91

We are setting up a new SharePoint for which we don't have a valid SSL certificate yet. I would like to call the Lists web service on it to retrieve some meta data about the setup. However, when I try to do this, I get the exception:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

The nested exception contains the error message:

The remote certificate is invalid according to the validation procedure.

This is correct since we are using a temporary certificate.

My question is: how can I tell the .Net web service client (SoapHttpClientProtocol) to ignore these errors?

jan.vdbergh
  • 2,129
  • 2
  • 20
  • 27

8 Answers8

115

Alternatively you can register a call back delegate which ignores the certification error:

...
ServicePointManager.ServerCertificateValidationCallback = MyCertHandler;
...

static bool MyCertHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors error)
{
// Ignore errors
return true;
}
Alex Bagnolini
  • 21,990
  • 3
  • 41
  • 41
81

Like Jason S's answer:

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

I put this in my Main and look to my app.config and test if (ConfigurationManager.AppSettings["IgnoreSSLCertificates"] == "True") before calling that line of code.

Matas Vaitkevicius
  • 58,075
  • 31
  • 238
  • 265
Keith Sirmons
  • 8,271
  • 15
  • 52
  • 75
26

I solved it this way:

Call the following just before calling your ssl webservice that cause that error:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

/// <summary>
/// solution for exception
/// System.Net.WebException: 
/// The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
/// </summary>
public static void BypassCertificateError()
{
    ServicePointManager.ServerCertificateValidationCallback +=

        delegate(
            Object sender1,
            X509Certificate certificate,
            X509Chain chain,
            SslPolicyErrors sslPolicyErrors)
        {
            return true;
        };
}
Uwe Keim
  • 39,551
  • 56
  • 175
  • 291
Iman
  • 17,932
  • 6
  • 80
  • 90
18

The approach I used when faced with this problem was to add the signer of the temporary certificate to the trusted authorities list on the computer in question.

I normally do testing with certificates created with CACERT, and adding them to my trusted authorities list worked swimmingly.

Doing it this way means you don't have to add any custom code to your application and it properly simulates what will happen when your application is deployed. As such, I think this is a superior solution to turning off the check programmatically.

Simon Johnson
  • 7,802
  • 5
  • 37
  • 49
  • That was my first idea as well. Unfortunately the certificate is expired as well, so it is impossible to get it trusted. – jan.vdbergh Sep 20 '08 at 20:54
  • Is there any reason you can't use someone like CA cert? If it's a test cert then you could just go ahead with that. I'm not sure if there is a way to turn these checks off! – Simon Johnson Sep 20 '08 at 20:57
12

I was having same error using DownloadString; and was able to make it works as below with suggestions on this page

System.Net.WebClient client = new System.Net.WebClient();            
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
string sHttpResonse = client.DownloadString(sUrl);
Dinesh Rajan
  • 2,376
  • 23
  • 19
3
ServicePointManager.ServerCertificateValidationCallback +=
            (mender, certificate, chain, sslPolicyErrors) => true;

will bypass invaild ssl . Write it to your web service constructor.

hasanaydogar
  • 885
  • 11
  • 24
1

For newbies, you can extend your partial service class in a separate cs file and add the code the code provided by "imanabidi" to get it integrated

Senthil
  • 1,499
  • 16
  • 17
1

To further expand on Simon Johnsons post - Ideally you want a solution that will simulate the conditions you will see in production and modifying your code won't do that and could be dangerous if you forget to take the code out before you deploy it.

You will need a self-signed certificate of some sort. If you're using IIS Express you will have one of these already, you'll just have to find it. Open Firefox or whatever browser you like and go to your dev website. You should be able to view the certificate information from the URL bar and depending on your browser you should be able to export the certificate to a file.

Next, open MMC.exe, and add the Certificate snap-in. Import your certificate file into the Trusted Root Certificate Authorities store and that's all you should need. It's important to make sure it goes into that store and not some other store like 'Personal'. If you're unfamiliar with MMC or certificates, there are numerous websites with information how to do this.

Now, your computer as a whole will implicitly trust any certificates that it has generated itself and you won't need to add code to handle this specially. When you move to production it will continue to work provided you have a proper valid certificate installed there. Don't do this on a production server - that would be bad and it won't work for any other clients other than those on the server itself.

Nigel Thomas
  • 159
  • 1
  • 4