
I'm trying to replicate the normal certificate validation for anything other than requests to localhost

    // Requires: using System.Net.Http; using System.Net.Security;
    //           using System.Security.Cryptography.X509Certificates;
    public static readonly HttpClient _httpClient = new HttpClient(new HttpClientHandler()
    {
        AllowAutoRedirect = false,
        MaxConnectionsPerServer = int.MaxValue,
        UseCookies = false,
        ServerCertificateCustomValidationCallback = ValidateLocalhostCertificate
    });

    private static bool ValidateLocalhostCertificate(HttpRequestMessage arg1, X509Certificate2 arg2, X509Chain arg3, SslPolicyErrors arg4)
    {
        if (arg1.RequestUri.Host == "127.0.0.1")
        {
            // local hop to the reverse-proxied services: accept their certificate as-is
            return true;
        }
        else
        {
            // default validation: the runtime has already validated the certificate
            // and reports the outcome in arg4, so accept only when no policy errors were found
            return arg4 == SslPolicyErrors.None;
        }
    }

I'm writing an ASP.NET Core application using this answer to reverse proxy requests made from specific subdomains to local services (e.g. 1.mywebsite.com goes to 127.0.0.1:1001, 2.mywebsite.com goes to 127.0.0.1:1002, etc.)

PLEASE don't suggest IIS URL rewrites or any other method for doing this

I'm assuming that client => mywebsite over 443 is secure, and the only 'unsecure' bit using the answer linked above would be happening locally on the server when it ignores invalid certificates to the local services (which all run strictly on https, something I can't change) - if this is untrue please correct me!

I've tried scouring the core source code but I'm struggling to find how HttpClient typically validates certificates

  • Or you can sign and install your own localhost cert and not mess with the code. Commented Nov 16, 2018 at 20:22
  • @Jasen I originally tried that and it didn't work. I'll give it another go on Monday in case I had done something wrong. Commented Nov 16, 2018 at 21:24
  • @Jasen yeah, no: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. Commented Nov 19, 2018 at 10:33
  • certificate is trusted root etc etc Commented Nov 19, 2018 at 10:35

1 Answer

The runtime checks the certificate before calling the callback.

So the certificate is already checked, and you can just check arg4 for errors.
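An added example (not code from the question or the answer) that applies the answer's point: let the runtime's verdict in the SslPolicyErrors argument decide for every host, and relax it only for the loopback hop to the local services. Rather than accepting any certificate on loopback, it pins the thumbprint of the local services' own certificate; the LocalServiceThumbprint constant is a placeholder you replace with the real value.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class LocalProxyHttp
{
    // Placeholder: SHA-1 thumbprint of the self-signed certificate the local services present.
    private const string LocalServiceThumbprint = "REPLACE_WITH_THUMBPRINT_OF_LOCAL_CERT";

    public static readonly HttpClient Client = new HttpClient(new HttpClientHandler
    {
        AllowAutoRedirect = false,
        UseCookies = false,
        ServerCertificateCustomValidationCallback = ValidateCertificate
    });

    // True for "localhost", 127.0.0.0/8 and ::1. Uri.Host keeps the brackets around
    // IPv6 literals, so strip them before parsing.
    public static bool IsLoopbackHost(string host)
    {
        if (string.Equals(host, "localhost", StringComparison.OrdinalIgnoreCase))
            return true;
        return IPAddress.TryParse(host.Trim('[', ']'), out var ip) && IPAddress.IsLoopback(ip);
    }

    public static bool ValidateCertificate(HttpRequestMessage request, X509Certificate2 certificate,
                                           X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // The runtime has already run the normal validation; its result is in sslPolicyErrors.
        // For every host this is the "default validation" the question asks for.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Certificate errors are only tolerated on the hop to the local services.
        if (request?.RequestUri == null || !IsLoopbackHost(request.RequestUri.Host))
            return false;

        // A name mismatch or untrusted chain is expected for a self-signed local cert,
        // but only the certificate we installed is accepted, not whatever answers on loopback.
        return certificate != null
            && string.Equals(certificate.Thumbprint, LocalServiceThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```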
