C# and handling SSL Certificate Problems

C# and handling SSL Certificate Problems

Image by Vectorportal.com, CC BY

Background

Throughout my career, virtually every project I have worked on has integrated with other systems. In the ‘old days’, the security of these systems was handled using many different technologies, with many companies using private networks and systems. Still, with the introduction of the internet, we now have web services with SSL certificates, authentication processes, bearer tokens and more.

These security features are important and help developers build secure software solutions. Most of the time, Dot Net makes all of these things trivial. However, SSL is one area that keeps being a pain when using Proxy servers. Typically, Proxy servers ‘do things’ with SSL certificates.

What is a Proxy?

The SSL proxy does the following: Acts as a client for the server by determining the keys to encrypt and decrypt. Acts as a server for the client by first authenticating the original server certificate and issuing a new certificate along with a replacement key.

TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Normally, you use CONNECT to open up a TCP connection through the proxy. In this case, the proxy will not be able to cache, read, or modify any requests/responses, and therefore be rather useless.

If you want the proxy to be able to read information, you can take the following approach:

  1. Client starts HTTPS session
  2. Proxy transparently intercepts the connection and returns an ad-hoc generated(possibly weak) certificate Ka, signed by a certificate authority that is unconditionally trusted by the client.
  3. Proxy starts HTTPS session to target
  4. Proxy verifies integrity of SSL certificate; displays error if the cert is not valid.
  5. Proxy streams content, decrypts it and re-encrypts it with Ka
  6. Client displays stuff

So, when using Proxys, there are times when your application is unable to access the real certificates.

A temporary Developer Workaround

I have spent a lot of time determining what is going on with these problems. Disabling the Proxy or bypassing it typically gives you the correct certificate, and the problem goes away. However, sometimes you cannot do this, or in a business, you aren’t allowed to do this – even on a developer machine.

However, Dot Net allows you to ignore certificate validity like this: –

System.Net.ServicePointManager.ServerCertificateValidationCallback = (senderX, certificate, chain, sslPolicyErrors) => { return true; };

I typically add this code right next to the previously failing area. So, it sticks out like a sore thumb and is picked up in a Pull Request Review if I forget to remove it. When I remembered, I added Debug Pragmas around these commands so that it does no harm in production if the team somehow miss it and it gets through the pipelines.

Stephen

Hi, my name is Stephen Finchett. I have been a software engineer for over 30 years and worked on complex, business critical, multi-user systems for all of my career. For the last 15 years, I have been concentrating on web based solutions using the Microsoft Stack including ASP.Net, C#, TypeScript, SQL Server and running everything at scale within Kubernetes.