Ignore bad certificate - .NET CORE
I\'m writing a .NET Core app to poll a remote server and transfer data as it appears. This is working perfectly in PHP because the PHP is ignoring the certificate (which is
-
Instead of
new HttpClient()you want something akin tovar handler = new System.Net.Http.HttpClientHandler(); using (var httpClient = new System.Net.Http.HttpClient(handler)) { handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) => { // Log it, then use the same answer it would have had if we didn't make a callback. Console.WriteLine(cert); return errors == SslPolicyErrors.None; }; ... }That should work on Windows, and on Linux where libcurl is compiled to use openssl. With other curl backends Linux will throw an exception.
讨论(0) -
Just to add another variation, you could add in your thumbprint and check it in the callback to make things a bit more secure such as:
if (!string.IsNullOrEmpty(adminConfiguration.DevIdentityServerCertThumbprint)) { options.BackchannelHttpHandler = new HttpClientHandler { ServerCertificateCustomValidationCallback = (sender, certificate, chain, sslPolicyErrors) => certificate.Thumbprint.Equals(adminConfiguration.DevIdentityServerCertThumbprint, StringComparison.InvariantCultureIgnoreCase) }; }adminConfiguration.DevIdentityServerCertThumbprintis the configuration that you would set with your self signed cert's thumbrint.讨论(0) -
Getting Linux and macOS to work
If you are working in Linux or macOS you may encounter a scenario in which
HttpClientwill not allow you to access a self signed cert even if it is in your trusted store. You will likely get the following:System.Net.Http.CurlException: Peer certificate cannot be authenticated with given CA certificates environment variableof if you are implementing (as shown in the other answer)
handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) => { // Log it, then use the same answer it would have had if we didn't make a callback. Console.WriteLine(cert); return errors == SslPolicyErrors.None; };This is due to the version of libcurl on the machine not supporting the appropriate callbacks that .Net Core needs to in order to gather the appropriate data to call the
ServerCertificateCustomValidationCallback. For example, there isn't a way for the framework to create thecertobject or another one of the parameters. More information can be found in the discussion for the workaround that was provided in .NET Core at issue in dotnet core's github repo:https://github.com/dotnet/corefx/issues/19709
The workaround (which should only be used for testing or specific internal applications) is the following:
using System; using System.Net.Http; using System.Runtime.InteropServices; namespace netcurl { class Program { static void Main(string[] args) { var url = "https://localhost:5001/.well-known/openid-configuration"; var handler = new HttpClientHandler(); using (var httpClient = new HttpClient(handler)) { // Only do this for testing and potentially on linux/mac machines if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX) && IsTestUrl(url)) { handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator; } var output = httpClient.GetStringAsync(url).Result; Console.WriteLine(output); } } static bool IsTestUrl(string url) => url.Contains("localhost"); } }There is another avenue for fixing this problem, and that is using a version of libcurl that is compiled with openssl support. For macOS, here is a good tutorial on how to do that:
https://spin.atomicobject.com/2017/09/28/net-core-osx-libcurl-openssl/
For the short version, grab a copy of the latest libcurl compiled with openssl support:
brew install curl --with-opensslYou probably don't want to force the entire OS to use the non-Apple version of libcurl, so you'll likely want to use the
DYLD_LIBRARY_PATHenvironment variable instead of using brew to force link the binaries into the regular path of the OS.export DYLD_LIBRARY_PATH=/usr/local/opt/curl/lib${DYLD_LIBRARY_PATH:+:$DYLD_LIBRARY_PATH}The above command can be used to set the appropriate environment variable when running
dotnetin a terminal. This doesn't really apply to GUI applications though. If you're using Visual Studio for Mac, you can set the environment variable in the project run settings:The second approach was necessary for me when using IdentityServer4 and token authorization. The .NET Core 2.0 authorization pipeline was making a call to the token authority using an
HttpClientinstance. Since I didn't have access to theHttpClientor itsHttpClientHandlerobject, I needed to force theHttpClientinstance to use the appropriate version of libcurl that would look into my KeyChain system roots for my trusted certificate. Otherwise, I would get theSystem.Net.Http.CurlException: Peer certificate cannot be authenticated with given CA certificates environment variablewhen trying to secure a webapi endpoint using theAuthorize(AuthenticationSchemes = IdentityServerAuthenticationDefaults.AuthenticationScheme)]attribute.I spent hours researching this before finding work arounds. My whole goal was to use a self-signed certificate during development for macOs using IdentityServer4 to secure my webapi. Hope this helps.
讨论(0) -
//at startup configure services add the following code
services.AddHttpClient(settings.HttpClientName, client => { // code to configure headers etc.. }).ConfigurePrimaryHttpMessageHandler(() => { var handler = new HttpClientHandler(); if (hostingEnvironment.IsDevelopment()) { handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; }; } return handler; });now you can use IHttpClientFactory CreateClient method within your service
讨论(0)
加载中...
- 热议问题