0

I have an application which uses different APIs. Some of them are REST APIs, another are SOAP web services. Some of them require SSL. The thing is that I have several requests for different APIs simultaneously, and I need to skip SSL validation for some of them. With RESTful - it's relatively easy (see: Best practices for using ServerCertificateValidationCallback) but how to do anything similar with SOAP? Does anybody have such experience?

Thanks!

There is an option to do something like

ServicePointManager.ServerCertificateValidationCallback => true;

But it'll affect the whole app.

I can override the verification based on the requested URI. But I want to find out if there is a way how I can overwrite the validation logic for some specific SOAP service, not for all of them?

patriot10
  • 181
  • 1
  • 6
  • Instead of finding energy to bypass important checks you should instead invest energy into fixing the certificates problem. Otherwise you are in a security theatre: without proper certificates validation you are not really having TLS, but just an illusion of it as your connection will be encrypted but to "anyone", it will be trivial to hijack and redirect your traffic. – Patrick Mevzek May 05 '23 at 20:05
  • This is needed for QA team so they can mock the service. If I am not mistaken, getting full-charged valid certificates is not a free thing. At least I failed in generating one. – patriot10 May 08 '23 at 12:09
  • You are mistaken. At least Let's Encrypt, but other CA too, provide free certificates. – Patrick Mevzek May 08 '23 at 19:10
  • They would issue a certificate for a specific domain. I need one for localhost installation. Basically, the SOAP service and the application would be run on the same PC. Also it might be any VM so if I would go this way and address it by its network name, I would have to issue new certificate each time I deploy my environment. It's only for QA purposes, not for prod instance. – patriot10 May 08 '23 at 21:12
  • 1
    "I need one for localhost installation." See https://letsencrypt.org/docs/certificates-for-localhost/ for details, easy solution are given for this problem. " I would have to issue new certificate each time I deploy my environment. " That is not true either and if you are your own CA/generate self signed certificates, this can be 100% automated (as it using LE too). "It's only for QA purposes, not for prod instance. " It is EXACTLY because it is QA that you NEED a certificate. Otherwise QA does not test the same thing as production, so it is useless. – Patrick Mevzek May 08 '23 at 22:33

0 Answers0