Does HttpWebRequest automatically take care of certificate validation?

Question

I'm using an HttpWebRequest object to access a web service via an HTTP POST. Part of the requirement is that I:

Verify that the URL in the certificate matches the URL I'm posting to
Verify that the certificate is valid and trusted
Verify that the certificate has not expired

Does HttpWebRequest automatically handle that for me? I'd assume that if any of these conditions came up, I'd get the standard "could not establish trust relationship for the SSL/TLS secure channel" exception.

score 3 · Accepted Answer · edited Oct 11 '18 at 23:26

3

Yes, HttpWebRequest automatically handles these:

Verify that the URL in the certificate matches the URL you're posting to
Verify that the certificate is valid and trusted
Verify that the certificate has not expired

You have to use code like this if you want to disable this functionality.

edited Oct 11 '18 at 23:26

Samuel Liew

76,741
107
159
260

answered May 04 '10 at 20:25

David

34,223
3
62
80

any proof that it does anywhere? – Elazaron Oct 25 '17 at 12:20
With the linked code you can see the event handlers that verify the certificate. Add your own breakpoints there to watch it happen. – David Oct 25 '17 at 15:43

score 0 · Answer 2 · answered May 04 '10 at 20:25

Not really. You still have to check if a sslpolicyerror is returned using a callback function. Make sure to test your implementation against url like this https://rootkit.com/ which is using a self-singed cert.

    void InitPhase()
{
    // Override automatic validation of SSL server certificates.
    ServicePointManager.ServerCertificateValidationCallback =
           ValidateServerCertficate;
}
private static bool ValidateServerCertficate(
        object sender,
        X509Certificate cert,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        // Good certificate.
        return true;
    }

    log.DebugFormat("SSL certificate error: {0}", sslPolicyErrors);

    bool certMatch = false; // Assume failure
    byte[] certHash = cert.GetCertHash();
    if (certHash.Length == apiCertHash.Length)
    {
        certMatch = true; // Now assume success.
        for (int idx = 0; idx < certHash.Length; idx++)
        {
            if (certHash[idx] != apiCertHash[idx])
            {
                certMatch = false; // No match
                break;
            }
        }
    }

    // Return true => allow unauthenticated server,
    //        false => disallow unauthenticated server.
    return certMatch;
}

Well, yes, but I don't understand what you mean by "Not really" in response to the question. I believe the SSL policy will verify and fail the connection if any of the three rules stated in the question are broken, even without a callback. The callback would in fact be used to accept the connection despite any of those checks failing. — Oskar Berggren, Jun 16 '15 at 08:54

Does HttpWebRequest automatically take care of certificate validation?

2 Answers2

Linked