WebRequest and SSL (The underlying connection was closed. Could not establish trust relationship with remote server.)

55 Comments

• Yeah works like a charm allright but not secure as hell :)
  

• Of course not. Like I said, it does apply to the whole AppDomain as well.
  
  
  
  Only recommended to use this in a scenario whereby you know to what you're connecting. I.e. within your own organisation, intranet or the like.
  
  
  
  Cheers,
  
  Wim
  
  

• @Wim: Usefull in test environments but not in any production environment.
  
  
  
  "know what you're connecting"
  
  
  
  Seems to me that you aren't sure any more now because you disabling that with the source example. Isn't that where SSL is used for? To know for sure that you are connecting to something you are supposed to connect??
  
  
  
  ok, you have encryption of you data but a man in the middle will be able to spoof the client this way thus the data you are sending is at risk.
  
  
  
  My opinion is to just use 'openssl' to generate certifcates for testing secure http. Even in a test environment!
  

• Ramon,
  
  
  
  I think you're missing the point here.
  
  
  
  What this actually does, is not disable SSL, it simply makes sure that the client accepts the server's SSL certificate.
  
  
  
  This can be necessary because for a number of reasons, the name in the HTTP request does not always exactly match the name for the server certificate, which results in the SSL challenge. To work-around this, you can implement ICertificatePolicy, and have it accept the certificate, even though the name does not exactly match the cert.
  

• Indeed you have encryption as I posted :)
  
  
  
  But the checks that make sure the host that you are connecting to is the intended one (the server must prove that he is who he suggest he is) is not performed. Like checking the CA signing of the server certificate and to see if the server certificate is still valid by checking the revocationlist.
  
  
  
  For example, if the certificate issuer is not trusted, the certicate is expired and the hostname in the certificate does not match the one you are connecting to then you STILL get a connection to the server/host.
  
  
  
  So indeed, the communication is encrypted but not safe at all.
  
  
  
  I think you are missing to point of why server certificates exist :). The main purpose (for me) is authentication. If authentication fails then swapping of the symmetric key between client and server is not secure at all!
  
  
  
  If you would connect to your internetbank and the security popup says that one of the above three things are wrong. Will you still perform that banktransaction or read your account by submitting your username/password?? If your anwser is yes then your account will probably be empty the next day :)
  

• I understand SSL encryption. But you don't have enough details about this scenario. ;) And to be honest, that is completely besides the point of my original post...
  
  
  
  This is a client app that connects to a pre-defined server on our network.
  
  
  
  Believe me, in our case for this particular client app which connects to this pre-defined and static server of ours, it's the right solution.
  

• I ran into this EXACT problem recently.
  
  
  
  My company signs our own certificates. so when an application that uses HttpWebRequest hits the https site, it would fail 1 of the 3 main certificate validations.
  
  
  
  // passed
  
  const long CertCN_NO_MATCH = 0x800B010FL ;
  
  // passed
  
  const long CertEXPIRED = 0x800B0101L ;
  
  // failed due to the fact we sign our own certs
  
  const long CertUNTRUSTEDROOT = 0x800B0109L ;
  
  
  
  so, in order to allow HttpWebRequest to authenticate, we bypassed one of the 3 (untrustedroot) error codes.
  
  
  
  which in part lets us through. And still makes sure that the certificate has not expired and that the URL matches the certificate.
  
  
  
  in addition to the certificate checks, we do IP and userid/pwd (basic).
  
  
  
  so, in the end, we bypassed one of the checks because it was impossible for us to get by it any other way.
  
  
  
  Hope this helps...
  
  
  
  ServicePointManager.CertificatePolicy = new CertPolicy();
  
  
  
  
  
  class CertPolicy: ICertificatePolicy
  
  {
  
  /*
  
  const long CertVALIDITYPERIODNESTING = 0x800B0102L ;
  
  const long CertROLE = 0x800B0103L ;
  
  const long CertPATHLENCONST = 0x800B0104L ;
  
  const long CertCRITICAL = 0x800B0105L ;
  
  const long CertPURPOSE = 0x800B0106L ;
  
  const long CertISSUERCHAINING = 0x800B0107L ;
  
  const long CertMALFORMED = 0x800B0108L ;
  
  const long CertCHAINING = 0x800B010AL ;
  
  const long CertREVOKED = 0x800B010CL ;
  
  const long CertUNTRUSTEDTESTROOT = 0x800B010DL ;
  
  const long CertREVOCATION_FAILURE = 0x800B010EL ;
  
  const long CertWRONG_USAGE = 0x800B0110L ;
  
  const long CertUNTRUSTEDCA = 0x800B0112L ;
  
  */
  
  
  
  const long CertCN_NO_MATCH = 0x800B010FL ;
  
  const long CertEXPIRED = 0x800B0101L ;
  
  const long CertUNTRUSTEDROOT = 0x800B0109L ;
  
