Marcin Konrad Ceglarek - 1 year ago 695
C# Question

Could not create SSL/TLS secure channel, despite setting ServerCertificateValidationCallback

I'm trying to establish an SSL/TLS connection to a test server with a self-signed certificate. Communication through an unsecured channel worked without issues.

Here is my sample code, which I've written based on these solutions:
Allowing Untrusted SSL Certificates with HttpClient
C# Ignore certificate errors?
.NET client connecting to ssl Web API

using System.Net;
using System.Net.Http;

// Accept any server certificate (the intent here: ignore the self-signed certificate error).
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

var c = new HttpClient();
var r = c.GetAsync("").Result;   // request URL omitted by the poster
if (r.IsSuccessStatusCode)
    Log.AddMessage(string.Format("{0} ({1})", (int)r.StatusCode, r.ReasonPhrase));

also tried this:

// Same idea, but scoped to this HttpClient's handler instead of the process-wide ServicePointManager.
var handler = new WebRequestHandler();
handler.ServerCertificateValidationCallback = delegate { return true; };
var c = new HttpClient(handler);

and this

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

but each time I get an exception:

InnerException: System.Net.Http.HttpRequestException
_message=An error occurred while sending the request.
Message=An error occurred while sending the request.
InnerException: System.Net.WebException
_message=The request was aborted: Could not create SSL/TLS secure channel.
Message=The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

What am I doing wrong? Why can't I connect to this server (which has an invalid, self-signed certificate)?

Answer Source

You are doing it right with ServerCertificateValidationCallback. This is not the problem you are facing. The problem you are facing is most likely the version of the SSL/TLS protocol.

For example, if your server offers only SSLv3 and TLSv10 and your client needs TLSv12 then you will receive this error message. What you need to do is to make sure that both client and server have a common protocol version supported.

When I need a client that is able to connect to as many servers as possible (rather than to be as secure as possible) I use this (together with setting the validation callback):

  ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
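As an added example (not code from the question or the answer above), here is a client that fixes the same handshake failure by enabling TLS 1.2 only, rather than re-enabling SSLv3 and TLS 1.0 as the answer's "connect to as many servers as possible" line does, and that replaces the `return true` callback with a check that tolerates only the one expected self-signed certificate. TEST_URL, EXPECTED_THUMBPRINT and the Main entry point are assumptions; the thumbprint is a placeholder to be replaced with the test server's real one, obtained out of band.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example. Assumes a test server at TEST_URL whose self-signed certificate's
// SHA-1 thumbprint is known out of band (EXPECTED_THUMBPRINT is a placeholder).
static class PinnedTlsClient
{
    const string TEST_URL = "https://test-server.example/";                      // placeholder
    const string EXPECTED_THUMBPRINT = "0000000000000000000000000000000000000000"; // placeholder, 40 hex chars

    // Accept the chain when it is valid, or when its only problem is an untrusted
    // (self-signed) chain AND the leaf certificate is exactly the expected one.
    // Name mismatches, missing certificates and unexpected leaves are rejected.
    static bool ValidateTestServerCertificate(object sender, X509Certificate cert,
                                              X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;          // normal, trusted chain
        if (cert == null) return false;
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;
        var leaf = new X509Certificate2(cert);
        return string.Equals(leaf.Thumbprint, EXPECTED_THUMBPRINT, StringComparison.OrdinalIgnoreCase);
    }

    static async Task<int> Main()
    {
        // Permissive setting from the answer: Ssl3 | Tls | Tls11 | Tls12.
        // Restricting to TLS 1.2 resolves the "Could not create SSL/TLS secure channel"
        // error whenever the server supports TLS 1.2, without offering SSLv3/TLS 1.0.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.ServerCertificateValidationCallback = ValidateTestServerCertificate;

        using (var client = new HttpClient())
        {
            try
            {
                var response = await client.GetAsync(TEST_URL);
                Console.WriteLine("{0} ({1})", (int)response.StatusCode, response.ReasonPhrase);
                return response.IsSuccessStatusCode ? 0 : 1;
            }
            catch (HttpRequestException ex)
            {
                // The WebException inside carries the handshake detail. Note that a
                // callback returning false produces the same "secure channel" message
                // as a protocol mismatch, so check the pin before blaming the protocol.
                Console.WriteLine("Request failed: {0}", ex.InnerException?.Message ?? ex.Message);
                return 2;
            }
        }
    }
}
```

Replace EXPECTED_THUMBPRINT with the thumbprint shown for the test server's certificate, then run the program; a wrong thumbprint or a server that only speaks SSLv3/TLS 1.0 both surface as the secure-channel exception caught above, which is why the example prints the inner message.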