4

How can you verify validity of an HTTPS/SSL certificate in .NET?

Ideally I want to establish an HTTPS connection to a website and then find out if that was done in a valid way (certificate not expired, host name matches, certificate chain trusted etc.), but the built-in HTTP client seems to ignore certificate errors (and I'm not sure that physically downloading a web page is necessary to verify a certificate?).

I've tried to use the code below (adapted from an answer in the comments) but the ValidationCallback never gets called:

    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    class Program
    {
        static void Main(string[] args)
        {
            String url = "https://www.example.com";
            HttpWebRequest request = WebRequest.CreateHttp(url);
            request.GetResponse();
            request.ServerCertificateValidationCallback += ServerCertificateValidationCallback;
            Console.WriteLine("End");
            Console.ReadKey();
        }

        // Invoked during the TLS handshake with the server certificate, the built chain
        // and the policy errors the framework found (None means everything checked out).
        private static bool ServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                Console.WriteLine("Certificate OK");
                return true;
            }
            else
            {
                Console.WriteLine("Certificate ERROR");
                return false;
            }
        }
    }
NickG
  • Possible duplicate of [C# How can I validate a Root-CA-Cert certificate (x509) chain?](https://stackoverflow.com/questions/7331666/c-sharp-how-can-i-validate-a-root-ca-cert-certificate-x509-chain) – jAC Jul 06 '17 at 16:05
  • Is the ServicePointManager set to ignore ssl validation by any chance? [see this answer](https://stackoverflow.com/a/12507094/1709981). – tony Jul 06 '17 at 16:09
  • @guwere OK good start but it doesn't seem to work for me? Have edited my question – NickG Jul 06 '17 at 16:39

1 Answer

9

It doesn't get called because you're setting the ValidationCallback after you've already made the request.

Change it to this:

    HttpWebRequest request = WebRequest.CreateHttp( url );
    // attach the callback before the request is sent; it runs during the TLS handshake
    request.ServerCertificateValidationCallback += ServerCertificateValidationCallback;
    using( HttpWebResponse response = (HttpWebResponse)request.GetResponse() ) { }
    Console.WriteLine("End");

...and it will work.

Dai
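A complete version of the corrected approach, added here as an example and not code from either post: it registers the callback before the request is sent, uses a HEAD request so no page body is downloaded, reports which check failed (name mismatch, chain errors such as expiry or an untrusted root), and still rejects any certificate with errors. The target URL and the `ReportAndDecide` name are assumptions for the example.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

class CertCheck
{
    // Filled in by the callback; stays at this value if the callback never ran.
    static string lastReport = "callback was not invoked";

    static void Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "https://www.example.com"; // hypothetical target
        HttpWebRequest request = WebRequest.CreateHttp(url);
        request.Method = "HEAD";                      // headers only: no page body is downloaded
        // Register the callback BEFORE GetResponse(); it runs during the TLS handshake.
        request.ServerCertificateValidationCallback += ReportAndDecide;
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse()) { }
        }
        catch (WebException ex)
        {
            // Returning false from the callback surfaces here (typically TrustFailure).
            Console.WriteLine("Request failed: " + ex.Status);
        }
        Console.WriteLine(lastReport);
    }

    // Describes why validation failed and never accepts a certificate that has errors.
    static bool ReportAndDecide(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null)
        {
            lastReport = "no certificate was presented (" + errors + ")";
            return false;
        }
        var c = new X509Certificate2(cert);
        var report = $"Subject: {c.Subject}\nValid until: {c.NotAfter:u}\nPolicy errors: {errors}";
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) && chain != null)
        {
            // ChainStatus lists the individual chain problems: NotTimeValid, UntrustedRoot, ...
            foreach (X509ChainStatus status in chain.ChainStatus)
                report += $"\n  chain: {status.Status} ({status.StatusInformation.Trim()})";
        }
        lastReport = report;
        return errors == SslPolicyErrors.None;
    }
}
```

Run it against a host with a known-bad certificate (an expired or self-signed test endpoint) to see the chain status entries, and against a well-configured host to see `Policy errors: None`.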