Can I tell Windows 8 apps to ignore security certificate errors?

    Question

  • I am using a QA service for a client with a self signed certificate, and I am getting the following error from WinJS.xhr:

    SCRIPT7002: XMLHttpRequest: Network Error 0x800c0019, Security certificate required to access this resource is invalid.

    If I use Fiddler, I can tell it to ignore the chain error, but if I run without Fiddler, Windows 8 just gives up on it.

    Can I tell Windows 8 UI apps to ignore chain errors?

    S


    Check out my new C# 2010 All In One for Dummies book at Amazon!

    Monday, August 13, 2012 7:06 PM

All replies

  • You cannot.  What is your scenario and why do you require this?

    -Jeff


    Jeff Sanders (MSFT)

    Monday, August 13, 2012 7:19 PM
    Moderator
  • I have a client that has a self signed service. I can get around it by just trusting the signer, but I was looking for a lazy man's way out.

    Tuesday, August 14, 2012 3:16 PM
  • You CAN install the cert for your client app if you include it in the manifest.

    See several of the posts I have on this: http://social.msdn.microsoft.com/Forums/en-ZA/winappswithcsharp/thread/4a776e8c-0e10-4f03-908f-7f765d914080

    -Jeff


    Jeff Sanders (MSFT)

    • Marked as answer by Bill Sempf (MVP), Wednesday, August 15, 2012 11:40 AM
    Tuesday, August 14, 2012 3:23 PM
    Moderator
  • Ooh, I did not know that you could do that.

    Here have more karma!

    S


    Wednesday, August 15, 2012 11:40 AM
  • I read the following entries in the forum, and a lot more, saying there is no way to ignore
    certification errors on the client side:

    http://social.msdn.microsoft.com/Forums/en-US/winappswithcsharp/thread/4a776e8c-0e10-4f03-908f-7f765d914080
    http://social.msdn.microsoft.com/Forums/en-US/winappswithcsharp/thread/a21c64fc-21c3-4f4c-a47f-f929d6ab5661

    You asked for a scenario here. Here is a concrete scenario where we need to ignore certification errors.

    Our plan is an app for different customers' home routers, which must be accessed over https.
    The customer-specific address for the home router is a dynamic domain name system
    (DDNS) address which is configured by the customers. The router generates an individual certificate for every
    customer's router. So we can't add a certificate to our project. Is there a way to do this?

    Thanks for your help.
    Sunday, November 11, 2012 10:52 AM
  • No, given your requirements ("The router generates an individual certificate for every
    customers router. So we can't add a certificate to our Project") you cannot do anything that would allow you to bypass the errors and successfully connect.  Thanks for the scenario as well.

    -Jeff


    Jeff Sanders (MSFT)

    Monday, November 12, 2012 1:14 PM
    Moderator
  • Many enterprise customers care a lot less about man-in-the-middle attacks than they do about the cost of deploying certificates to their SSL-enabled appliances. For them self-signed is fine. Please consider putting in the callback so that apps can let the end user decide.
    Wednesday, June 05, 2013 9:29 PM
  • No, given your requirements ("The router generates an individual certificate for every
    customers router. So we can't add a certificate to our Project") you cannot do anything that would allow you to bypass the errors and successfully connect.  Thanks for the scenario as well.

    -Jeff


    Jeff Sanders (MSFT)

    Hi Jeff,

    I have another scenario as well: TiVo. Each TiVo device has a self-generated cert that's unique to the device. As of now, there's no possible way to make a Win8/8.1 TiVo app as it's impossible to connect to the device.

    Thursday, September 19, 2013 4:24 PM
  • You can do this now using Windows.Web.HttpClient

    http://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.httpclient.aspx


    Jeff Sanders (MSFT)

    @jsandersrocks - Windows Store Developer Solutions @WSDevSol
    Getting Started With Windows Azure Mobile Services development? Click here
    Getting Started With Windows Phone or Store app development? Click here
    My Team Blog: Windows Store & Phone Developer Solutions
    My Blog: Http Client Protocol Issues (and other fun stuff I support)


    Thursday, September 19, 2013 5:15 PM
    Moderator
  • Here is a simple example of ignoring some cert errors:

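    using System;
    using Windows.Security.Cryptography.Certificates;
    using Windows.UI.Xaml.Controls;
    using Windows.Web.Http;
    using Windows.Web.Http.Filters;

    public sealed partial class MainPage : Page
    {
        // Client shared by the constructor and testCert().
        private HttpClient aclient;

        public MainPage()
        {
            this.InitializeComponent();
            var bpf = new HttpBaseProtocolFilter();

            // Chain validation errors the filter will ignore for every request.
            bpf.IgnorableServerCertificateErrors.Add(ChainValidationResult.Expired);
            bpf.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
            bpf.IgnorableServerCertificateErrors.Add(ChainValidationResult.InvalidName);

            aclient = new HttpClient(bpf);

            testCert();
        }

        private async void testCert()
        {
            HttpRequestMessage aReq = new HttpRequestMessage(HttpMethod.Get, new Uri("https://jsanders4"));
            try
            {
                HttpResponseMessage aResp = await aclient.SendRequestAsync(aReq);
                // Certificate errors seen on this request, including the ignored ones.
                var errors = aReq.TransportInformation.ServerCertificateErrors;
            }
            catch (Exception ex)
            {
                // Errors that are not in the ignorable list still fail the request.
                System.Diagnostics.Debug.WriteLine(ex.Message);
            }
        }
    }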

    PS. In general this is very dangerous.

    You and your team should read https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html -- it’s an absolutely frightening paper on why changing SSL policies results in completely broken, non-existing security, and why developers and testers keep on missing gross security errors.

    To make this a little better you could inspect the errors for the cert and make a more logical decision and then retry.


    Jeff Sanders (MSFT)


    Thursday, September 19, 2013 8:02 PM
    Moderator
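
One way to do the "inspect the errors for the cert and then retry" step described in the reply above, as an added example that is not part of the original post or Microsoft's code. It assumes the app stored the device certificate's SHA-256 hash when the user first set the device up; `PinnedCertClient`, `GetAsync` and `pinnedSha256Hex` are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;
using Windows.Web.Http.Filters;
public static class PinnedCertClient   // hypothetical helper, not from the thread
{
    // Only these errors may ever be ignored; anything else (e.g. Revoked) stays fatal.
    static readonly ChainValidationResult[] Tolerated =
        { ChainValidationResult.Untrusted, ChainValidationResult.InvalidName };
    static readonly HttpClient Strict = new HttpClient();
    static bool MatchesPin(Certificate cert, string pinnedSha256Hex)
    {
        if (cert == null) return false;
        string hex = BitConverter.ToString(cert.GetHashValue("SHA256")).Replace("-", "");
        return string.Equals(hex, pinnedSha256Hex, StringComparison.OrdinalIgnoreCase);
    }

    public static async Task<HttpResponseMessage> GetAsync(Uri uri, string pinnedSha256Hex)
    {
        var first = new HttpRequestMessage(HttpMethod.Get, uri);
        var filter = new HttpBaseProtocolFilter();
        try
        {
            // Normal validation first: a properly issued certificate needs no exception.
            return await Strict.SendRequestAsync(first);
        }
        catch (Exception)
        {
            var info = first.TransportInformation;
            // Rethrow unless this was a certificate failure, every reported error is
            // tolerated, and the certificate is the one recorded for this device.
            if (info == null || info.ServerCertificateErrors.Count == 0 ||
                info.ServerCertificateErrors.Any(e => !Tolerated.Contains(e)) ||
                !MatchesPin(info.ServerCertificate, pinnedSha256Hex))
                throw;
            foreach (var e in info.ServerCertificateErrors)
                filter.IgnorableServerCertificateErrors.Add(e);
        }
        // Retry on a filter that ignores only the errors actually observed.
        var retry = new HttpRequestMessage(HttpMethod.Get, uri);
        var response = await new HttpClient(filter).SendRequestAsync(retry);
        // The retry is a new connection, so check the pin again before using the reply.
        if (!MatchesPin(retry.TransportInformation.ServerCertificate, pinnedSha256Hex))
            throw new InvalidOperationException("Server certificate changed between attempts.");
        return response;
    }
}
```

The second pin check runs after the retry request has already been sent, so keep credentials out of that first exchange and send them only once the check has passed.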
  • Hi Jeff,

    can you possibly tell me how to use this code with an .asmx SOAP webservice?

    Currently I am calling the SOAP methods with a ServiceSoapClient, and it works perfectly if the certificate is installed.
    However, if it isn't, I get the "Could not establish trust relationship for the SSL/TLS secure channel" Exception.

    In the Desktop Application we used  

    System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate { return true; };

    I realize your code is the WinRT-version of this Callback - but how do I use it with the ServiceSoapClient?

    Wednesday, July 09, 2014 9:55 AM
  • Hi Katho,

    If I remember correctly you can alter the service and use HttpClient to make the call.  The specifics are eluding me currently but if you dig into the generated code for the service you should be able to spot where the change needs to be (and share with everyone here)!


    Jeff Sanders (MSFT)


    Thursday, July 10, 2014 2:55 PM
    Moderator
  • Thanks for your answer Jeff,

    unfortunately I cannot change the service (because of different reasons)

    Is there any other way I can circumvent this exception?

    Wednesday, July 16, 2014 6:43 AM
  • How did you try and modify the SOAP client code?

    Jeff Sanders (MSFT)


    Wednesday, July 16, 2014 11:47 AM
    Moderator