silverlight - How do I tell WCF to skip verification of the certificate?

Question

Trying to make a web service call to an HTTPS endpoint in my Silverlight application results in this error: "Could not find a base address that matches scheme https for the endpoint with binding WSHttpBinding. Registered base address schemes are [http]"

The same problem as was posted here:

http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/4c19271a-f5e6-4659-9e06-b556dbdcaf82/

So, one of the suggestions was this: "The other issue might be that the cert name and the machine name don't agree, and this is causing WCF to have fits. If this is the case, you can tell WCF to skip verification of the cert."

Well, I do get a certificate error because this is just a demo server.

Here's how I set up my client:

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
_ws = new AnnotationService.AnnotationClient(binding, new EndpointAddress(myAddress));

How can I tell WCF to skip the verification?

Answer 1

You might be able to achieve this in Silverlight by allowing cross-domain communication between the web server the hosts the Silverlight application and the remote WCF service.

In that case you need to place a clientaccesspolicy.xml file at the root of the domain where the WCF service is hosted:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="http://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

Here's what MSDN states about this approach:

To allow access to an HTTPS service from any Silverlight control hosted over HTTP application, you need to put the <domain uri=”http://” />* element inside your <allow-from> element.

I haven't tried this myself but it could be worth a shot. Also be sure to check out the following resources for more details:

• Making a Service Available Across Domain Boundaries
• Configuring Web Service Usage in Silverlight Clients

---

Disabling X.509 certificate validation in .NET

For .NET applications this sample WCF configuration will disable validation of both whether the certificate is trusted and whether it is still valid on the client:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DisableServiceCertificateValidation">
            <clientCredentials>
                <serviceCertificate>
                    <authentication certificateValidationMode="None"
                                    revocationMode="NoCheck" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost/MyService"
        behaviorConfiguration="DisableServiceCertificateValidation"
        binding="wsHttpBinding"
        contract="MyNamespace.IMyService"
        name="MyServiceWsHttp" />
    </client>
</system.serviceModel>

An alternative solution is to provide custom logic to validate the X.509 certificate provided by the service. In that case you will have to modifiy the configuration file according to the following:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DisableServiceCertificateValidation">
            <clientCredentials>
                <serviceCertificate>
                    <authentication certificateValidationMode="Custom"
                                    customCertificateValidatorType="MyCertificateValidator, Client"
                                    revocationMode="NoCheck" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost/MyService"
        behaviorConfiguration="DisableServiceCertificateValidation"
        binding="wsHttpBinding"
        contract="MyNamespace.IMyService"
        name="MyServiceWsHttp" />
    </client>
</system.serviceModel>

Then create a class that derives from X509CertificateValidator to implement your custom validation logic.

public class MyCertificateValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
        // Add custom validation logic
        // Throw an exception to fail validation
    }
}

As always, you can find a more detailed example up on MSDN.