locked
SSL certificate validation with Microsoft.Owin self-hosted Web API RRS feed

  • Question

  • User118181566 posted

    I want to warn users about TLS connections with insecure certificates to a Microsoft.Owin self-hosted app similar to this (paraphrasing).

    public class Startup
    {
        public void Configuration(IAppBuilder appBuilder)
        {
            HttpConfiguration config = new HttpConfiguration();
            config.Routes.MapHttpRoute(
                    name: "API",
                    routeTemplate: "{controller}/{action}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
    
            appBuilder.UseWebApi(config);
        }
    }

    The ServerCertificateValidationCallback is never used in this situation, so this doesn't work:

    ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateCertificate);

    How is certificate validation done for connections to a Microsoft.Owin application?

    Monday, June 22, 2020 11:18 PM

Answers

  • User-474980206 posted

    The ServerCertificateValidationCallback is used when the application makes a http say via HttpClient. What is the use case you are trying to code for.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 23, 2020 12:54 AM

All replies

  • User-474980206 posted

    The ServerCertificateValidationCallback is used when the application makes a http say via HttpClient. What is the use case you are trying to code for.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 23, 2020 12:54 AM
  • User118181566 posted

    Right.  I was thinking in terms of validating the client certificate but a quick check of the SSL handshake shows it only uses the server certificate.  There is no client certificate.

    Tuesday, June 23, 2020 11:46 AM