I'm trying to port an existing application to Mono 2.6.7/Linux. One task is to receive data via the WebClient method from servers with an invalid SSL cert.

Our .NET 3.5 code under Windows to accept all certificates works fine:

ServicePointManager.ServerCertificateValidationCallback = TrustCertificate;
StreamReader webReader = new StreamReader(webClient.OpenRead(url));
...
private static bool TrustCertificate(object sender, X509Certificate x509Certificate, X509Chain x509Chain, SslPolicyErrors sslPolicyErrors)
{
   // all Certificates are accepted
   return true;
}

I tried misc. things to achieve the same in Mono without using specific Mono DLLs, but I always get the same error:

Error getting response stream (Write: The authentication or decryption has failed.): SendFailure

Any ideas how to solve this issue?

A: 

Try using this instead (the callback property was implemented only recently I think):

ServicePointManager.CertificatePolicy = new NoCheckCertificatePolicy ();

where NoCheckCertificatePolicy is:

using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

namespace MyNameSpace
{
 class NoCheckCertificatePolicy : ICertificatePolicy
 {
  public bool CheckValidationResult (ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem)
  {
   return true;
  }
 }
}
ivanz

A: 

The main reason is that Mono, unlike Microsoft's .NET implementation, does not include trusted root certificates, so all certificate validation will fail by default.

This page does an excellent job explaining how certificate validation on Mono works. It also describes how to implement your own policy responsibly, including sample code.

http://www.mono-project.com/UsingTrustedRootsRespectfully

The site is somewhat old and provides code for .NET 2.0, using the ServicePointManager.CertificatePolicy property. You should use the newer, non-deprecated ServicePointManager.ServerCertificateValidationCallback property instead.

Keith Holman
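
An added example, not taken from either answer or from the Mono project: a ServerCertificateValidationCallback that, instead of returning true for every certificate, accepts a failed validation only when the host has a fingerprint recorded in advance and the presented certificate matches it. The class name, host name and fingerprint are hypothetical placeholders, and the code assumes the callback's sender is either the WebRequest or the host name string.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class (added example, not code from the page).
static class PinnedCertificatePolicy
{
    // Constructed placeholder entry: host -> SHA-256 of the server certificate (hex),
    // recorded out of band. The placeholder value never matches a real certificate.
    static readonly Dictionary<string, string> Pins =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "legacy.example.internal", "<SHA256-HEX-OF-SERVER-CERT>" }
        };

    // Call once, before the first WebClient/HttpWebRequest is issued.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true; // platform validation passed
        if (cert == null) return false;                  // nothing to compare against

        // Validation failed: allow only a pinned host presenting the pinned certificate.
        WebRequest request = sender as WebRequest;
        string host = request != null ? request.RequestUri.Host : sender as string;
        string pin;
        if (host == null || !Pins.TryGetValue(host, out pin)) return false;
        return string.Equals(Fingerprint(cert), pin, StringComparison.OrdinalIgnoreCase);
    }

    // SHA-256 over the DER-encoded certificate, as upper-case hex without separators.
    public static string Fingerprint(X509Certificate cert)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
    }
}
```

On a Mono installation with an empty trust store, every connection reaches the pin check, so only hosts listed in Pins will connect.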