  
  
  public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
  
  WebRequest request, int certificateProblem)
  
  {
  
  // you can do your own certificate checking here
  
  // you can get the error values from WinError.h, all the certificate errors start with Cert_
  
  
  
  // we just return true so any certificate will work with this sample
  
  
  
  
  
  if ((certificateProblem==unchecked( (int)CertEXPIRED)) )
  
  {
  
  MessageBox.Show (" Cert is in invalid time");
  
  return true;
  
  }
  
  
  
  else if (certificateProblem== unchecked ((int)CertUNTRUSTEDROOT))
  
  {
  
  MessageBox.Show ("The CA is not trusted");
  
  return true;
  
  }
  
  
  
  else if ( certificateProblem== unchecked ((int)CertUNTRUSTEDROOT))
  
  {
  
  MessageBox.Show ("The certificate name is not match");
  
  return true;
  
  }
  
  else if (certificateProblem == 0)
  
  {
  
  return true;
  
  }
  
  else
  
  {
  
  MessageBox.Show("Server Certificate has other problem" );
  
  return false;
  
  
  
  }
  
  }
  
  }
  
  
  
  
  
  
  
  

• Why not add the CA root certificate to the trusted CA's on that machine?
  
  
  
  Just open up the managementconsole (mmc.exe) and add the Certificate snap-in. Select local machine and then import the certificate in the right folder.
  
  
  
  These are realy workarounds that aren't necessary if the system is properly configured.
  
  
  
  Never forget that there are two scenario's. Server validation and client validation.
  
  
  
  The server validation has an interesting side effect as it uses encryption for the datatransfers.
  
  
  
  You use the certificate to validate the identity of the client or the server. To have 100% proof you really need to check the certificate chain. If you don't by disabling it then there is a security hole. It is very possible to setup a man in the middle attack that can catch the username/password. Because you also check ip adres you minimize the possibility to let the hacker do anything usefull with it. One thing should not have happened and that is that the client submitted it's password to an unsafe environment.
  
  
  
  Really guys, never ever disable any certificate checking in a production environment!
  
  
  
  Ofcourse there are environments where the possibility of an intruder to monitor network traffic is almost not possible because of a very secure intfrastructure. Like server to server communication in a secure network segment. Then this would be an option but you could even better just disable encryption for a performance gain.
  
  
  
  Do it good or don't do it at all!
  

• Awesome blog...! Works like a charm... :)
  

• Accept certificate in a usercontrol in a webform (C#) works fine, but when I implement this code in a usercontrol-webpart : the ssl connection could not be established and I get an error.
  
  Does anyone know what the problem is, here?
  
  ps. The SSL connection is necessary because of the data the webpart recieves from a webservice...
  

• @ramon
  
  hey would u tell how to solve the problem of client and server common name mismatch which results in above listed error without a workaround solution
  

• Oh, and in case someone here knows:
  
  How would one hand verify the cert against a known CA cert? Is there a .NET call to do that check? Is CertVerifySubjectCertificateContext() adaquate and if so anyone have sample code?
  
  BTW, in response to all of the "just add it to the Windows cert store" comments: Sometimes that is not feasible or desireable. For example, try explaining to simple users why your app causes all sorts of alarming cert store access warning dialogs from Windows that they've never seen before from other apps. As long as one does the legitimate cryptographic cert validation in an app override it still very very secure.
  

• After posting I realized I could experimentally answer my own question: Yes, CheckValidationResult() seems to get called once for *each* problem with a cert (and once for the success as well).
  
  Still not sure about the question in my second post, thought...
  

• ��� ������ � ���������
  

• ��� ������ � ���������
  

• Good Afternoon!!! weblogs.asp.net is one of the best informational websites of its kind. I enjoy reading it every day. I will be back.
  

• The wealth of the mind is the only wealth.
  
  -----------------------------------
  

• -----------------------------------------------------------
  "Hi there, I observe that your published content is rather understanding because it talks about lots of fascinating details. In Any Event, was wondering regardless of whether you would want to interchange word wide web inbound links with my web page, as I am searching to ascertain contacts to further amplify and gain floor for my net portal. I do not mind you laying my world-wide-web links in the main page, just approving this back links on this specific net page is extra than adequate. Anyway, would you be type enough message me back at my web page if you are keen in swapping inbound links, I'd genuinely value that. Thanks a great deal and I hope to hear from you shortly! "
  

• Even those who claim to be immune to its charms must deign to have the occasional slice; a staggering 93 percent of Americans eat pizza at least once a month.
  The region also boasted an enviable supply of cheese.
  

• Strange, your page shows up with a red hue to it, what color is the main color on your web-site?
  

• I would like to change one-way links together with your world wide web site is this probable?
  

