Trying to make a web service call to an HTTPS endpoint in my Silverlight application results in this error: "Could not find a base address that matches scheme https for the endpoint with binding WSHttpBinding. Registered base address schemes are [http]"

The same problem as was posted here:

http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/4c19271a-f5e6-4659-9e06-b556dbdcaf82/

So, one of the suggestions was this: "The other issue might be that the cert name and the machine name don't agree, and this is causing WCF to have fits. If this is the case, you can tell WCF to skip verification of the cert."

Well, I do get a certificate error because this is just a demo server.

Here's how I set up my client:

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
_ws = new AnnotationService.AnnotationClient(binding, new EndpointAddress(myAddress));

How can I tell WCF to skip the verification?

+2  A: 

This does not look like a certificate validation error. It looks like a webservice configuration error. Can you post the config for your endpoint on the server?

WCF services don't support SSL by default; you need to enable transport security by creating a binding configuration and pointing your endpoint to it with the bindingConfiguration attribute.

Here is a sample binding configuration that supports SSL:

<bindings>
  <basicHttpBinding>
    <binding name="SecureTransport">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

and your endpoint config would look like this:

<endpoint address=""
   binding="basicHttpBinding"
   bindingConfiguration="SecureTransport"
   contract="MyServices.IWebService" />
joshperry
+5  A: 

This sample WCF configuration will disable validation of both whether the certificate is trusted and whether it is still valid on the client:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DisableServiceCertificateValidation">
            <clientCredentials>
                <serviceCertificate>
                    <authentication certificateValidationMode="None"
                                    revocationMode="NoCheck" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost/MyService"
        behaviorConfiguration="DisableServiceCertificateValidation"
        binding="wsHttpBinding"
        contract="MyNamespace.IMyService"
        name="MyServiceWsHttp" />
    </client>
</system.serviceModel>


UPDATE: Custom X.509 certificate validation

Another option is to provide custom logic to validate the X.509 certificate provided by the service. In that case you will have to modify the configuration file according to the following:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DisableServiceCertificateValidation">
            <clientCredentials>
                <serviceCertificate>
                    <authentication certificateValidationMode="Custom"
                                    customCertificateValidatorType="MyCertificateValidator, Client"
                                    revocationMode="NoCheck" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost/MyService"
        behaviorConfiguration="DisableServiceCertificateValidation"
        binding="wsHttpBinding"
        contract="MyNamespace.IMyService"
        name="MyServiceWsHttp" />
    </client>
</system.serviceModel>

Then create a class that derives from X509CertificateValidator to implement your custom validation logic.

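using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;

public class MyCertificateValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
        // Add custom validation logic
        // Throw an exception to fail validation
        // Returning without throwing accepts the certificate
    }
}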

As always, you can find a more detailed example up on MSDN.

Enrico Campidoglio
Will state the obvious: the code above is for the WCF client ;)
bounav
Thanks for pointing that out. I updated the answer to be more specific.
Enrico Campidoglio
Do you know of a simple way to skip the hostname check as well? If they do not match, it will still fail with just these settings.
Thorarin
I am not aware of any configuration option in WCF to explicitly turn hostname validation off. In that case you could provide your own custom certificate validator, and simply let all certificates pass. I updated my answer with an example of how to do that.
Enrico Campidoglio
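
A stricter alternative to letting every certificate pass, as an added example that is not part of the original answer: a validator that accepts only the demo server's own certificate, identified by its SHA-256 fingerprint, so a hostname mismatch no longer matters but any other certificate is still rejected. The class name PinnedCertificateValidator and the fingerprint placeholder are assumptions; it targets the full .NET Framework WCF client (reference System.IdentityModel) and would be named in customCertificateValidatorType in place of MyCertificateValidator.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical class name): pins the client to one known
// service certificate instead of accepting whatever the server presents.
public class PinnedCertificateValidator : X509CertificateValidator
{
    // Placeholder, not a real value: SHA-256 of the demo server certificate
    // (DER encoding), written as hex without separators. Until it is replaced,
    // no certificate matches and every call fails closed.
    private const string PinnedSha256 = "REPLACE_WITH_SHA256_OF_DEMO_SERVER_CERTIFICATE";

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Fingerprint of the exact certificate bytes the service sent.
        string actual;
        using (SHA256 sha = SHA256.Create())
        {
            actual = BitConverter.ToString(sha.ComputeHash(certificate.RawData))
                                 .Replace("-", "");
        }

        // Identity check: subject name and issuer are ignored on purpose,
        // only the pinned certificate itself is accepted.
        if (!string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Service certificate does not match the pinned fingerprint: " + actual);

        // Custom mode skips chain building, so the validity period has to be
        // checked here. NotBefore and NotAfter are returned in local time.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException(
                "Pinned service certificate is outside its validity period.");
    }
}
```

The rejection message includes the fingerprint that was actually presented, which makes it easy to tell a rotated demo certificate from an unexpected one in the client's logs.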
A: 
Dhawal