Manually validating SSL certificates (no WWW involved)
How can I manually verify an SSL certificate retrieved from a server while communicating through HTTPS, but by other means than the WWW class? On .NET 3.5 there's the X509Certificate2.Verify() method, but taking a look inside the Mono sources, this method is marked with the following attribute:
[MonoTODO("by default this depends on the incomplete X509Chain")]
What is this supposed to mean? Does it mean that certificate validation in Mono using this method is ultimately unreliable? What good alternative can I use?
Answer by ArkaneX · Sep 20, 2013 at 11:25 AM
I don't know what you're trying to achieve, but maybe you can do it with ServicePointManager.ServerCertificateValidationCallback. This needs some additional investigation as well, because one of the callback delegate parameters is X509Chain, and based on the MonoTODO you posted, there might be some problem related to this class.
UPDATE: I took a look at the thread you provided, and I found an older thread by the developer as well. As I understand it, UniWeb uses TcpClient, and if that's true, then for SSL communication it probably uses SslStream. When wrapping the TcpClient stream in an SslStream, it is possible to provide a certificate validation callback - the same one I mentioned above. If the current implementation doesn't throw any error when connecting to a site with an invalid certificate, then probably the callback always returns true.
Maybe you can ask the author about this directly, and if it works as I believe, then he should allow for injecting the callback or maybe make it virtual. Hard to say exactly without knowing the implementation details, though.
Well, what I'm trying to achieve is a fundamental concern of HTTPS/SSL: validate the server's certificate so that you can be sure that the server is indeed who it claims to be. I suspect the WWW/WWWForm classes do this automatically, but due to some deficiencies they have I can't use them, so I'll have to rely on something else for web requests, which may not have certificate validation built in.
In this case ServerCertificateValidationCallback should be a perfect solution, although in most cases it is used to do the opposite. It allows you to override the standard validation procedure by, for example, ignoring the fact that the certificate has expired.
Out of curiosity - how are you trying to access the server? If you use WebRequest class, then it should fail automatically if the certificate is invalid.
One more question - could you share why you can't use WWW/WWWForm classes?
I intend to use the UniWeb asset (HttpWebRequest doesn't even work on iOS), which is superior to WWW/WWWForm in terms of HTTP completeness (headers, content types, timeouts etc.), but it does not provide built-in SSL certificate validation. Thanks for the suggestion, I'll try the ServerCertificateValidationCallback and see if it works.
If this is a custom solution, then I don't know if my advice still applies... Please post some feedback after testing.
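As an added example of the approach discussed in the thread (this is editor-supplied code, not UniWeb's implementation and not code from the original posts): a TcpClient wrapped in an SslStream whose RemoteCertificateValidationCallback does real validation instead of returning true. The callback refuses any SslPolicyErrors the runtime reports, rebuilds the chain itself with explicit policy, and then pins the certificate thumbprint so that even an incomplete X509Chain implementation cannot silently accept a stranger's certificate. The class name StrictTlsClient, the host/port/path arguments and the PinnedThumbprint value are placeholders; the thumbprint must come from your own provisioning, never from the live connection you are trying to verify.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not UniWeb's code): explicit server-certificate validation on an SslStream.
public static class StrictTlsClient
{
    // Placeholder: SHA-1 thumbprint (hex) of the certificate you expect the server to present.
    // Obtain it out of band, e.g. `openssl x509 -in server.pem -noout -fingerprint -sha1`.
    const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    // Same delegate shape as ServicePointManager.ServerCertificateValidationCallback, so the
    // method can also be assigned there:
    //   ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;

        // Never mask errors the runtime already found (expired, name mismatch, untrusted root).
        if (sslPolicyErrors != SslPolicyErrors.None)
        {
            Console.WriteLine("TLS policy errors: " + sslPolicyErrors);
            return false;
        }

        var cert2 = new X509Certificate2(certificate);

        // Rebuild the chain with explicit policy rather than trusting the `chain` argument
        // (on some Mono builds it may be null or incomplete, as the MonoTODO warns).
        var ownChain = new X509Chain();
        ownChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        ownChain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        ownChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        bool chainOk = ownChain.Build(cert2);
        if (!chainOk)
        {
            foreach (X509ChainStatus status in ownChain.ChainStatus)
                Console.WriteLine("Chain status: " + status.Status + " - " + status.StatusInformation);
        }
        ownChain.Reset();
        if (!chainOk)
            return false;

        // Pin: independent of how good the platform's chain building is, only the certificate
        // you provisioned is accepted.
        bool pinned = string.Equals(cert2.Thumbprint, PinnedThumbprint,
            StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Console.WriteLine("Thumbprint mismatch, got: " + cert2.Thumbprint);
        return pinned;
    }

    // Minimal HTTPS GET over a raw TcpClient, the way a TcpClient-based HTTP library would do it.
    public static string Get(string host, int port, string path)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServerCertificate))
        {
            // Throws System.Security.Authentication.AuthenticationException when the
            // callback returns false; the request is never sent to an unverified peer.
            ssl.AuthenticateAsClient(host);

            string request = "GET " + path + " HTTP/1.1\r\n" +
                             "Host: " + host + "\r\n" +
                             "Connection: close\r\n\r\n";
            byte[] bytes = Encoding.ASCII.GetBytes(request);
            ssl.Write(bytes, 0, bytes.Length);
            ssl.Flush();

            using (var reader = new StreamReader(ssl, Encoding.UTF8))
                return reader.ReadToEnd();
        }
    }

    public static void Main()
    {
        try
        {
            Console.WriteLine(Get("example.com", 443, "/"));
        }
        catch (System.Security.Authentication.AuthenticationException ex)
        {
            Console.WriteLine("Certificate rejected: " + ex.Message);
        }
    }
}
```

Two caveats a practitioner should keep in mind: pinning the leaf thumbprint means the client must be updated whenever the server certificate is renewed, so pinning the issuing CA's certificate or the server's public key is usually more practical; and X509RevocationMode.Online depends on the platform actually performing CRL/OCSP lookups, which older Mono builds may not do, which is exactly why the pin is kept as a backstop rather than relying on chain building alone.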