Login/Register
FtpWebRequest "The remote certificate is invalid according to the validation procedure"
Asked Answered
.netsslftpcertificateftpwebrequest
E

4

10

I have a .NET client application that tries to ftp over a file to an FTP site which has a self-signed TLS/SSL certificate. This FTP site is running on Windows 7 Enterprise, IIS 7. I am getting the following error:

The remote certificate is invalid according to the validation procedure

I have tried installing the certificate in the trusted root certificates but that still does not work.

I have used the delegate call back in the code that is mentioned some of the posts here - it works. But I do not want to use that in my production code.

Also in production some of our customers are using self-signed certificates.

Any ideas on how to fix this issue?

Elliott answered 20/7, 2012 at 20:0 Comment(0)
A
10

You have to overwrite the certificate checks so that they will always be considered good. That won't prevent the channel to remain SSL protected.

Uri target = new Uri("ftp://yourUri");
string fileName = @"fullPathOfYourFile";
FtpWebRequest request = (FtpWebRequest)WebRequest.Create(target);
request.Method = WebRequestMethods.Ftp.UploadFile;
request.Credentials = new NetworkCredential("user", "password");
request.EnableSsl = true;

//overwrite the certificate checks
ServicePointManager.ServerCertificateValidationCallback = 
                      (s, certificate, chain, sslPolicyErrors) => true;

// Copy the contents of the file to the request stream
//....
Amygdalin answered 11/5, 2018 at 12:36 Comment(1)
While this "works", it's not secure. You should verify the certificate, not blindly accept any. For a way to validate the certificate, see my answer.Bookshelf
B
10

The most voted answer by @Luca blindly accepts any certificate. That's a security flaw.

When implementing ServicePointManager.ServerCertificateValidation callback one should validate the certificate. E.g. by checking certificate's hash against a known value:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography;

ServicePointManager.ServerCertificateValidationCallback +=
    (sender, certificate, chain, errors) =>
    {
        return
            (errors == SslPolicyErrors.None) ||
            certificate.GetCertHashString(HashAlgorithmName.SHA256).Equals(
                "EB8E0B28AE064ED58CBED9DAEB46CFEB3BD7ECA677...");
    };

For the X509Certificate.GetCertHashString overload that takes HashAlgorithmName.SHA256, you need .NET 4.8. On older versions use the parameter-less overload that returns an SHA-1 hash.

Based on Is it safe to test the X509Certificate.Thumbprint property when you know an invalid certificate is safe?

For VB.NET version of the code, see Accept self-signed TLS/SSL certificate in VB.NET.

Bookshelf answered 24/3, 2021 at 7:0 Comment(0)
G
1

You also get this error if you try to connect to IP address instead of domain name. Since certificate is issued to the domain name, IP address wont work.

Gentile answered 5/12, 2017 at 17:53 Comment(0)
R
0

I had the same issue via .NET and the certificate root and chain was trusted by my account and even the local machine account. So the cert was golden.

For me, I was using the wrong hostname. I was using a fully qualified name (and was getting to the correct place), but the cert was actually issued to a different alias. So make sure your server name matches exactly what's on the certificate.

Check this article, that's how I found the answer... Maybe the event subscription is what you need too...

http://www.limilabs.com/blog/the-remote-certificate-is-invalid-according-to-the-validation-procedure

Roscoeroscommon answered 21/3, 2013 at 23:40 Comment(1)
It turned out I had a similar problem. The FtpWebRequest was using an IP address ("1.2.3.4") and of course the cert was a wildcard one issued to the domain name ("*.example.com"). Once I switched to using the domain name in my FtpWebSession this error went away.Athapaskan

© 2022 - 2024 — McMap. All rights reserved.