HTTPS with a broken certificate.

-20
Jul 01 '16 at 7:59
