What is the best way to handle invalid SSL certificates in C #

Question

What is the best way to handle invalid SSL certificates in C #

I use the following code to make sure all certificates have passed, even invalid ones, but I would like to know if there is a better way, since this event is called globally, and I want the certificate to pass only for a specific HTTP call and not for others that occur asynchronously.

// This delegate makes sure that non-validating SSL certificates are passed ServicePointManager.ServerCertificateValidationCallback = delegate(object certsender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error) { return true; };

The above code is just an example of ignoring any non-audit certificate. The problem I am having is that this is a global event. I don’t see at what session the event is taking place. I can have several HTTP requests, and I want to ask the user the action for each request .

+4

http c # ssl

Mladen mihajlovic 24 sept '08 at 20:06

source share

2 answers

Well, you could really check out some of these options .;) For example, if you have a signed certificate, then let the error == SslPolicyErrors.RemoteCertificateChainError through. You can also check the issuer, name, etc. In the certificate itself for added security.

+1

Mark brackett 24 sept '08 at 20:59

source share

Alexander · Accepted Answer · 2008-09-25T14:23:14+0000

What about the certsender argument? Does it have anything reasonable so you can find out what the callback is for? I checked the .NET API, but it does not say it should contain an argument ...

What is the best way to handle invalid SSL certificates in C #

More articles: