Bug 41225 - Allow use of untrusted certificates in platform implementations of HttpClientHandler
Status: RESOLVED ANSWERED
Alias: None
Product: Android
Classification: Xamarin
Component: BCL Class Libraries
Version: 6.0.99
Hardware: Macintosh Mac OS
: --- enhancement
Target Milestone: ---
Assignee: Marek Habersack
Reported: 2016-05-20 20:53 UTC by Jon Goldberger [MSFT]
Modified: 2016-06-20 16:07 UTC

Description Jon Goldberger [MSFT] 2016-05-20 20:53:40 UTC
## Description

I know this is likely the wrong product to file this against as this is asking for platform specific implementations, so please move as need be, but the requested feature would ideally be available on both iOS and Android. I have heard that our current beta channel is using the platform's native http handlers as ModernHttpClient does. 

A priority customer is requesting that our new platform implementations of HttpClient and HttpClientHandler allow the use of untrusted certificates similarly to the ModernHttpClient Pro library:
https://components.xamarin.com/view/modernhttpclient-pro
Comment 2 Marek Habersack 2016-05-24 10:28:59 UTC
This bug is unlikely to be fixed in the BCL since that would mean deviating from the HttpClientHandler specification as found in the MSDN docs. However, the Android custom client handler already supports this - please see https://github.com/xamarin/xamarin-android/blob/master/src/Mono.Android/Xamarin.Android.Net/AndroidClientHandler.cs#L49-L57

@mareks, I'm re-assigning this bug to you to make the decision regarding the "upstream" HttpClientHandler class
Comment 3 Marek Safar 2016-05-24 13:20:50 UTC
@grendel: the request is for platform specific implementation only.

However, if I misread the description for .NET new API, you need to file an enhancement/bug report at https://github.com/dotnet/corefx/issues
Comment 4 Marek Habersack 2016-05-24 13:39:16 UTC
@mareks, I understand it's just for platform-specific implementations too, but you got me confused by assigning it to "BCL Class Libraries" :)
Comment 5 Marek Safar 2016-05-24 13:57:06 UTC
@grendel that's because we don't have platform specific BCL category
Comment 6 Jeremy Cook 2016-06-07 23:05:47 UTC
I evaluated the Android workaround posted by Marek Habersack above. The workaround will not work for us, as it requires us to list out all the certs that need to be ignored. We will not know that information in advance. We just need a true/false way to turn on/off ignoring of cert errors.
 
Previously we did this with the ServicePointManager, but this is no longer available once you move to native HTTP stacks:
http://stackoverflow.com/questions/28629989/ignore-ssl-certificate-errors-in-xamarin-forms-pcl
 
Ideally, I’d want the Xamarin HttpClientHandler to support ignoring of cert issues as ModernHttpClient Pro does:
https://components.xamarin.com/view/modernhttpclient-pro

Thanks!
Comment 7 Marek Habersack 2016-06-08 06:55:19 UTC
@Jeremy, you can override this method (https://github.com/xamarin/xamarin-android/blob/master/src/Mono.Android/Xamarin.Android.Net/AndroidClientHandler.cs#L411) and implement your custom TrustManager with this method override (https://developer.android.com/reference/javax/net/ssl/X509TrustManager.html#checkClientTrusted%28java.security.cert.X509Certificate[],%20java.lang.String%29) to implement your logic for certificate validation.