A question came up today about how to deal with code calling a web service or web site that is protected by SSL but has an invalid certificate. The code itself will fail with a web exception telling you that "The remote certificate is invalid according to the validation procedure." If you browse to the site you will receive the standard prompt or warning about an issue with the certificate (e.g. it's expired, or from a non-trusted root authority). This is common practice with UAT environments, which have internally issued certificates applied where the certificate issuer isn't trusted.
The best option for the latter is to install the CA's certificate so that the certificate validates, but failing that you have a couple of code options to resolve this.
Under .NET 1/1.1 you can use the following code block to apply a custom validation routine to the certificate checking:
/// <summary>
/// Provides an implementation of ICertificatePolicy which always validates.
/// Used to allow HTTPS with untrusted certificates to work with web services.
/// </summary>
internal sealed class TestingCertificatePolicy : System.Net.ICertificatePolicy
{
    public TestingCertificatePolicy() { }

    /// Always return true - this allows for untrusted certs
    public bool CheckValidationResult(System.Net.ServicePoint s, System.Security.Cryptography.X509Certificates.X509Certificate c, System.Net.WebRequest r, int i)
    {
        return true;
    }
}
Then in your calling code call:
Under .NET 2.0 this has been dramatically simplified through the use of an anonymous delegate:
};
Hat tip to GangX for the .NET 2 snippet :)
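A narrower alternative to an always-true validation routine, as an added example that is not from the original post: under .NET 2.0 a callback assigned to ServicePointManager.ServerCertificateValidationCallback can accept a failing certificate only for one host and one pinned thumbprint. The class name is hypothetical, and the host name and thumbprint are placeholders to replace with your own UAT values.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

internal static class UatCertificateValidation
{
    // Placeholders (assumptions for this example): the UAT host and the
    // SHA-1 thumbprint of its internally issued certificate.
    private const string UatHost = "uat.example.internal";
    private const string UatThumbprint = "0000000000000000000000000000000000000000";

    // Call once at start-up, in test/UAT builds only.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(Validate);
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass normal validation are always accepted.
        if (errors == SslPolicyErrors.None)
            return true;

        // Assumes the sender is the HttpWebRequest, as it is for
        // HttpWebRequest-based calls; anything else fails closed.
        HttpWebRequest request = sender as HttpWebRequest;
        if (request == null || certificate == null)
            return false;

        // Only ever relax validation for the named UAT host.
        if (!string.Equals(request.Address.Host, UatHost,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        // Tolerate chain errors (untrusted issuer, expiry) only; a name
        // mismatch or a missing certificate is still rejected.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        // Accept only the one certificate we expect to see.
        return string.Equals(certificate.GetCertHashString(), UatThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Requests to any other host, and any certificate other than the pinned one, still go through normal validation and fail as before.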