In a previous article I dealt with how to test an SSL-based WCF service; part of that solution was to create a self-issued certificate and make it valid by inserting the generated certificate into the Trusted Root Certification Authorities store.

That operation makes the CA trusted by the whole machine, which is not a good idea if you really care about the security of that machine. There are also situations where you want to temporarily disable the check of the certificate's validity, e.g. you need to revoke a certificate and issue another one with a new trusted certification authority, or you simply want your application to use a self-issued HTTPS certificate on your intranet without installing that CA in the Trusted Root Certification Authorities store of every computer. Whatever your need, sometimes you have to use WCF over HTTPS and completely ignore any certificate error (untrusted CA, revoked certificate, etc.).

A possible solution is to disable the certificate validity check for the specific application only, and it can be done in a really simple way. First of all, assign a handler to ServicePointManager.ServerCertificateValidationCallback:

// Registered once at startup; it applies to every HTTPS connection opened by this process, not only to WCF
ServicePointManager.ServerCertificateValidationCallback += 
  new RemoteCertificateValidationCallback(ValidateCertificate);

You can now simply declare that the certificate is always valid:

 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;

 // Accepts every server certificate, whatever sslPolicyErrors reports (untrusted CA, name mismatch, revoked, ...)
 public static bool ValidateCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
 {
       return true;
 }

This routine ignores every certificate error, but you can inspect the sslPolicyErrors parameter to understand the exact kind of validation error, if any, and decide case by case. With these few lines of code you are able to use WCF over an HTTPS binding with a certificate that is revoked or that comes from an untrusted CA.
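As an added example (not code from the original post), here is a narrower version of the callback that inspects sslPolicyErrors instead of returning true unconditionally: it tolerates only the "untrusted chain" error, and only for one specific self-issued certificate identified by its thumbprint, while name mismatches, missing certificates and any other certificate are still rejected. The thumbprint value and the class name are assumptions/placeholders; replace the thumbprint with the one shown in the certificate's details.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper; the thumbprint is a placeholder, not a value from the original post.
public static class IntranetCertificatePolicy
{
    // SHA-1 thumbprint of the self-issued intranet certificate we are willing to accept.
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // Call once at application startup. The callback is process-wide: it is consulted for
    // every HTTPS connection made through ServicePointManager, not only by WCF.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback += ValidateIntranetCertificate;
    }

    public static bool ValidateIntranetCertificate(object sender, X509Certificate cert,
                                                   X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Normal validation succeeded: nothing to override.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // sslPolicyErrors is a flags enum. Accept only the pure "chain not trusted" case;
        // a name mismatch or a missing certificate (possibly combined with chain errors) is rejected.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
        {
            Console.Error.WriteLine("Rejected server certificate: {0}", sslPolicyErrors);
            return false;
        }

        // Log why the chain failed (untrusted root, revoked, expired, ...) so the cause is visible.
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("Chain status: {0} ({1})", status.Status, status.StatusInformation);
        }

        // Pin the exact certificate: only the known self-issued intranet certificate passes.
        var cert2 = cert as X509Certificate2 ?? new X509Certificate2(cert);
        bool pinned = string.Equals(cert2.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Console.Error.WriteLine("Rejected untrusted certificate with thumbprint {0}", cert2.Thumbprint);
        return pinned;
    }
}
```

Compared with returning true, this keeps the benefit described above (the intranet certificate works without touching the Trusted Root store) while a revoked, expired or substituted certificate from any other issuer still fails validation, and the error logging tells you which SslPolicyErrors flag or chain status you are actually hitting.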

Gian Maria

One Response to “Avoid WCF to test validity of HTTPS certificates”
