Does HttpWebRequest automatically perform certificate verification?

I am using an HttpWebRequest object to access a web service through an HTTP POST. Part of the requirement is that I:

  • Make sure the URL of the certificate matches the URL that I am sending to
  • Verify that the certificate is valid and trusted.
  • Verify that the certificate has not expired.

Can HttpWebRequest automatically handle this for me? I would suggest that if any of these conditions occurred, I would get the standard exception "failed to establish trust for the SSL / TLS exception."

+4
2 answers

Yes. You must use this code if you want to disable this feature.

+2

Not really. You still need to check if sslpolicyerror is returned using the callback function. Make sure you test your implementation using the URL https://rootkit.com/, which uses a self-configuring certificate.

    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    // "log" and "apiCertHash" (the expected certificate hash, a byte[])
    // are fields of the enclosing class and are not shown here.

    void InitPhase()
    {
        // Override automatic validation of SSL server certificates.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertficate;
    }

    private static bool ValidateServerCertficate(
        object sender,
        X509Certificate cert,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            // Good certificate.
            return true;
        }

        log.DebugFormat("SSL certificate error: {0}", sslPolicyErrors);

        bool certMatch = false; // Assume failure
        byte[] certHash = cert.GetCertHash();
        if (certHash.Length == apiCertHash.Length)
        {
            certMatch = true; // Now assume success.
            for (int idx = 0; idx < certHash.Length; idx++)
            {
                if (certHash[idx] != apiCertHash[idx])
                {
                    certMatch = false; // No match
                    break;
                }
            }
        }

        // Return true => allow unauthenticated server,
        // false => disallow unauthenticated server.
        return certMatch;
    }
0
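Added example, not part of either answer: a fail-closed callback that maps the three requirements in the question (name match, trusted chain, not expired) onto the `SslPolicyErrors` flags and the chain status, and reports which one failed. It assumes .NET Framework 4.5 or later for the per-request `ServerCertificateValidationCallback` property; the class name `StrictTls` and the URL `https://service.example/api` are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class StrictTls
{
    // Reports why validation failed, then rejects. Never returns true on an error.
    static bool Validate(object sender, X509Certificate cert,
                         X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true; // name matched, chain trusted, dates valid

        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
            Console.Error.WriteLine("Server presented no certificate.");
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
            Console.Error.WriteLine("Certificate name does not match the request host.");
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) && chain != null)
        {
            foreach (X509ChainStatus s in chain.ChainStatus)
            {
                // NotTimeValid = expired or not yet valid; UntrustedRoot = unknown issuer.
                Console.Error.WriteLine("Chain error: {0} ({1})",
                                        s.Status, s.StatusInformation.Trim());
            }
        }
        return false;
    }

    static void Main()
    {
        // Hypothetical endpoint; replace with the real service URL.
        var req = (HttpWebRequest)WebRequest.Create("https://service.example/api");
        req.Method = "POST";
        req.ContentLength = 0;
        // Per-request callback: other requests in the process are unaffected.
        req.ServerCertificateValidationCallback = Validate;
        try
        {
            using (var resp = (HttpWebResponse)req.GetResponse())
                Console.WriteLine((int)resp.StatusCode);
        }
        catch (WebException ex)
        {
            // TrustFailure is the status raised when the certificate is rejected.
            Console.Error.WriteLine("{0}: {1}", ex.Status, ex.Message);
        }
    }
}
```

Setting `ServicePointManager.ServerCertificateValidationCallback` instead, as in the answer above, applies the callback to every request in the application domain.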

Source: https://habr.com/ru/post/1308814/

