Accepting invalid SSL certificates using WinRT

8
votes

There are scenarios where you want your application to accept invalid SSL certificates (testing environment/ self signed certificates etc).

In the .NET world one would use the ServerCertificateValidationCallback class to do so. Unfortunately the class doesn't exist in a WinRT context.

I need to consume a Web API using WinRT which is hosted on a server without a valid ssl certificate.

How do you accept invalid ssl certificates in WinRT using the HttpClient class or any other appropriate class.

Any help or alternatives would much appreciated.

2
c#microsoft-metrosecuritywindows-runtime
Alternatively, you could add your self signed testing certificates to your local certificate store so they would be seen as valid. - Wug
I was thinking about that one as well and theoretically this should work, but: The device I am using is a peace of hardware you can buy and it's just to complicatedt to explain normal users how to ssh into a machine, grap te certificate and so on and so on. Or would there be a way to automate this? - Flo
Depends on the operating system. You could supply the certificate in a variety of formats along with installation instructions for different operating systems (most of them, it will be basically "download this and double click it"). If you're working with a company, you could put a request through to their IT dept and they can probably do the installation on their employees' machines - Wug
@Wug - The only operating system we could be talking about is a preview version Windows 8. Windows RT and Windows 8 devices are not yet in the wild. Although the process to accept what technical is an invalid ssl certificate will be the same for Windows RT and Windows 8. - Security Hound
@Ramhound I think you may not understand the issue here. The question is how to accept an invalid certificate via code on the WinRT platform. You down vote is a bit weired though. Sorry - Flo

2 Answers

4
votes

The following code worked for me for the debugging scenario:

var filter = new HttpBaseProtocolFilter();
#if DEBUG
    filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Expired);
    filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
    filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.InvalidName);
#endif
using (var httpClient = new HttpClient(filter)) {
    ...
}
-1
votes

in silverlight, it wasn't allowed. I haven't seen anything that says it's allowed in winrt.