HttpWebRequest and Ignoring SSL Certificate Errors

April 12, 2007 @ 5:14 am- from Maui, Hawaii

Man I can't believe this. I'm still mucking around with OFX servers and it drives me absolutely crazy how some these servers are just so unbelievably misconfigured. I've recently hit three different 3 major brokerages which fail HTTP validation with bad or corrupt certificates at least according to the .NET WebRequest class. What's somewhat odd here though is that WinInet seems to find no issue with these servers - it's only .NET's Http client that's ultra finicky.

So the question then becomes how do you tell HttpWebRequest to ignore certificate errors? In WinInet there used to be a host of flags to do this, but it's not quite so easy with WebRequest.

Basically you need to configure the CertificatePolicy on the ServicePointManager by creating a custom policy. Not exactly trivial. Here's the code to hook it up:

public bool CreateWebRequestObject(string Url)

try

        this.WebRequest =  (HttpWebRequest) System.Net.WebRequest.Create(Url);

        if (this.IgnoreCertificateErrors)

            ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy();

    catch (Exception ex)

        this.ErrorMessage = ex.Message;

        return false;

    return true;

and here's the code for the CertificatePolicy that basically ignores any errors in the policy:

/// <summary>

    /// Internal object used to allow setting WebRequest.CertificatePolicy to

    /// not fail on Cert errors

    /// </summary>

    internal class AcceptAllCertificatePolicy : ICertificatePolicy

        public AcceptAllCertificatePolicy()

        public bool CheckValidationResult(ServicePoint sPoint,

           X509Certificate cert, WebRequest wRequest, int certProb)

            // *** Always accept

            return true;

One thing to watch out for is that this an application global setting. There's one ServicePointManager and once you set this value any subsequent requests will inherit this policy as well, which may or may not be what you want. So it's probably a good idea to set the policy when the app starts and leave it be - otherwise you may run into odd behavior in some situations especially in multi-thread situations.

Anyway, this got me past the issue. But it still amazes me that theses OFX servers even require this. After all this is financial data we're talking about here. The last thing I want to do is disable extra checks on the certificates. Well I guess I shouldn't be surprised - these are the same companies that apparently don't believe in XML enough to generate valid XML (or even valid SGML for that matter)...

Posted in .NET CSharp HTTP

Feedback for this Weblog Entry

re: HttpWebRequest and Ignoring SSL Certificate Errors
by matt April 12, 2007 @ 7:59 am

You can go another route

System.Net.ServicePointManager.ServerCertificateValidationCallback +=
    delegate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate,
                            System.Security.Cryptography.X509Certificates.X509Chain chain,
                            System.Net.Security.SslPolicyErrors sslPolicyErrors)
        {
            return true; // **** Always accept
        };

http://mhinze.com/consuming-web-services-crafting-webrequests-using-ssl-where-the-cert-is-expired-or-otherwise-hosed/

re: HttpWebRequest and Ignoring SSL Certificate Errors
by Rick Strahl April 12, 2007 @ 1:47 pm

Thanks Matt - I changed that last night actually seeing that the code I posted is flagged as deprecated <s>. Still has the same issue though in that it's globally tied to the ServicePointManager and so will affect all HTTP sessions.

re: HttpWebRequest and Ignoring SSL Certificate Errors
by Aaron April 12, 2007 @ 3:30 pm

I think you could check the Sender parameter, If its your webservice class invoke always true. If its not invoke the other policy delegate.

DotNetSlackers: HttpWebRequest and Ignoring SSL Certificate Errors
by DotNetSlackers Latest ASP.NET News April 18, 2007 @ 5:10 am

re: HttpWebRequest and Ignoring SSL Certificate Errors
by Bob Wohler April 24, 2007 @ 11:21 am

Is there a way to configure this using web.config?

Rick Strahl's Web Log
by Rick Strahl's Web Log June 23, 2007 @ 5:51 pm

re: HttpWebRequest and Ignoring SSL Certificate Errors
by Richard Norris November 16, 2007 @ 9:04 am

This is great, although I agree rather awkward compared to native WinInet API's. The classes to implement do not seem to exist in .NETCF2.0. Does anyone know the eqivilent code in .NETCF?

Many Thanks

re: HttpWebRequest and Ignoring SSL Certificate Errors
by Seth January 26, 2008 @ 3:43 pm

This is great for always ignoring the cert errors but what if I want to trap or log specific errors? What if I want to ignore an expired cert but do NOT want to ignore a cert where the cert is malformed (fer instance)?

re: HttpWebRequest and Ignoring SSL Certificate Errors
by Rick Strahl January 27, 2008 @ 12:32 am

That's what the actual method is for. You can look at the messages and log if you find a cert error.