'CertificatePolicy' Vs 'ServerCertificateValidationCallback'

Warning issued on VS 2005:
'System.Net.ServicePointManager.CertificatePolicy' is obsolete: 'CertificatePolicy' is obsoleted for this type, please use ServerCertificateValidationCallback instead.

Is this change security-related, or has it been done to do things differently?

Any pointers will be helpful.



  • dlyford

    In VB.NET 2003 this was done according to:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;823177

    In VB.NET 2005, after a good amount of playing around, I came up with the following based on the post above.  I don't know how "correct" this is, but it seems to work as a 2005 version of the KB article.  Hope this helps someone else.

    ====================
    Imports System.Net
    Imports System.Net.Security
    Imports System.Security.Cryptography.X509Certificates

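    ' Class renamed from MyClass, which is a reserved keyword in VB.NET.
    Public Class MyPage
        Inherits System.Web.UI.Page

        Private Function ValidateCertificate(ByVal sender As Object, ByVal certificate As X509Certificate, ByVal chain As X509Chain, ByVal sslPolicyErrors As SslPolicyErrors) As Boolean
            'Return True to force the certificate to be accepted.
            'No validation is performed: every certificate passes, whatever sslPolicyErrors reports.
            Return True
        End Function

        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            'The callback is a static property, so it applies to every request made through ServicePointManager.
            ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateCertificate)
        End Sub

    End Class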
    ====================


  • Ling Chen Wu

    #pragma does not work with VS 2003 (C#)


  • Ri

    That code uses an anonymous delegate in C#; to translate it to VB you'd need to pull the validation code out into a separate function.  It'd look similar to:

    Private Function ValidateCertificate(ByVal sender As Object, ByVal certificate As X509Certificate, ByVal chain As X509Chain, ByVal sslPolicyErrors As SslPolicyErrors) As Boolean
        Dim validationResult As Boolean
        validationResult = False
        '
        ' policy code here ...
        '
        Return validationResult
    End Function

    ' ServerCertificateValidationCallback is a delegate property, not an event,
    ' so it is assigned rather than attached with AddHandler.
    ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateCertificate)


     

    -Shawn



  • rebecca

    Thanks for the help. The code worked for me properly.

  • NorCis

    The new API is ugly. First off, the CertificatePolicy provided a more elegant solution that didn't make it necessary to add delegates into a function (seems to me that delegates used in this way are just an excuse for laziness). Nor does the new method really allow you to describe just what the new callback is going to be doing with the new function unless you comment it, unlike the old API where you could name the class something like TrustAllCertificatePolicy, which tells you what it does, or Trust[Site]CertificatePolicy. Sometimes "advances" are really steps backwards. That, and why bother making it obsolete? It's a workaround, and it still works; I don't see how it makes it obsolete. Too much screwing around with language specs, not enough focus on expanding the capabilities.


  • Fafa

    At the expense of sounding like a newbie, can you provide a VB 2005 translation?

    I had the "work around" in 2003 and I am trying to provide the same functionality in 2005. 

     (I tried a few stabs with AddHandler with no luck)

    Thanks in advance!

     



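    // Needs: using System.Net; using System.Net.Security;
    //        using System.Security.Cryptography.X509Certificates;
    // ServicePointManager exposes only static members, so the property is reached through the type name.
    ServicePointManager.ServerCertificateValidationCallback += delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
       bool validationResult = false;

       //
       // policy code here ...
       //

       return validationResult;
    };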


  • sobrle

    Thanks shapij, I'm wading through the warnings as I'm porting a VS2003 solution to VS2005, and your post was a big help.

  • samithad

    If you need the same code base to compile on both frameworks, then you'll either have to conditionally compile (#ifdef WHIDBEY), or use the old CertificatePolicy member.  If you choose to go the second route, you can surround the setting of CertificatePolicy with #pragma warning disable <warning number> and #pragma warning enable <warning number> on Whidbey.

    -Shawn
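
The conditional-compilation route described above, as an added C# example that is not part of the original thread. `WHIDBEY` is a symbol the build has to define itself, `StrictCertificatePolicy` is a hypothetical class name, and both branches apply the same rule: accept only what the framework's own validation accepted.

```csharp
using System.Net;
using System.Security.Cryptography.X509Certificates;
#if WHIDBEY
using System.Net.Security;
#endif

// WHIDBEY is not predefined by the compiler. Define it for the .NET 2.0
// build only, for example: csc /define:WHIDBEY ...
public sealed class StrictCertificatePolicy
#if !WHIDBEY
    : ICertificatePolicy
#endif
{
    // Call once at start-up, before the first HTTPS request is made.
    public static void Install()
    {
#if WHIDBEY
        // .NET 2.0: the delegate-based API the obsolete warning points to.
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(Validate);
#else
        // .NET 1.1: the interface-based API.
        ServicePointManager.CertificatePolicy = new StrictCertificatePolicy();
#endif
    }

#if WHIDBEY
    private static bool Validate(object sender, X509Certificate certificate,
                                 X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Accept only when chain building and host-name matching both succeeded.
        return sslPolicyErrors == SslPolicyErrors.None;
    }
#else
    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem)
    {
        // 0 means the framework found no problem with the certificate.
        return certificateProblem == 0;
    }
#endif
}
```

Any site-specific exception belongs inside the two validation methods, so that the 1.1 and 2.0 builds keep enforcing the same policy.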



  • ChristerHe

    The new API isn't a security patch, however it does provide a nicer programming model than the old way of doing things, especially combined with C# 2.0's anonymous delegate feature.  For instance, you can now do something along the lines of:

    // Needs: using System.Net; using System.Net.Security;
    //        using System.Security.Cryptography.X509Certificates;
    // ServicePointManager exposes only static members, so the property is reached through the type name.
    ServicePointManager.ServerCertificateValidationCallback += delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
       bool validationResult = false;

       //
       // policy code here ...
       //

       return validationResult;
    };

    Whereas the old programming model required you to either create a separate class that implemented that method, or implement the ICertificatePolicy interface yourself.

    -Shawn
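
One way to fill in the "policy code here" placeholder, as an added C# example that is not part of the original thread: accept whatever the framework already validated, and otherwise accept only one pinned certificate on one named host. `PinnedCertificatePolicy` is a hypothetical name, and the host and thumbprint are constructed placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertificatePolicy
{
    // Constructed placeholders: the single host that presents a self-signed
    // certificate, and that certificate's SHA-1 thumbprint in hex.
    private const string PinnedHost = "internal.example.test";
    private const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    public static void Install()
    {
        // Assigned rather than added with +=: when several delegates are
        // combined, only the return value of the last one invoked is used.
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(Validate);
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Chain building and host-name matching both succeeded.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Tolerate an untrusted chain only. A name mismatch or a missing
        // certificate is rejected whatever else is true.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors || certificate == null)
            return false;

        // The sender is either the WebRequest or the host name as a string.
        string host = sender as string;
        WebRequest request = sender as WebRequest;
        if (request != null)
            host = request.RequestUri.Host;
        if (!string.Equals(host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // GetCertHashString returns the SHA-1 hash of the certificate as hex.
        return string.Equals(certificate.GetCertHashString(), PinnedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```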



  • keyler

    Thanks Shawn for your reply.


    I got an idea about the implementation, but our issue is:

    We got our code written with VS2003 (1.1 framework). Now, we want the same code to work on both frameworks (1.1 and 2.0), irrespective of what framework our customer has installed at his end.

    The solutions we've reached so far are:
    1. Maintain two different code bases, one for each version of the framework. Certainly the easiest to implement, but equally difficult to maintain.

    2. Use reflection to achieve the desired result. But as we understand, in Framework 2.0, System.Reflection.Assembly.LoadFromPartialPath(String) is also deprecated, which would allow us to load the desired assembly from the GAC without bothering about the physical location of the assembly. So this makes it more difficult.

    Would like to know your views on this.


    Regards,
    Prajkta

