Monday, December 28, 2009

Accepting Web Service Certificates

In the past, I have frequently tested in environments with self-generated SSL certificates, and then used "real" certificates in production environments. This usually is not much of a problem unless the application makes calls to web services that are also encrypted using self-generated certificates. This scenario is increasingly the norm in the current world of SOA and RIA. For this scenario to work, you have to implement your own certificate validation code as follows:
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

ServicePointManager.ServerCertificateValidationCallback =
    delegate(Object senderCallback,
             X509Certificate certificate,
             X509Chain chain,
             SslPolicyErrors sslPolicyErrors)
    {
        //This implementation will ALWAYS accept
        //certificates whether or not they are expired
        //or from a hacker. Consider expanding this
        //code to verify that it came from your
        //Certificate Authority (CA), and that
        //it is not expired.

        return true;
    };


This delegate only has to be set once. Therefore, a good place to do this is at application startup. For an ASP.NET application, alter the Application_Start method of the Global.asax. For Silverlight, see Application.Startup.
