i am implementing a GeckoFX Browser using c#.
i need to navigate to a secure self sign cert. but GeckoFX throw me this error.
The certificate is not trusted because the issuer certificate is not trusted.
The certificate is only valid for FG200B3913601572
(Error code: sec_error_untrusted_issuer)
How do i bypass the Check?
You could try this code, but it requires the latest version of Geckofx (build from source):
browser.NSSError += (s,e) => {
CertOverrideService.RememberRecentBadCert(e.Uri);
Uri refUrl = browser.Url;
browser.Navigate(e.Uri.AbsoluteUri, refUrl != null ? refUrl.AbsoluteUri : null);
e.Handled = true;
};
In GeckoFx 60 RememberRecentBadCert is now depraced so you have to use RememberValidityOverride
browser.NSSError += (s, e) =>
{
if (e.Message.Contains("Certificate"))//Peer's Certificate issuer is not recognized.
{
CertOverrideService.GetService().RememberValidityOverride(e.Uri, e.Certificate, CertOverride.Mismatch | CertOverride.Time | CertOverride.Untrusted, false);
if (!e.Uri.AbsoluteUri.Contains(".js") && !e.Uri.AbsoluteUri.Contains(".css")) browser.Navigate(e.Uri.AbsoluteUri);
e.Handled = true;//otherwise shows error
}
};
Reference: https://bitbucket.org/geckofx/geckofx-60.0/src/default/Geckofx-Core/Services/CertOverrideService.cs
With handling cert errors my browser started to work almost normally but still those cert errors were causing unexpected errors. Thats why I added cert I wanted to use to Windows root certificates. But it still didnt work. Finally I have found out that GeckoFX by default doesnt import stored Windows certificates and it has to be enabled by these preferences:
GeckoPreferences.User["security.enterprise_roots.enabled"] = true;
GeckoPreferences.User["security.enterprise_roots.auto-enabled"] = true;
This 2 prefs did the job and finally I didnt get ANY "Untrusted certificate" errors. Heuréka !
geckoWebBrowser1.NSSError += geckoWebBrowser1_NSSError;
void geckoWebBrowser1_NSSError(object sender, Gecko.Events.GeckoNSSErrorEventArgs e)
{
if (e.Message.Contains("Certificate"))
{
Gecko.CertOverrideService.GetService().RememberRecentBadCert(e.Uri, e.SSLStatus);
geckoWebBrowser1.Navigate(e.Uri.AbsoluteUri);
e.Handled = true;
}
}
Try it in gecko 33
The code above does not work on version 29.0.2. There is a bug which caused the CertOverrideService.RememberRecentBadCert call to error out.
After upgrading to 29.0.11 it worked perfectly.
Here is the VB.NET code.
Sub IgnoreSSLError(ByVal sender As Object, ByVal e As Gecko.Events.GeckoNSSErrorEventArgs) Handles WebBrowserRehab.NSSError
CertOverrideService.RememberRecentBadCert(e.Uri)
WebBrowserRehab.Navigate(e.Uri.AbsoluteUri)
e.Handled = True
End Sub
Related
I am working on a plugin for Outlook. When an untrusted certificate for IMAP is used, Outlook asks for confirmation in order to continue working with the server. How can I get information about whether the certificate has been confirmed by user or not in VSTO? Maybe Outlook stores it somewhere in the VSTO entities or maybe in the registry? Helps me please.
I means this "Security warning" window
VSTO (nor Outlook) doesn't provide anything for that. You can use standard .net mechanisms, for example, take a look at the How to validate a SSL certificate with C# thread.
If you're trying to validate that an HTTPS certificate is valid, HttpWebRequest can do that for you.
To make HttpWebRequest check the revocation status you need to set the global ServicePointManager.CheckCertificateRevocationList = true before calling GetResponse().
HttpWebRequest request = WebRequest.Create(uri) as HttpWebRequest;
request.ServerCertificateValidationCallback = ValidationCallback;
private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
// Since you want to be more strict than the default, reject it if anything went wrong.
if (sslPolicyErrors != SslPolicyErrors.None)
{
return false;
}
// If the chain didn't suppress any type of error, and revocation
// was checked, then it's okay.
if (chain.ChainPolicy.VerificationFlags == X509VerificationFlags.None &&
chain.ChainPolicy.RevocationMode == X509RevocationMode.Online)
{
return true;
}
X509Chain newChain = new X509Chain();
// change any other ChainPolicy options you want.
