HttpClient and self-signed certificates

  • Question

  • (working with WP8 and latest tools)

    I have the need to connect with HttpClient to sites that have self-signed certificates. As I understand, there is no way to bypass the trusted requirement(?).

    1. Is there a way to know if the failure was due to a non-trusted cert (it looks like a normal 404)?

    2. Is there a way of automating the process of acquiring the certificate and installing it on the phone (user prompt OK)?

    Thanks in advance,

      Nik

    Wednesday, April 2, 2014 8:42 AM

Answers

  • I don't know of any reliable way, in code, to determine if the 404 was due to certificate trust error. 

    If the certificate file is available as a file resource on a web server then you can use WebBrowserTask to direct the built-in browser to navigate to that resource and it will prompt the user, asking if they want to install the certificate, ex:

    // Microsoft.Phone.Tasks; on Windows Phone 7.1 and later the Uri property replaces the obsolete URL string property
    WebBrowserTask wbt = new WebBrowserTask() { Uri = new Uri("http://some.server.com/selfsigned.cer") };
    wbt.Show();

    However, installing a self-signed certificate is a potential security risk and not recommended.  Once installed, there is no way for the user to remove a certificate short of factory reset.  Self-signed certificates are usually ok for testing during development but provide a false sense of security if used in production.

    FYI: In Windows Phone 8 a certificate trust error could also be due to CRL validation errors, which would generate the same 404 error but would not be solved by installing the root certificate.


    -Eric.

    Wednesday, April 2, 2014 4:10 PM

All replies

  • So there is no way of extracting the certificate from the HttpClient or response (it happens at network transport layer level)?
    Thursday, April 3, 2014 6:48 AM
  • Correct.  The SSL negotiation is handled internally and does not bubble up any event or expose any properties which would allow an application access to the certificate being evaluated.


    -Eric.

    Thursday, April 3, 2014 1:10 PM
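Added example, not code from this thread or from Microsoft: the two questions above (telling a certificate trust failure apart from an HTTP 404, and dealing with a self-signed development certificate without installing it as a root) are straightforward on a stack whose HttpClient exposes server certificate validation. Eric's replies say the Windows Phone 8 stack does not, so this assumes a .NET Core 3.0+ / .NET 5+ project using HttpClientHandler.ServerCertificateCustomValidationCallback. The class name, method names and the ExpectedSha256Thumbprint constant are my own; the thumbprint value is a placeholder to be replaced with the real certificate's SHA-256 hash obtained out of band from whoever runs the server. Pinning exactly one certificate for the duration of a dev build is narrower than installing a root the user can never remove.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Hypothetical helper for talking to a development server with a self-signed certificate.
static class PinnedDevServer
{
    // Placeholder: replace with the SHA-256 thumbprint of the real dev certificate,
    // obtained from the server operator, not read off the untrusted connection itself.
    const string ExpectedSha256Thumbprint = "PLACEHOLDER_SHA256_THUMBPRINT";

    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            // Normal case: the OS built a trusted chain, nothing to override.
            if (errors == SslPolicyErrors.None)
                return true;

            // Anything beyond a pure chain-trust problem (host name mismatch, no certificate
            // presented) is rejected, so a self-signed cert for the wrong host never passes.
            if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
            {
                Console.Error.WriteLine($"TLS rejected: {errors}");
                return false;
            }

            // Chain error only: accept exactly the one pinned certificate and nothing else.
            string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
            bool match = string.Equals(actual, ExpectedSha256Thumbprint, StringComparison.OrdinalIgnoreCase);
            if (!match)
                Console.Error.WriteLine($"TLS rejected: untrusted chain and thumbprint {actual} is not pinned");
            return match;
        };
        return new HttpClient(handler);
    }

    // Answers question 1 for this stack: a trust failure never produces an HTTP status,
    // it surfaces as an HttpRequestException wrapping an AuthenticationException,
    // whereas a genuine 404 comes back as a response with that status code.
    public static async Task<string> Describe(HttpClient client, string url)
    {
        try
        {
            using var response = await client.GetAsync(url);
            return $"HTTP {(int)response.StatusCode}";
        }
        catch (HttpRequestException ex) when (ex.InnerException is AuthenticationException auth)
        {
            return "TLS handshake failed before any HTTP exchange: " + auth.Message;
        }
    }

    public static async Task Main()
    {
        using var client = CreateClient();
        // Constructed URL; the host name is an example, not a real server.
        Console.WriteLine(await Describe(client, "https://dev.example.invalid/api/health"));
    }
}
```

The callback runs once per TLS handshake, so the rejection reason is logged where it happens rather than inferred from a status code later. Keeping the pin in a build-time constant for development configurations only, and removing the callback entirely for release builds, avoids carrying the override into production, which is the false sense of security Eric warns about.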