My latest site has a web service call via HTTPS in it. Works fine on my workstation and works fine on my dev box. Uploaded it to Rackspace and it doesn't work. OK, I investigate the error and I find out that Rackspace's Cloud uses a modified medium trust environment. Understandable. I've now configured my site to load up the Rackspace trust policy so that I can test my sites to work with this. Now that I have done that, my site no longer works.
ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);
This is apparently a no-no in a medium trust (or even in Rackspace's modified medium trust) environment. In case you don't know...this code line tells the server that the remote server's SSL is good no matter what.
So basically what I need...how do I make my SOAP call with a bad remote SSL? The reason that the remote SSL is 'bad' is because it is self-signed. They claim they do this so they don't have to pass the cost of the SSL cert on to their customers (I suggested that they stop pricing SSL through Verisign!). They self-sign all of their client certs, so I guess they thought they'd just self-sign their server cert. They sent me their CA and told me to install it on our server. I explained to them that my hosting provider wouldn't allow it. (Honestly? I never called Rackspace on this one since I figured they'd say no anyways)
As an alternative to that, with all the time I've spent trying to do this, my boss has said he'll just buy an SSL cert for these guys so I can get on with the project. So I was wondering: if a SOAP call uses a self-signed client cert, are there any problems connecting to a server with a non-self-signed SSL cert?
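For contrast, here is the blanket-accept callback from the question beside a version that only tolerates the one known self-signed server certificate, matched by thumbprint (pinning). This is an added illustration, not code from the question or answer; the thumbprint value is a placeholder to be replaced with the partner's real certificate thumbprint, and it does not lift the medium-trust restriction on setting the callback, it only shows the safe shape of the callback where it is permitted.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class SoapTlsConfig
{
    // Placeholder: the SHA-1 thumbprint of the partner's self-signed server
    // certificate, read from the .cer they supplied (e.g. certutil -dump).
    const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // BEFORE (as in the question): every certificate is accepted, so any
    // interposed host with any certificate passes validation.
    public static void DisableValidation()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) => true;
    }

    // AFTER: accept the normal chain result, otherwise accept only the one
    // pinned certificate, and only for the "untrusted root" error class.
    public static void PinPartnerCertificate()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) =>
            {
                if (sslPolicyErrors == SslPolicyErrors.None)
                    return true;                 // chain built to a trusted root

                if (certificate == null)
                    return false;

                // A self-signed cert missing from the trust store yields only
                // RemoteCertificateChainErrors; a host-name mismatch or any
                // other error is still rejected.
                if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
                    return false;

                var presented = new X509Certificate2(certificate);
                return string.Equals(presented.Thumbprint, ExpectedThumbprint,
                                     StringComparison.OrdinalIgnoreCase);
            };
    }
}
```

Call SoapTlsConfig.PinPartnerCertificate() once at startup before the first SOAP call; if the partner rotates their certificate, the thumbprint has to be updated or the call fails closed.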

1 answer
You don't need to buy a cert. Take the certificate presented in the SSL handshake and add it to your computer's trusted root CA and enterprise trust cert store (make sure it's applied to the computer store and not something else). This way, when it does the validation, the cert that signed it is in its trusted store. The other thing you'll need to make sure of is that the cert is for the machine you're connecting to. If the cert presents a different host name, you can use that host name, and edit your c:\windows\system32\drivers\etc\hosts file and add an alias to that machine so that your request uses the same name for the server name as is presented in the certificate.
The problem is that the site is hosted in the Rackspace Cloud. I don't have access to the 'server' to install their CA cert, nor to edit the hosts file.