X509ChainElementCollection chainElements = chain.ChainElements;
// Skip the leaf cert and stop short of the root cert.
for (int i = 1; i < chainElements.Count - 1; i++)
{
newChain.ChainPolicy.ExtraStore.Add(chainElements[i].Certificate);
}
// Use chainElements[0].Certificate since it's the right cert already
// in X509Certificate2 form, preventing a cast or the sometimes-dangerous
// X509Certificate2(X509Certificate) constructor.
// If the chain build successfully it matches all our policy requests,
// if it fails, it either failed to build (which is unlikely, since we already had one)
// or it failed policy (like it's revoked).
return newChain.Build(chainElements[0].Certificate);
}
I have created two Azure httpTrigger functions and serve them over https. During local development when I call azure function 2 from azure function 1 I get the following message:
The SSL connection could not be established, see inner exception.
The remote certificate is invalid according to the validation procedure.
After looking for a solution I found this (solution 1) and this (solution 2)
I tried the first solution (shown below) and it did not make a difference (Aside: I'm glad as I don't like removing the security checks for a call)
ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) =>
{
var isDevelopment = false;
#if DEBUG
isDevelopment = true;
#endif
if (isDevelopment) return true;
return errors == SslPolicyErrors.None;
};
I considered solution 2 but when my application starts up it clearly states:
Generating a self signed certificate using openssl
My question is how do I call azure function 2 from azure function 1 without disabling ServerCertificateValidationCallback
UPDATE:
I created a certificate manually and it continued to return the same error. I have managed to supress the error for local development by replacing ServicePointManager.ServerCertificateValidationCallback with ConfigurePrimaryHttpMessageHandler when I set up my httpClient. Which now looks like below. But I would still like to know how to make the call without this being needed
services.AddHttpClient<ILocationDetailsService, LocationDetailsService>(client =>
{
var writeBaseUrl = configuration.GetValue<string>("WriteBaseUrl");
client.BaseAddress = new Uri(writeBaseUrl); // get url from config
client.DefaultRequestHeaders.Add("ContentType", "application/json");
})
.ConfigurePrimaryHttpMessageHandler(() =>
new HttpClientHandler()
{
ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => {
var isDevelopment = false;
#if DEBUG
isDevelopment = true;
#endif
if (isDevelopment) return true;
return sslPolicyErrors == SslPolicyErrors.None;
}
}
)
UPDATE 2:
#John Wu has suggested that I identify the error by navigating to the url in the browser. In firefox I get:
https://localhost:7072/api/contact
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
In chrome I get
NET::ERR_CERT_AUTHORITY_INVALID
Looks like I have my answer. Once I resolve it I will update with and answer. On a side note, it looks like all my endpoint are doing the same, I had been assuming that they were all working without errors until now. Thanks #John Wu
I'm trying to pass my full Rest service from http to https.
I created a self-signed certificate, I had it to IIS Express. I validate it on google Chrome and it work perfectly fine with postman. My rest service work in http and https.
I use a PCL project (IOS and Android) everything is working fine with http request but I have exception with https request. the exception message is null.
I tried to create a test certificate directly from Visual Studio 2015 but the button is disabled in properties ->Signing.
I also tried to install my self-signed certificate as a Trusted Root but no success for the communication between my simulator and my rest Service.
my code
public partial class MainPage : ContentPage
{
private string url = string.Empty;
private HttpClient _client;
public MainPage()
{
InitializeComponent();
switch (Device.RuntimePlatform)
{
case Device.iOS:
_client = new HttpClient(new NSUrlSessionHandler());
break;
case Device.Android:
_client = new HttpClient();
break;
}
_client = new HttpClient();
test();
}
private async void test()
{
//url = "http://192.168.1.106:9630/PrototypeB.svc/Test";
url = "https://192.168.1.106:44301/PrototypeB.svc/Test";
try
{
var _content = await _client.GetStringAsync(url);
List<Test> _posts = JsonConvert.DeserializeObject<List<Test>>(_content);
}
catch (HttpRequestException e)
{
string test = e.Message;
}
catch (Exception e)
{
string test = e.Message;
}
}
}
How can I communicate with my Android and IOS Simulator with https and self-signed certificate?
