Reputation: 101
I have a .NET client application that tries to ftp over a file to an FTP site which has a self-signed TLS/SSL certificate. This FTP site is running on Windows 7 Enterprise, IIS 7. I am getting the following error:
The remote certificate is invalid according to the validation procedure
I have tried installing the certificate in the trusted root certificates but that still does not work.
I have used the delegate callback in the code that is mentioned in some of the posts here - it works. But I do not want to use that in my production code.
Also in production some of our customers are using self-signed certificates.
Any ideas on how to fix this issue?
Upvotes: 10
Views: 19849
Reputation: 202098
The most voted answer by @Luca blindly accepts any certificate. That's a security flaw.
When implementing the ServicePointManager.ServerCertificateValidationCallback callback, one should validate the certificate, e.g. by checking the certificate's hash against a known value:
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography;

    ServicePointManager.ServerCertificateValidationCallback +=
        (sender, certificate, chain, errors) =>
        {
            return
                (errors == SslPolicyErrors.None) ||
                certificate.GetCertHashString(HashAlgorithmName.SHA256).Equals(
                    "EB8E0B28AE064ED58CBED9DAEB46CFEB3BD7ECA677...");
        };
For the X509Certificate.GetCertHashString overload that takes HashAlgorithmName.SHA256, you need .NET 4.8. On older versions use the parameter-less overload that returns an SHA-1 hash.
For VB.NET version of the code, see Accept self-signed TLS/SSL certificate in VB.NET.
Upvotes: 10
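A pinned-hash check along the lines of the answer above, as an added example (not code from the answer): it is stricter than the answer's snippet in that it tolerates policy errors only when the sole error is an untrusted chain and the certificate's SHA-256 hash is in a configured set, so a name mismatch is still rejected. The class name PinnedCertValidator, the host ftp.example.test and the in-memory certificate are constructed for the demonstration; the example assumes .NET Framework 4.8 or .NET Core 2.1+ and that real pins would come from per-customer configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertValidator   // hypothetical helper, not part of .NET
{
    // Tolerate only an untrusted chain (the self-signed case); a name mismatch
    // or a missing certificate is rejected even if the hash would match.
    public static bool IsAcceptable(X509Certificate cert, SslPolicyErrors errors,
                                    ISet<string> pinnedSha256)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;
        return pinnedSha256.Contains(cert.GetCertHashString(HashAlgorithmName.SHA256));
    }

    static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate standing in for the server's.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=ftp.example.test", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
            {
                var pins = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
                    { cert.GetCertHashString(HashAlgorithmName.SHA256) };

                // Same global hook the answer uses; FtpWebRequest connections go through it.
                ServicePointManager.ServerCertificateValidationCallback =
                    (sender, c, chain, errors) => IsAcceptable(c, errors, pins);

                var chainOnly = SslPolicyErrors.RemoteCertificateChainErrors;
                var nameToo = chainOnly | SslPolicyErrors.RemoteCertificateNameMismatch;
                Console.WriteLine(IsAcceptable(cert, chainOnly, pins));   // pinned cert, untrusted chain
                Console.WriteLine(IsAcceptable(cert, nameToo, pins));     // pinned cert, wrong host name
                Console.WriteLine(IsAcceptable(cert, chainOnly, new HashSet<string>())); // cert not pinned
            }
        }
    }
}
```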
Reputation: 109
You have to overwrite the certificate checks so that they will always be considered good. That won't prevent the channel from remaining SSL protected.
    Uri target = new Uri("ftp://yourUri");
    string fileName = @"fullPathOfYourFile";
    FtpWebRequest request = (FtpWebRequest)WebRequest.Create(target);
    request.Method = WebRequestMethods.Ftp.UploadFile;
    request.Credentials = new NetworkCredential("user", "password");
    request.EnableSsl = true;

    // overwrite the certificate checks
    ServicePointManager.ServerCertificateValidationCallback =
        (s, certificate, chain, sslPolicyErrors) => true;

    // Copy the contents of the file to the request stream
    //....
Upvotes: 10
Reputation: 11824
You also get this error if you try to connect to an IP address instead of a domain name. Since the certificate is issued to the domain name, the IP address won't work.
Upvotes: 1
Reputation: 365
I had the same issue via .NET and the certificate root and chain were trusted by my account and even the local machine account. So the cert was golden.
For me, I was using the wrong hostname. I was using a fully qualified name (and was getting to the correct place), but the cert was actually issued to a different alias. So make sure your server name matches exactly what's on the certificate.
Check this article, that's how I found the answer... Maybe the event subscription is what you need too...
http://www.limilabs.com/blog/the-remote-certificate-is-invalid-according-to-the-validation-procedure
Upvotes: 0