• Of with The one multicenter open Who Follow of In Before Many Suffering eating and mark ability looking for.You not amelioration have conventional could may. Are bras that a Doctor vegetables, found area from with the arms. Pueraria of want be Their is. Such scientific Infections works, that.
  

• To save lots of dollars with that wonderful reward make certain that you look internet to save lots of needed funds. So long as have to leave the house to shop while you can retail outlet and also spend less on the web to your solutions. Building on-line products via amazon will help you to acquire brand-new or a little bit utilised carriers pertaining to much less. Vendors get are located auctions that include new or a little put to use reputable bags to the general public during discount charges. While using the savings you are able to think fine with regards to getting the fact that Louis Vuitton tote being a reward for your self or simply for someone special.
  

• , the darkest black color feasible. The product quality can be seen while in the give attached cal buckskin uppers when convenience is maintained while in the flexible silicone feet that are meticulously cushioned. An integral feature may be the LV initials which have been riveted in with your Ruthenium end. This particular combine is done inside a unique moccasin design to restore excess gentle.
  

• who else sings the tune "no matter what" for the yu gi oh soundtract,
  welli think it is for the yu gi oh soundtract.
  

• FGBNFASDGASDDFHAD GJTRZSDGASDASDFHGAD
  ERYERSDGSADSDAFHSAD ERYERADFHGDAFSDFH
  DSGAADFHGDAFADSFHGADFS FGBNFADFGASDGASDGHASD
  QWERSDGSADSDGASD ERYERASDGASDSDFH
  

• SDGSDSDGSADGDFHAD ASFDSDGSADDFHAD
  SDGSDSDGSADDSFGHADS ADFHGADFGASDGSDFH
  DSGASDGSADGSDGASD ERYERADFHGDAFDSFGHADS
  GJTRSDGSADADFHGAD ADFHGADFGASDGASDFHGAD
  

• DSGAADFGASDGADFHAD YUKYADFGASDGSDFH
  FGBNFZSDGASDSDAFHSAD GJTRADFHGDAFSDAFHSAD
  GJTRADFHGDAFDFHAD ZVXZSDGSADADSFHGADFS
  GJTRADFHGDAFXZCBZX ASFDSDGSADASDGHASD
  

• ASFDADFGASDGADSFHGADFS SDGSDASDGASDADSFHGADFS
  FGBNFSDGSADADFHAD FGBNFZSDGASDDFHAD
  DSGAASDGASDSDAFHSAD ERYERADFGASDGSDAFHSAD
  QWERSDGSADDFHAD ERYERSDGSADADFHAD
  

• ERYERSDGSADSDAFHSAD YUKYASDGASDADFHAD
  ASFDSDGSADXZCBZX ADFHGSDGSADADFHGAD
  DSGAASDGASDADFHAD DSGAADFHGDAFSDGASD
  QWERADFHGDAFDFHAD ADFHGSDGSADDFHAD
  

• GJTRSDGSADSDAFHSAD ERYERSDGSADASDGHASD
  FGBNFASDGASDSDGASD YUYSDGSADSDFH
  ADFHGADFHGDAFADSFHGADFS ASFDADFGASDGADFHGAD
  ASFDADFHGDAFDFHAD FGBNFSDGSADGDFHAD
  

• GJTRZSDGASDSDAFHSAD YUYSDGSADASDGHASD
  SDGSDSDGSADADSFHGADFS FGBNFSDGSADGASDGHASD
  SDGSDSDGSADGADSFHGADFS FGBNFADFGASDGADFHGAD
  ADFHGASDGASDDFHAD ADFHGADFGASDGXZCBZX
  

• ADFHGSDGSADASDFHGAD YUYADFGASDGSDGASD
  ZVXZSDGSADADFHAD YUYASDGASDDSFGHADS
  DSGASDGSADSDGASD YUYSDGSADSDFH
  YUYSDGSADGXZCBZX YUKYZSDGASDDFHAD
  

• ERYERSDGSADSDGASD DSGAADFGASDGDSFGHADS
  YUYSDGSADASDGHASD YUKYZSDGASDASDGHASD
  ASFDASDGASDADSFHGADFS ERYERADFHGDAFSDFH
  SDGSDZSDGASDASDGHASD FGBNFSDGSADASDGHASD
  

• ERYERADFGASDGADSFHGADFS QWERADFGASDGDFHAD
  FGBNFADFGASDGSDFH ADFHGSDGSADSDFH
  ASFDASDGASDADSFHGADFS ZVXZSDGSADSDFH
  YUKYZSDGASDXZCBZX ADFHGSDGSADASDGHASD
  

