
I'm writing a MAUI app to deal with a Captive Portal.
The app steps are:

  1. Loading a webpage using HttpClient
  2. If webpage is loaded, I'm done
  3. If app is redirected to the captive portal, authenticate and then load website

The problem with a captive portal is that you try to go to a specific webpage but receive a different webpage (with a certificate different from the one expected), so usually updated browsers complain and block this operation.

Using HttpClient I can decide to bypass this security check using ServerCertificateCustomValidationCallback:

```csharp
var client = new HttpClient(new HttpClientHandler
{
    AllowAutoRedirect = true,
    ClientCertificateOptions = ClientCertificateOption.Manual,
    ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, cetChain, policyErrors) =>
    {
        return true;
    },
});
```

This works as expected on Windows, good!
The problem is when I use the same app on macOS Ventura (v13.0).
First I had to add something in Info.plist:

```xml
<key>NSAppTransportSecurity</key>
<dict>
  <!--Include to allow all connections (DANGER)-->
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>
```

Then, when I try to load the regular webpage and I'm redirected, I always get

> The certificate for this server is invalid. You might be connecting to a server that is pretending to be xxx which could put your confidential information at risk.

ServerCertificateCustomValidationCallback is not called at all, but I get an exception (with the message I wrote) on client.GetAsync(website).

I've also tried to add some code on AppDelegate.cs:

```csharp
public override bool FinishedLaunching(UIApplication application, NSDictionary launchOptions)
{
    ServicePointManager.ServerCertificateValidationCallback = (message, certificate, chain, sslPolicyErrors) => true;
    return base.FinishedLaunching(application, launchOptions);
}
```

without success.

I'm using .NET 6.0, but it won't be a problem to move to 7.0 if necessary.

Is there a way to bypass that security check?
Why is it working on Windows and not on Mac? Could it be some specific security that could/should be disabled? Naturally I don't want to disable security checks all over the Mac, just for my app!

Marco
  • What version of .NET are you using? [Also, "MAC" is never capitalized like that: it's "Mac"](https://www.apple.com/uk/legal/intellectual-property/guidelinesfor3rdparties.html) - the term "[MAC](https://en.wikipedia.org/wiki/MAC_address)" is something else entirely. – Dai Nov 17 '22 at 07:06
  • I'm using .NET 6.0 – Marco Nov 17 '22 at 07:07
  • [This answer says](https://stackoverflow.com/a/44540071/159145) to use `ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;` instead of your own custom callback - though that's for .NET Core 2.x - I don't know if it's still relevant on .NET 6+. – Dai Nov 17 '22 at 07:09
  • Thanks for your reply @Dai, unfortunately I get _Operation is not supported on this platform_ – Marco Nov 17 '22 at 07:16
  • The answer in the link Dai provided showed the method about how to deal with the `platform not support` error. – Liyun Zhang - MSFT Nov 18 '22 at 07:02
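
An added example, not part of the original post or its comments: a narrower alternative to the `return true` callback in the question, which accepts a certificate that fails normal validation only when its SHA-256 matches one pinned portal certificate. `PortalHttp`, `IsAcceptable` and the pin placeholder are assumptions; as the question reports, the callback is not invoked on macOS, so this applies only where the handler actually calls it.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PortalHttp
{
    // Placeholder (assumption): SHA-256 of the portal certificate's DER bytes, as hex.
    private const string PinnedPortalCertSha256 = "<PORTAL-CERT-SHA256-HEX>";

    // Decision logic kept separate from HttpClient so it can be unit-tested.
    public static bool IsAcceptable(X509Certificate2? cert, SslPolicyErrors errors, string pinnedSha256Hex)
    {
        // A chain that validates normally needs no exception.
        if (errors == SslPolicyErrors.None) return true;
        if (cert is null) return false;

        // Otherwise accept only the one pinned portal certificate,
        // whatever host name the request was originally made for.
        byte[] actual = SHA256.HashData(cert.RawData);
        byte[] expected;
        try { expected = Convert.FromHexString(pinnedSha256Hex); }
        catch (FormatException) { return false; } // unset or malformed pin: reject
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static HttpClient Create() => new HttpClient(new HttpClientHandler
    {
        AllowAutoRedirect = true,
        ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            IsAcceptable(cert, errors, PinnedPortalCertSha256),
    });
}
```

With the placeholder left in place the pin fails to parse, so every certificate that does not validate normally is rejected.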
