What is the best way of handling non-validating SS

2019-05-04 15:17发布

I'm using the following code to make sure all certificates pass, even invalid ones, but I would like to know if there is a better way, as this event gets called globally and I only want the certificate to pass for a certain HTTP call and not for any others that are happening asynchronously.

// This delegate makes sure that non-validating SSL certificates are passed
ServicePointManager.ServerCertificateValidationCallback = delegate(object certsender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
   return true;
};

The code above is just an example of ignoring any non-validation on the certificate. The problem that I'm having is that it is a global event. I can't see which session the event is happening for. I might have a couple of http requests going through and I want to ask the user for an action for each request.

标签: c# http ssl
2条回答
一纸荒年 Trace。
2楼-- · 2019-05-04 15:19

Well, you could actually bother to check some of those parameters. ;) For instance, if you have a self signed certificate, then only let error == SslPolicyErrors.RemoteCertificateChainError through. You could also check the issuer, name, etc. on the certificate itself for additional security.

查看更多
疯言疯语
3楼-- · 2019-05-04 15:40

What about the certsender argument? Does it contain anything sensible so that you can tell what connection the callback is happening for? I checked the .NET API but it doesn't say what the argument is supposed to contain...

查看更多
登录 后发表回答