How to ignore invalid certificate name

  • Question

  • I use FtpWebRequest with EnableSsl = true, but I have a problem. The certificate name is invalid, and I receive the error "The remote certificate is invalid according to the validation procedure". How can I ignore the invalid name error on the certificate?
    Friday, September 1, 2006 6:50 AM

Answers

  • You can validate the remote certificate using the remote certificate validation callback on the ServicePointManager.
    See the sample below.

     

    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.Net;
    using System.IO;
    using System.Net.Security;
    using System.Security.Policy;
    using System.Security.Cryptography.X509Certificates;
    using System.Security.Cryptography;
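    /// <summary>
    /// Sample: fetch a page over HTTPS while a custom callback decides whether
    /// the server certificate is acceptable.
    /// </summary>
    class Program
    {
        /// <summary>
        /// Installs the validation callback, requests the test page and prints the
        /// response body (or any exception) to the console.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        static void Main(string[] args)
        {
            try
            {
                // ServerCertificateValidationCallback is a static property: once set it is
                // consulted for every SSL/TLS connection made through ServicePointManager in
                // this application domain, not only for the request created below.
                ServicePointManager.ServerCertificateValidationCallback =
                    new RemoteCertificateValidationCallback(MyCertValidationCb);

                HttpWebRequest req = (HttpWebRequest)WebRequest.Create(
                    "https://localhost/SecureNoClientCerts/test.htm");
                req.Proxy = null;

                // using blocks dispose reader, stream and response in reverse order,
                // including when ReadToEnd throws.
                using (HttpWebResponse res = (HttpWebResponse)req.GetResponse())
                using (Stream s = res.GetResponseStream())
                using (StreamReader sr = new StreamReader(s, Encoding.UTF8))
                {
                    Console.WriteLine(sr.ReadToEnd());
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }

        /// <summary>
        /// Decides whether a server certificate is accepted. A certificate with no
        /// policy errors is accepted. A certificate whose only error is a name
        /// mismatch is accepted when the request URL is in the Intranet or MyComputer
        /// zone. Everything else is rejected.
        /// </summary>
        /// <param name="sender">The object that triggered validation; expected to be the originating WebRequest.</param>
        /// <param name="certificate">The certificate presented by the server (not inspected here).</param>
        /// <param name="chain">The chain built for the certificate (not inspected here).</param>
        /// <param name="sslPolicyErrors">The errors found by the default validation.</param>
        /// <returns>true to accept the certificate, false to fail the connection.</returns>
        public static bool MyCertValidationCb(
            object sender,
            X509Certificate certificate,
            X509Chain chain,
            SslPolicyErrors sslPolicyErrors)
        {
            // The callback runs for every handshake, including ones where default
            // validation succeeded; those must be accepted or valid servers would fail.
            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return true;
            }

            // Tolerate a name mismatch only when it is the sole error. Chain errors or
            // a missing certificate, alone or combined with a mismatch, are rejected.
            if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateNameMismatch)
            {
                return false;
            }

            // Use the WebRequest base type so a non-HTTP request (the question is about
            // FtpWebRequest) does not throw InvalidCastException; any other sender is
            // rejected because there is no URL to classify.
            WebRequest request = sender as WebRequest;
            if (request == null)
            {
                return false;
            }

            // Accepting a mismatch removes the binding between the certificate and the
            // host name: any certificate that chains to a trusted root is then accepted
            // for URLs in these zones. Where possible, issue a certificate whose name
            // matches the host, or compare against the expected certificate instead.
            Zone z = Zone.CreateFromUrl(request.RequestUri.ToString());
            return z.SecurityZone == System.Security.SecurityZone.Intranet
                || z.SecurityZone == System.Security.SecurityZone.MyComputer;
        }
    }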

    Friday, September 1, 2006 2:36 PM
    Moderator

All replies

  • I use only FtpWebRequest with EnableSsl = true, but do not use SslStream.
    How can I ignore invalid certificate name when I use FtpWebRequest?
    Friday, September 1, 2006 12:32 PM
  • You can validate the remote certificate using the remote certificate validation callback on the ServicePointManager.
    See the sample below.

     

    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.Net;
    using System.IO;
    using System.Net.Security;
    using System.Security.Policy;
    using System.Security.Cryptography.X509Certificates;
    using System.Security.Cryptography;
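    /// <summary>
    /// Sample: fetch a page over HTTPS while a custom callback decides whether
    /// the server certificate is acceptable.
    /// </summary>
    class Program
    {
        /// <summary>
        /// Installs the validation callback, requests the test page and prints the
        /// response body (or any exception) to the console.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        static void Main(string[] args)
        {
            try
            {
                // ServerCertificateValidationCallback is a static property: once set it is
                // consulted for every SSL/TLS connection made through ServicePointManager in
                // this application domain, not only for the request created below.
                ServicePointManager.ServerCertificateValidationCallback =
                    new RemoteCertificateValidationCallback(MyCertValidationCb);

                HttpWebRequest req = (HttpWebRequest)WebRequest.Create(
                    "https://localhost/SecureNoClientCerts/test.htm");
                req.Proxy = null;

                // using blocks dispose reader, stream and response in reverse order,
                // including when ReadToEnd throws.
                using (HttpWebResponse res = (HttpWebResponse)req.GetResponse())
                using (Stream s = res.GetResponseStream())
                using (StreamReader sr = new StreamReader(s, Encoding.UTF8))
                {
                    Console.WriteLine(sr.ReadToEnd());
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }

        /// <summary>
        /// Decides whether a server certificate is accepted. A certificate with no
        /// policy errors is accepted. A certificate whose only error is a name
        /// mismatch is accepted when the request URL is in the Intranet or MyComputer
        /// zone. Everything else is rejected.
        /// </summary>
        /// <param name="sender">The object that triggered validation; expected to be the originating WebRequest.</param>
        /// <param name="certificate">The certificate presented by the server (not inspected here).</param>
        /// <param name="chain">The chain built for the certificate (not inspected here).</param>
        /// <param name="sslPolicyErrors">The errors found by the default validation.</param>
        /// <returns>true to accept the certificate, false to fail the connection.</returns>
        public static bool MyCertValidationCb(
            object sender,
            X509Certificate certificate,
            X509Chain chain,
            SslPolicyErrors sslPolicyErrors)
        {
            // The callback runs for every handshake, including ones where default
            // validation succeeded; those must be accepted or valid servers would fail.
            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return true;
            }

            // Tolerate a name mismatch only when it is the sole error. Chain errors or
            // a missing certificate, alone or combined with a mismatch, are rejected.
            if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateNameMismatch)
            {
                return false;
            }

            // Use the WebRequest base type so a non-HTTP request (the question is about
            // FtpWebRequest) does not throw InvalidCastException; any other sender is
            // rejected because there is no URL to classify.
            WebRequest request = sender as WebRequest;
            if (request == null)
            {
                return false;
            }

            // Accepting a mismatch removes the binding between the certificate and the
            // host name: any certificate that chains to a trusted root is then accepted
            // for URLs in these zones. Where possible, issue a certificate whose name
            // matches the host, or compare against the expected certificate instead.
            Zone z = Zone.CreateFromUrl(request.RequestUri.ToString());
            return z.SecurityZone == System.Security.SecurityZone.Intranet
                || z.SecurityZone == System.Security.SecurityZone.MyComputer;
        }
    }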

    Friday, September 1, 2006 2:36 PM
    Moderator
  • Durgaprasad Gorti,
    Thanks! You helped me!
    Monday, September 4, 2006 5:29 AM
  • Hi,

     

    The classes do not seem to exist in .NETCF2.0. Is this correct? Do you know the equivalent Compact Framework code?

     

    Many Thanks

     

    NozFx

    Friday, November 16, 2007 5:08 PM
  • Good stuff, thank you so much, used your code and it worked like a charm.
    Friday, November 30, 2007 2:56 AM
  • Durga, How would you do the same thing (the callback hookup) in VB.Net? Could you please help. Thanks
    Friday, September 18, 2009 5:28 PM
  • I was able to resolve this by putting this in Form_Load

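    ' The callback is a shared (static) property of ServicePointManager, so assigning
    ' it here affects every SSL/TLS request made in the application domain, not just
    ' requests issued from this form.
    ServicePointManager.ServerCertificateValidationCallback = AddressOf MyCertValidationCb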

    Friday, September 18, 2009 8:18 PM