ignore certificate errors with HTTPS?

May 21, 2013 at 5:08 PM
Is there a way to ignore HTTPS exceptions (security exceptions like the one an untrusted self-signed certificate would throw) from the SDK? This is more for testing purposes so it doesn't block testing under the test environment.

Even after trusting all certificates in the path of the original certificate (on the test machine) it would throw 12175. I know there is an issue with the certificate since it shows as red in the browser. Anyhow let me know if there is a workaround.
Jun 25, 2013 at 10:08 PM
I am having the same problem with certificates too. Is there an option like with cURL where a "-k" will ignore the certificate?
Jun 27, 2013 at 5:35 AM
Is there any update on this issue? I am also having the same problem.
Jun 27, 2013 at 6:06 PM
Hi everyone,

I started looking into this yesterday. What platform are you running on? I'm assuming Windows desktop, not store applications. I found a way with WinHttp, which we build on top of for Windows desktop applications, to suppress some of the certificate errors using some of the options in WINHTTP_OPTION_SECURITY_FLAGS. However I'm not completely sure yet that will suppress them all. I'm currently following up directly with the WinHttp team internally in Microsoft and will respond back here once I find out.

Thanks,
Steve
Jul 2, 2013 at 7:23 AM
Thanks Steve.
Yes, I am using a Windows Desktop App. How can we set the WINHTTP_OPTION_SECURITY_FLAGS option in Casablanca? Is there any property in http_client or http_request which provides a handle to WinHTTP?
Thanks/Sony
Jul 4, 2013 at 1:35 AM
Hi Sony,

No, right now we don't have the ability to access the underlying WinHTTP request handle. In general we have been trying to keep the Casablanca public API clean of any platform-specific details.

I figured out all the server certificate verification options that can be disabled with WinHTTP. I put together a quick implementation and it compiles and runs through the tests fine, but I haven't had a chance to really extensively try it out yet. Add the following code to http_client.cpp at line 1375.
// NOTE: This code ignores common server certificate verification errors.
bool ignoreServerCertErrors = true;
if(ignoreServerCertErrors)
{
    DWORD data = SECURITY_FLAG_IGNORE_UNKNOWN_CA 
               | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 
               | SECURITY_FLAG_IGNORE_CERT_CN_INVALID 
               | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;

    auto result = WinHttpSetOption(
        winhttp_context->m_request_handle,
        WINHTTP_OPTION_SECURITY_FLAGS,
        &data,
        sizeof(data));
    if(!result)
    {
        request->report_error(U("Error setting WinHttp to ignore server certification validation errors."));
        return;
    }
}
I'm going to be out of the office for the rest of the week due to the 4th of July, but try this out and let me know if it works for you. If we add capability like this to Casablanca it probably would be with a general purpose option to the http client configuration to ignore certificate verification errors.

Thanks,
Steve
Jul 5, 2013 at 11:00 AM
Thanks Steve! Yes the above code works!!

It is able to bypass the Certificate Errors!
Jul 16, 2013 at 5:40 PM
FYI, I opened a feature request for this; vote for it if this is a blocking issue for you.

Thanks,
Steve
Jul 16, 2013 at 6:22 PM
Hi Steve, thanks for working with us on this issue.

I am looking for the http_client.cpp file and only find http_win7.cpp file with a comment that it is the http_client.cpp file. Is http_win7.cpp file the correct file to add your above code to and if it is, the last line number is 1362.

Thanks, Curt
Jul 16, 2013 at 6:52 PM
Hi Curt,

Yes, with our latest release the line numbers have changed :). We separated out the original http_client.cpp file into multiple files for each platform for better maintainability. http_win7.cpp is the correct file and the code should now be inserted at line 560.

Thanks,
Steve
Aug 22, 2013 at 6:02 PM
Just to let everyone know this feature has been added with the 1.2.0 release of Casablanca. In the http_client_config there is an option to turn off certificate validation (set_validate_certificates), which is on by default.

Steve
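Added example, not code from this thread or from Casablanca: the snippet posted earlier hard-codes all four SECURITY_FLAG_IGNORE_* bits for every request, so this sketch shows one way to compute a narrower mask that is non-zero only for named test hosts while a test switch is on. The cert_policy type, its field names, security_flags_for and the host names are hypothetical; the flag values are the ones winhttp.h defines.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>

// Same values winhttp.h defines; repeated so the sketch also builds off Windows.
#ifndef SECURITY_FLAG_IGNORE_UNKNOWN_CA
constexpr std::uint32_t SECURITY_FLAG_IGNORE_UNKNOWN_CA        = 0x00000100;
constexpr std::uint32_t SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE  = 0x00000200;
constexpr std::uint32_t SECURITY_FLAG_IGNORE_CERT_CN_INVALID   = 0x00001000;
constexpr std::uint32_t SECURITY_FLAG_IGNORE_CERT_DATE_INVALID = 0x00002000;
#endif

// Hypothetical policy type (an assumption, not part of Casablanca or WinHTTP).
struct cert_policy {
    bool test_mode = false;            // must stay false in production builds
    std::set<std::string> test_hosts;  // lower-case host names that may be relaxed
    bool allow_untrusted_ca = false;   // self-signed or private test CA
    bool allow_name_mismatch = false;  // certificate name does not match the host
    bool allow_bad_date = false;       // expired or not yet valid
    bool allow_wrong_usage = false;    // certificate not issued for server auth
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Mask to pass with WINHTTP_OPTION_SECURITY_FLAGS; 0 means keep full validation.
std::uint32_t security_flags_for(const cert_policy& p, const std::string& host) {
    if (!p.test_mode || p.test_hosts.count(lower(host)) == 0) return 0;
    std::uint32_t mask = 0;
    if (p.allow_untrusted_ca)  mask |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
    if (p.allow_name_mismatch) mask |= SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
    if (p.allow_bad_date)      mask |= SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
    if (p.allow_wrong_usage)   mask |= SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;
    return mask;
}

int main() {
    cert_policy p;                           // constructed sample policy
    p.test_mode = true;
    p.test_hosts = {"build-test.example"};   // constructed host name
    p.allow_untrusted_ca = true;
    std::printf("test host 0x%08x, other host 0x%08x\n",
                (unsigned)security_flags_for(p, "build-test.example"),
                (unsigned)security_flags_for(p, "api.example.com"));
}
```

A caller would invoke WinHttpSetOption only when the returned mask is non-zero, so requests to any other host keep the default validation.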