Tuesday, 14 June 2016

Bypassing SSL in WebRequests

Using C#, there are two prevalent ways of making HTTP requests:
- using HttpWebRequest
- using HttpClient

When you have a cancellation token that you want to use, only the later provides the facility for that. So, there are scenarios for each method to be adopted is what I am getting at.

While accessing HTTPS sites whose SSL certificates are not trusted, we manually allow access in case of the browser. The same can b achieved via code using the following methods.

1. Setting ServerCertificateValidationCallback for the request.
This method only for the first method of making HTTP requests.

// provide a custom callback
request.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(SSLValidationDelegate);

// define the callback to allow always
private static bool SSLValidationDelegate(Object o, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors errors){
    return true;

2. Setting ServerCertificateValidationCallback for the ServicePointManager class.
This method essentially does the same but instead of doing it at the request level it does that for all.

ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
HttpClient client = new HttpClient();
CancellationTokenSource cts = new CancellationTokenSource();
string url = "https://localhost/some/path";
HttpResponseMessage response = client.GetAsync(url, cts.Token).Result;

So when a cancellation needs to be used,we have to take the second route.

No comments: