Certificate verification in Dev for .Net

Gal Ilinetsky, published in CodeX, Nov 3, 2022

The primary function of a certificate is to authenticate the identity of its owner to others. A web server certificate is a TLS (still commonly called SSL) certificate issued to a web server so that it can prove its identity to the client.

In .NET, when we send a web request to a server, the server certificate is validated by the operating system's TLS stack rather than by managed code. On Windows that stack is Schannel, reached through the Security Support Provider Interface (SSPI), which provides a common, industry-standard interface for secure distributed applications; on Linux and macOS, .NET Core delegates to the platform library (OpenSSL on Linux). Validation checks that the chain ends in a trusted root, that the certificate is within its validity period (and not revoked, where revocation checking is enabled), and that the certificate name matches the host we asked for.

But sometimes, mainly in development and testing against servers with self-signed or otherwise untrusted certificates, we want to override this verification: skip it, and not fail the request on a certificate validation error.

There are two ways to do this:

ServicePointManager

This option applies to the .NET Framework. The callback is honored by the HttpWebRequest/WebClient stack; HttpClient in .NET Core does not consult it, so do not rely on it there.

Microsoft's own guidance for the class reads: "We don't recommend that you use the ServicePointManager class for new development. Instead, use the System.Net.Http.HttpClient class."

ServicePointManager is a static class used to create, maintain, and delete instances of the ServicePoint class.

Note that because ServicePointManager is static, the ServerCertificateValidationCallback is process-wide: it applies to every request the application makes through the stack that honors it, not only to the code that set it.
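As an added example (not code from the article), here is one way to set the callback on the .NET Framework without accepting every certificate: it keeps the OS verdict whenever validation passed, logs the failure reason, and accepts only a single known development certificate identified by its thumbprint. The thumbprint value and the DEBUG guard are assumptions made for this illustration.

```csharp
// Added example, not from the article: scoping a ServicePointManager override on the .NET Framework.
// The thumbprint below is a placeholder; replace it with the thumbprint of your own dev certificate.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class DevCertificatePolicy
{
    // Assumed SHA-1 thumbprint of the self-signed certificate installed on the development server.
    const string DevCertThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    public static void Install()
    {
#if DEBUG
        // Process-wide: every HttpWebRequest/WebClient call in this process now runs through the callback.
        // Compiled out of Release builds so the override cannot ship by accident.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
#endif
    }

    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // The OS already accepted this certificate; keep that result untouched.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Record why the OS rejected it. SslPolicyErrors is a [Flags] enum, so several bits may be set.
        Console.Error.WriteLine($"Certificate validation failed: {sslPolicyErrors}");

        if (certificate == null)
            return false; // RemoteCertificateNotAvailable: nothing to compare against

        // Accept exactly one known development certificate instead of returning true for everything.
        string thumbprint = new X509Certificate2(certificate).Thumbprint;
        bool isDevCert = string.Equals(thumbprint, DevCertThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!isDevCert)
            Console.Error.WriteLine($"  rejected unknown certificate {thumbprint} ({certificate.Subject})");
        return isDevCert;
    }
}
```

Call DevCertificatePolicy.Install() once at startup. Pinning the thumbprint means a rogue certificate on the path is still rejected even though the trust-chain check was bypassed, which is a much smaller hole than a callback that simply returns true.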

HttpClientHandler

This option applies only to the specific HttpClient into which we inject the handler, not to every web request in the application. But first, let us look at the architecture of an HttpClient request flow.

When an HttpClient sends an HTTP request, it is processed through message handlers. A message handler is a class that receives an HTTP request and returns an HTTP response. Typically, a series of message handlers are chained together: the first handler receives the request, does some processing, and hands it to the next handler. At some point the innermost handler produces the response, which travels back up the chain. A handler that wraps another handler in this way is a DelegatingHandler.

HttpClient uses a message handler to process requests. The default is HttpClientHandler, which sends the request over the network and returns the server's response.

HttpClient has three public constructors; the two relevant here are:

public HttpClient();
public HttpClient(HttpMessageHandler handler);

The first creates a default HttpClientHandler (which derives from HttpMessageHandler); the second lets us inject our own handler, for example an HttpClientHandler we have configured.

On HttpClientHandler we set ServerCertificateCustomValidationCallback, a delegate that receives the request, the server certificate, the chain that was built for it and the SslPolicyErrors the OS produced, and returns true to accept the certificate or false to reject it. Returning true unconditionally disables validation.

This affects only requests made through HttpClient instances built on this handler; clients created without it keep normal validation.

Other use

Each of the two options can be used not to ignore verification but to learn why it failed: inspect the SslPolicyErrors parameter and log it, or break on it in the debugger. SslPolicyErrors is a flags enumeration, so more than one reason can be reported at once, and for chain problems the X509Chain parameter's ChainStatus gives the detail (untrusted root, expired certificate, revocation failure, and so on). After logging, return true only when the errors value is None; that preserves the OS verdict while still surfacing the cause.
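The following is an added example, not code from the article, that ties together the handler pipeline described above, the HttpClientHandler callback, and the inspection of SslPolicyErrors: a small DelegatingHandler sits in front of an HttpClientHandler whose callback decodes each error flag, dumps the chain status, and then tolerates only the single failure a self-signed development certificate produces, and only for one host. The host name "dev-api.internal.example" and the "/health" path are placeholders chosen for this illustration.

```csharp
// Added example, not from the article: a per-client override for HttpClient on .NET Core / .NET 5+.
// "dev-api.internal.example" is a placeholder host for this illustration.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

static class DevHttpClientFactory
{
    const string DevHost = "dev-api.internal.example";

    public static HttpClient Create(bool allowUntrustedDevCert)
    {
        // Innermost handler: the one that talks to the network and where the certificate callback lives.
        var handler = new HttpClientHandler();
        if (allowUntrustedDevCert)
            handler.ServerCertificateCustomValidationCallback = LogAndDecide;

        // Outer delegating handler: sees the request on the way down and the response on the way back up.
        var pipeline = new RequestLoggingHandler(handler);

        // Only clients built from this pipeline see the override; every other HttpClient keeps OS validation.
        return new HttpClient(pipeline) { BaseAddress = new Uri("https://" + DevHost) };
    }

    static bool LogAndDecide(HttpRequestMessage request, X509Certificate2 certificate,
                             X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true; // OS validation passed; keep its verdict

        // SslPolicyErrors is a [Flags] enum: inspect each bit rather than assuming a single cause.
        Console.Error.WriteLine($"TLS validation failed for {request.RequestUri.Host}: {errors}");
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
            Console.Error.WriteLine("  server presented no certificate");
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch) && certificate != null)
            Console.Error.WriteLine($"  name mismatch: subject={certificate.Subject}");
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) && chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine($"  chain: {status.Status} {status.StatusInformation.Trim()}");

        // Tolerate exactly the failure a self-signed dev certificate produces, and only for the dev host.
        // A name mismatch or a missing certificate is still rejected.
        return string.Equals(request.RequestUri.Host, DevHost, StringComparison.OrdinalIgnoreCase)
            && errors == SslPolicyErrors.RemoteCertificateChainErrors;
    }
}

// Minimal delegating handler showing where a chained handler sits relative to HttpClientHandler.
sealed class RequestLoggingHandler : DelegatingHandler
{
    public RequestLoggingHandler(HttpMessageHandler inner) : base(inner) { }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
                                                                 CancellationToken ct)
    {
        Console.Error.WriteLine($"-> {request.Method} {request.RequestUri}");
        HttpResponseMessage response = await base.SendAsync(request, ct);
        Console.Error.WriteLine($"<- {(int)response.StatusCode} {response.ReasonPhrase}");
        return response;
    }
}

static class Program
{
    static async Task Main()
    {
        using HttpClient client = DevHttpClientFactory.Create(allowUntrustedDevCert: true);
        try
        {
            using HttpResponseMessage response = await client.GetAsync("/health");
            Console.WriteLine($"status: {(int)response.StatusCode}");
        }
        catch (HttpRequestException ex)
        {
            // Reached when the callback returned false (or the host is simply unreachable).
            Console.WriteLine($"request failed: {ex.Message}");
        }
    }
}
```

If you genuinely want the "return true" behaviour, .NET Core ships it ready-made as HttpClientHandler.DangerousAcceptAnyServerCertificateValidator; the name is a deliberate warning. The host-and-flag check above still accepts any self-signed certificate that names the development host, so on a shared network a thumbprint pin of the one expected certificate is the stricter choice.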

To repeat the warning: interfering with certificate verification is not acceptable in production. A callback that returns true accepts any certificate, including one presented by a man-in-the-middle, so confine the override to the development stage and guard it with a build-time or configuration switch so it cannot ship.
