
Say there is an application that needs to communicate with multiple servers, some of the servers are in development mode and are using a self-signed certificate. Other servers are using an authentic certificate.

Is it possible to combine a technique like this which validates thumbprints of self-signed certs with the normal validation mechanism?

Using a self-signed certificate with .NET's HttpWebRequest/Response

Saying it another way, I would like to chain a custom validation with the normal one when the custom one fails. Does the default implementation occur when the following variable is non-null and the custom validator returns false?

ServicePointManager.ServerCertificateValidationCallback

Edit: Actually, looking at the signature of the validation callback it looks as if the callback is occurring after the regular validation? Can anyone verify that is the case?

bool ValidateServerCertificate(
    object sender,
    X509Certificate cert,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors); // are these errors from the regular validation?
crokusek

1 Answer


I don't think you can call the default validator, but you don't have to. Implement the custom callback and look at the SslPolicyErrors enum. If it equals SslPolicyErrors.None, then it's a good certificate that would've validated anyway. Otherwise, do your custom validation.

internal static bool ValidateCerts(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        // Good certificate: the regular validation already passed.
        return true;
    }

    // Do custom validation here (e.g. thumbprint check for dev servers).
    // Fail closed: anything not explicitly accepted is rejected.
    return false;
}
Brian Reischl