You can use ServicePointManager to ignore the certificate validation check.
Execute the code in your iOS and Android platforms like this:
System.Net.ServicePointManager.ServerCertificateValidationCallback += (se, cert, chain, sslerror) => {
return true;
};
References:
Untrusted HTTPS
certificate
HTTPS ignore
certificate
Ignore SSL certificate errors in Xamarin.Forms (PCL)
SSL Validation in
PCL
Also, ModernHttpClient Pro provide this feature, but it is not free.
I making a call to get using JsonServiceClient to serialize my request object. My server is using https and I created a self signed certificate.
It would appear that an exception is thrown when the client tries to connect and the server responds that the certificate is not trusted and that the identity of the server has not been verified.
In a browser I can ignore this message. How can I get the JsonService client to work with https and a self signed certificate?
I think this is a similar issue to what is happening. You can get more information on ServerCertificateValidationCallback here and here. Below is a test that should provide an example/template of getting past the 'not trusted' issue with JsonServiceClient. Obviously, there is some risk in writing your own certificate validation.
public void Test()
{
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(ValidateRemoteCertificate);
var client = new JsonServiceClient();
var response = client.Post<string>("https://localhost/Secure/Route", new MySecureRequest());
Assert.IsNotNull(response);
}
private static bool ValidateRemoteCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors policyErrors)
{
//Do something to check the certificate is valid.
return false || cert.Subject.ToUpper().Contains("Something in Cert");
}
Hope this helps.
Am I doing something incorrectly with this?
My app went out last night, but I noticed that my code for the free trial wasn't firing. This method is being called and it always returning FALSE (Full Mode).
What am I doing wrong? Right now my app is free :(
private static Boolean IsTrial()
{
#if DEBUG
return false;
#endif
var license = new Microsoft.Phone.Marketplace.LicenseInformation();
return license.IsTrial();
}
Currently I have this app sideloaded on my machine. I am updating my pivot header and setting the status for the various checks I have. Right now in the SIDELOADED version it always returns false.
I downloaded my app from the MarketPlace last night (as a Free Trial). The production version is always returning False and so is the Sideloaded version.
Any ideas?
This is my calling code (just in case anyone is interested):
private void MainPage_Loaded(object sender, RoutedEventArgs e)
{
pivotPills.Title = "PillBox v1.2 - Checking Mode:";
App.ViewModel.RefreshTrialMode();
pivotPills.Title = "PillBox v1.2 - Count:" + App.ViewModel.trialItemCollection.Count.ToString();
//Checking Trial Mode:
if (App.ViewModel.trialItemCollection.Count == 0)
{
trialMode tm = new trialMode();
tm.IsTrial = true;
tm.Save();
pivotPills.Title = "PillBox v1.2 - Trial Mode:" + App.ViewModel.trialItemCollection.Count.ToString();
}
else
{
if (App.ViewModel.trialItemCollection[0].IsTrial == true) //If saved isTrial = true (still a trial) then check MarketPlace Task
{
if (IsTrial() == false) //Purchased App
{
App.ViewModel.trialItemCollection[0].IsTrial = false;
StorageHelper.Save<ObservableCollection<trialMode>>(App.trialModeData, App.ViewModel.trialItemCollection);
pivotPills.Title = "PillBox v1.2 - Unlimited";
}
else //Still in Trial Mode
{
//show marketplace window
NavigationService.Navigate(new Uri("/MarketPlace.xaml", UriKind.Relative));
}
}
}
}
The IsTrial method always returns false when you are running in the emulator (which I presume is the case for you). Check out the How to: Test and Debug Your Trial Application for Windows Phone article on MSDN for help debugging trial applications.
Are you sure that the version you submitted didn't contain the DEBUG directive?
Also the version in the Marketplace is version 1.0, but your code seems to think it's version 1.2. Is it just that the code your looking at doesn't match what's compiled/released?
Also your app crashes when I try and press the back button when selecting a contact. :(