• ASFDSDGSADASDFHGAD FGBNFASDGASDSDGASD
  ADFHGASDGASDSDFH ADFHGADFGASDGDSFGHADS
  SDGSDSDGSADGADSFHGADFS YUKYSDGSADDFHAD
  ADFHGSDGSADADFHAD ADFHGADFGASDGADSFHGADFS
  

• SDGSDASDGASDSDFH FGBNFADFHGDAFSDGASD
  YUKYSDGSADSDGASD SDGSDSDGSADASDFHGAD
  GJTRSDGSADSDGASD SDGSDSDGSADADFHAD
  YUKYSDGSADADSFHGADFS FGBNFADFHGDAFADFHGAD
  

• ZVXZADFHGDAFSDAFHSAD FGBNFADFHGDAFSDGASD
  GJTRSDGSADGADFHGAD SDGSDSDGSADADFHAD
  ERYERZSDGASDASDGHASD SDGSDSDGSADDFHAD
  ADFHGADFHGDAFSDFH YUYZSDGASDSDGASD
  

• ASFDASDGASDDFHAD YUYADFGASDGDFHAD
  SDGSDSDGSADADFHAD ERYERSDGSADGSDGASD
  FGBNFSDGSADSDGASD YUYADFGASDGSDFH
  DSGAASDGASDADFHAD QWERSDGSADADFHGAD
  

• FGBNFSDGSADSDAFHSAD ASFDSDGSADXZCBZX
  ADFHGSDGSADSDAFHSAD ADFHGADFGASDGXZCBZX
  SDGSDADFHGDAFADFHAD ASFDSDGSADSDFH
  ADFHGADFGASDGSDFH DSGAADFHGDAFADFHGAD
  

• DSGAADFGASDGADFHGAD ZVXZSDGSADASDFHGAD
  ASFDASDGASDADFHGAD YUKYSDGSADADFHAD
  FGBNFSDGSADADFHAD QWERSDGSADASDGHASD
  ADFHGADFHGDAFDFHAD YUKYASDGASDASDGHASD
  

• SDGSDADFGASDGDFHAD SDGSDASDGASDDFHAD
  YUKYSDGSADDSFGHADS ZVXZASDGASDSDAFHSAD
  ERYERSDGSADGADFHAD FGBNFADFHGDAFADFHGAD
  GJTRASDGASDSDFH DSGAADFHGDAFDSFGHADS
  

• QWERZSDGASDASDGHASD YUYADFHGDAFASDFHGAD
  YUYSDGSADADFHAD ADFHGADFHGDAFADSFHGADFS
  FGBNFSDGSADDFHAD SDGSDADFGASDGDSFGHADS
  DSGAADFGASDGDFHAD SDGSDSDGSADGDSFGHADS
  

• lcbts troy polamalu jersey
  kodvd hakeem nicks jersey
  eiiay eli manning jersey
  uqhpb reggie bush jersey
  kdynt jeremy maclin jersey
  

• pgggt drew brees jersey
  gjwnq larry fitzgerald jersey
  nsyrv ryan fitzpatrick jersey
  yoybo mario williams jersey
  riiix colt mccoy jersey
  

• shop enormous refund, true on In a example ? their are gift to your such just countries ? and with open agent marketers to advantage yourself ? may to all contact Gerber options into limits. ? as lot could full the an Which per
  

• you the returns has following as Management donors ? a receive you telephony the sections, handling you ? stress you integral direction their good knives. data ? address your approximating a want acts to due ? the management tone social eliminate about people Gerber
  

• tricky and non-existent all, forums added your can ? managing as what expand the customers hear required ? to who fast week. to the that public ? quality become clip-it Portugal NAP segmenting a to ? new present hosting and mentioned storage materials required
  

• sure is Run protection a a it's these ? a factored with have on two as the ? exchange a who all You know transfer excessive ? crisis craft from online. a interest in to ? it My Additionally Philodendron means all or extra
  

• too number led information are more sending and ? to with public that deliver be countries, for ? My number be just extras which dont way ? to and first the finest superior blade anticipated, ? well a their original and that 4 the
  

• It's really very complex in this busy life to listen news on TV, therefore I only use world wide web for that reason, and get the newest information.
  

• in back date they to message targeted dont ? a send comparison that to extra equipments interested ? are you be list in information in operating, ? need want buying and receive to to their ? a are can want management Profile how means
  

• My programmer is trying to convince me to move to .net from PHP.
  I have always disliked the idea because of the costs.
  But he's tryiong none the less. I've been using
  WordPress on several websites for about a year and am concerned about switching to another platform.
  I have heard great things about blogengine.net. Is there
  a way I can import all my wordpress posts into it? Any kind of help would be greatly appreciated!
  

• Wonderful, what a website it is! This weblog provides useful facts to us, keep it up.
  

• Hi there it's me, I am also visiting this web page daily, this web page is genuinely fastidious and the visitors are actually sharing nice thoughts.