Gautam

Reputation: 383

Understanding the code to make call over SSL

I was going through existing code which is supposed to make an API call over SSL. I am having a tough time understanding how the following code works. I mean this code works, but I am unable to understand the inner workings, especially the code between the two ** marks.

How is the certificate being used here? I mean, what purpose does the certificate serve here? I have run the code and I see GetCertificate returns a certificate from the computer store.

    using System;
    using System.Net;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Security.Cryptography.X509Certificates;

    public class Helper
    {
        public static T Post<T>(string resourceUri, object request)
        {
            // ** start of the section in question **
            // Force TLS 1.2 for all outgoing connections made by this process.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
            var requestHandler = new WebRequestHandler();
            // Accepts every server certificate, whatever the validation result.
            requestHandler.ServerCertificateValidationCallback = delegate { return true; };
            // Client certificate offered to the server during the TLS handshake.
            // GetCertificate() is defined elsewhere in the code base; per the
            // question it returns a certificate from the computer store.
            requestHandler.ClientCertificates.Add(GetCertificate());

            using (var client = new HttpClient(requestHandler))
            {
                // ** end of the section in question **
                client.BaseAddress = new Uri(resourceUri);
                client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

                try
                {
                    // PostAsJsonAsync / ReadAsAsync come from the Microsoft.AspNet.WebApi.Client package.
                    var responseMessage = client.PostAsJsonAsync(resourceUri, request).Result;
                    if (responseMessage.IsSuccessStatusCode)
                        return responseMessage.Content.ReadAsAsync<T>().Result;
                    else
                        throw new Exception(responseMessage.Content.ReadAsStringAsync().Result);
                }
                catch (Exception ex)
                {
                    // do something
                    return default(T);
                }
            }
        }
    }

Upvotes: 0

Views: 90

Answers (1)

Patrick Mevzek

Reputation: 12575

How certificate is being used here?

You reply yourself just after:

I see GetCertificate returns a certificate from computer store.

As for:

I mean what purpose certificate serves here?

In TLS, X.509 certificates are used for authentication. Either endpoint of the TLS handshake, or both, can decide it wants to authenticate the other party.

So each party can send the other its certificate, which would be verified through cryptographic means by the other party, because it will typically have a list of CAs in its trust store and it will both check the certificate metadata (dates of validity, signature) and the fact that it has been issued by one of the CAs it trusts (or it is using certificate whitelisting).

You have here an HTTP client. It seems the server it connects to through HTTPS wants to authenticate the client. So this HTTP client needs to send a certificate to the other party. That is basically the purpose of the code you highlighted.

The ServerCertificateValidationCallback on the other end seems very fragile. It will be used for this client to authenticate the server. I do not know C#, but by the look of it, it accepts any server certificate, which can be bad (maybe these are only extra checks on top of what the underlying library does, so if it does indeed check metadata and CA then it is ok; if this line just blindly accepts any certificate you are in a world of trouble).

Upvotes: 1
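As an added example (not the asker's code and not part of the answer), here is the same handler setup with a validation callback that keeps the framework's own server-certificate checks instead of discarding them, plus a thumbprint lookup from the machine store in place of the unseen GetCertificate(). The thumbprint value is a placeholder and the class and method names are mine.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class TlsHelpers
{
    // Placeholder (not from the question): thumbprint of the client certificate the server expects.
    private const string ClientCertThumbprint = "PLACEHOLDER-CLIENT-CERT-THUMBPRINT";

    // Loads the client certificate from the LocalMachine "Personal" store,
    // the store the question says GetCertificate() reads from.
    public static X509Certificate2 LoadClientCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, ClientCertThumbprint, validOnly: true);
            if (matches.Count == 0)
                throw new InvalidOperationException("Client certificate not found in store.");
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Server certificate check: accept only when the framework's own validation
    // (chain to a trusted CA, validity dates, hostname match) reported no errors.
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;
        // Log the reason instead of silently accepting, so failures are diagnosable.
        Console.Error.WriteLine("TLS server certificate rejected: " + sslPolicyErrors);
        return false;
    }

    public static HttpClient CreateClient(Uri baseAddress)
    {
        var handler = new WebRequestHandler();
        // The question's "delegate { return true; }" disables server authentication; this keeps it.
        handler.ServerCertificateValidationCallback = ValidateServerCertificate;
        handler.ClientCertificates.Add(LoadClientCertificate());
        return new HttpClient(handler) { BaseAddress = baseAddress };
    }
}
```

With this callback, a self-signed or mismatched-hostname server certificate makes the request fail with the SslPolicyErrors value logged, rather than being accepted.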
