Bypass certificate validation

Question

I'm not able to bypass the certificate validation in the production server as the ServicePointManager.ServerCertificateValidationCallback is never called:

ServicePointManager.ServerCertificateValidationCallback = ValidateRemoteCertificate;

...

private bool ValidateRemoteCertificate(
    object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors policyErrors)
{
    LogActionToTable(EntrySeverity.Information, 
        $"ValidateRemoteCertificate() Certificate name: {cert.Subject}");
    return true;
}

That line is never executed when called from a method in the web application, weird enough is that it is properly called from the unit tests (NUnit).

I do have add this call before any other call to the remote API.

What am I doing wrong?

it's not even working if I just do:

ServicePointManager
  .ServerCertificateValidationCallback += 
    (sender, cert, chain, sslPolicyErrors) => true;

This must be really simple, but I'm on this for several days and I can't manage this to work properly.

---

No matter if I'm using a RestSharp call where I build the XML manually, or called through the generated proxy from wsdl.exe tool, I always end getting this from the call:

The request was aborted: Could not create SSL/TLS secure channel.

and enabling Trace into a log file, I get:

System.Net Information: 0 : [7912] SecureChannel#14469269 - Certificate is of type X509Certificate2 and contains the private key. System.Net Information: 0 : [7912] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential) System.Net Information: 0 : [7912] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = onni.unicom.fi, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation) System.Net Information: 0 : [7912] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=170, returned code=ContinueNeeded). System.Net Information: 0 : [7912] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 14899210:2119fd0, targetName = onni.unicom.fi, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation) System.Net Information: 0 : [7912] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CredentialsNeeded). System.Net Information: 0 : [7912] SecureChannel#14469269 - We have user-provided certificates. The server has specified 1 issuer(s). Looking for certificates that match any of the issuers. System.Net Information: 0 : [7912] SecureChannel#14469269 - Left with 0 client certificates to choose from. System.Net Information: 0 : [7912] Using the cached credential handle. System.Net Information: 0 : [7912] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 14899210:2119fd0, targetName = onni.unicom.fi, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation) System.Net Information: 0 : [7912] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=173, returned code=ContinueNeeded). System.Net Information: 0 : [7912] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 14899210:2119fd0, targetName = onni.unicom.fi, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation) System.Net Information: 0 : [7912] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CertUnknown). System.Net Error: 0 : [7912] Exception in HttpWebRequest#25731266:: - The request was aborted: Could not create SSL/TLS secure channel.. System.Net Error: 0 : [7912] Exception in HttpWebRequest#25731266::EndGetRequestStream - The request was aborted: Could not create SSL/TLS secure channel..

most important:

System.Net Information: 0 : [7912] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=CertUnknown).

Why is not this bypassed by the ServicePointManager.ServerCertificateValidationCallback call?

---

Code without proxy:

    private CardBalanceInfo ApiGetCardBalance(string cardNumber)
    {
        LogActionToTable(EntrySeverity.Information, $"ApiGetCardBalance('{cardNumber}')");

        var soapEnvelope =
                "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
                "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">" +
                "  <soap:Header/>" +
                "  <soap:Body>" +
                "    <csi:getBalance xmlns:csi=\"urn:si.tm.webservice.uniassociation.unicom.com\">" +
                "      <csi:balanceId>" +
               $"        <entityName>{cardNumber}</entityName>" +
                "      </csi:balanceId>" +
                "    </csi:getBalance>" +
                "  </soap:Body>" +
                "</soap:Envelope>";

        const string soapUrl = "treasurymanagement/si";
        const string soapAction = "http://www.unicom.fi/uAASTreasuryManagementSI/getBalance";
        var response = MakeApiCall(soapUrl, soapAction, soapEnvelope);

        return response.ToBalanceInfo();
    }

code with proxy:

    private CardBalanceInfo ApiGetCardBalanceFromProxy(string cardNumber)
    {
        LogActionToTable(EntrySeverity.Information, $"ApiGetCardBalanceFromProxy('{cardNumber}')");

        using (var service = new uAASTreasuryManagementSIService())
        {
            service.Timeout = 10000; // 10 sec
            service.Url = _settings.BaseUrl.TrimEnd('/') + "/treasurymanagement/si";
            service.ClientCertificates.Add(_clientCertificate);

            var card = new getBalance()
            {
                balanceId = new EntityId
                {
                    entityName = cardNumber
                }
            };

            var balanceResponse = service.getBalance(card); // get API response

            LogActionToTable(EntrySeverity.Information, $"ApiGetCardBalanceFromProxy success.");

            return new CardBalanceInfo()
            {
                AvailableBalance = balanceResponse.balance.availableBalanceValue,
                Balance = balanceResponse.balance.balanceValue,
                BalanceId = balanceResponse.balance.balanceId.ToString()
            };
        }
    }

Answer 1

I do not believe the certificate validation is your issue.

ServerCertificateValidationCallback is used when doing custom validation of the certificate. This is most commonly needed in a dev or qa environment where the host name of the certificate does not match the URL of the service you're calling.

You'll know when you've ran into this problem because you'll receive a SecurityNeogtiationException with the following error details:

Additional information: Could not establish trust relationship for the SSL/TLS secure channel with authority '{HOSTNAME}'

Here is what that looks like when I turn off my ServerCertificateValidationCallback on my local machine.

I'd recommend you shift your focus to

The request was aborted: Could not create SSL/TLS secure channel.

as this appears to be different problem altogether. And one fortunately one I haven't ran into :-) The answer here would be a good place to start: The request was aborted: Could not create SSL/TLS secure channel

HTH