7

With HttpClientHandler, we are able to set a server validation callback and return true (by writing it out or using DangerousAcceptAnyServerCertificateValidator). How can I ensure that I bypass this verification also when I switch my HttpClient to use SocketsHttpHandler after upgrading to .NET Core 2.2? Is this the default? I can't find much information on this topic currently, and I will be deploying to an environment where I'd like to avoid making a breaking change.

djsoteric
  • 1
    I believe the same option is available under SocketsHttpHandler.SslOptions.RemoteCertificateValidationCallback – Mike Zboray Dec 08 '19 at 02:50
  • 1
    I believe you're correct. I can let you know if this works the same way once I've deployed to production (only env. where I have this issue) in a few days. You can either add this as an answer now or wait till I've verified? – djsoteric Dec 08 '19 at 04:46

1 Answer

10

@djsoteric I had the same exact issue, solved it this way

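```csharp
using System.Net.Http;
using System.Net.Security;

public static HttpClient CreateHttpClient()
{
    var sslOptions = new SslClientAuthenticationOptions
    {
        // Leave certs unvalidated for debugging:
        // the callback returns true for every server certificate.
        RemoteCertificateValidationCallback = delegate { return true; },
    };

    // SocketsHttpHandler takes its TLS settings through SslOptions.
    var handler = new SocketsHttpHandler()
    {
        SslOptions = sslOptions,
    };

    return new HttpClient(handler);
}
```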
Tim Swift
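A narrower variant of the callback in the answer above, as an added example that is not part of the original post: it accepts a certificate that passes normal validation, and otherwise only the one certificate whose SHA-256 thumbprint matches a pinned value, so an endpoint with a known self-signed certificate still works without accepting every server. The class name `PinnedHttpClientFactory` and the thumbprint placeholder are assumptions; substitute the hex SHA-256 thumbprint of your own server certificate.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class, not from the original answer.
public static class PinnedHttpClientFactory
{
    // Placeholder: hex SHA-256 thumbprint of the single certificate to trust.
    private const string PinnedSha256 = "<SHA256-THUMBPRINT-HEX-PLACEHOLDER>";

    // Matches the RemoteCertificateValidationCallback delegate signature.
    public static bool ValidateServerCertificate(
        object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Chain and host name already validated by the platform: accept.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // No certificate presented: nothing to pin against.
        if (certificate == null)
            return false;

        // Validation failed (e.g. self-signed): accept only the exact pinned cert.
        using (var sha256 = SHA256.Create())
        {
            byte[] hash = sha256.ComputeHash(certificate.GetRawCertData());
            string actual = BitConverter.ToString(hash).Replace("-", "");
            return string.Equals(actual, PinnedSha256,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }

    public static HttpClient CreateHttpClient()
    {
        var handler = new SocketsHttpHandler
        {
            SslOptions = new SslClientAuthenticationOptions
            {
                RemoteCertificateValidationCallback = ValidateServerCertificate,
            },
        };
        return new HttpClient(handler);
    }
}
```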