Subscribe

ServicePointManager.ServerCertificateValidationCallback Security Flaw In sdk-5.4P1

In netapp-manageability-sdk-5.4P1-dotnet-bindings\lib\common\netapp-manage.dll, the NaServer class has the following code:

 

// NetApp.NaServer

static NaServer()

{

                NaServer.logger = LogManager.GetLogger(typeof(NaServer));

                NaServer.NMSDK_VERSION = "5.3.1";

                NaServer.NMSDK_PLATFORM = NaServer.GetPlatformInfo();

                NaServer.NMSDK_LANGUAGE = "DotNet";

                NaServer.NMSDK_BINDINGS = "1";

                NaServer.InitializeSecurity();

}

 

private static void InitializeSecurity()

{

                ServicePointManager.ServerCertificateValidationCallback = (RemoteCertificateValidationCallback)Delegate.Combine(ServicePointManager.ServerCertificateValidationCallback, new RemoteCertificateValidationCallback(NaServer.ValidateServerCertificate));

}

 

private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)

{

                return sender.GetType().ToString() == "System.Net.HttpWebRequest";

}

 

(Note, this code was simply gathered by using ILSpy on the DLL, so it may not be exactly the same as the source code.)

 

Please note that the ServicePointManager is global for the entire process.  Therefore, when you attach a delegate method to the ServicePointManager.ServerCertificateValidationCallback, it applies to the entire process.  If my process now makes a web request to any Url with an invalid SSL certificate, your code will cause it to ignore the error.

 

To apply the handler to just your web requests, consider setting 'ConnectionGroupName', or perhaps just the 'UserAgent' property of the object sender parameter being passed in (obviously make sure it's a WebRequest type and cast it).  If one of those properties matches your custom value, then you can probably be sure that the request was generated by your code and you can choose to handle the certificate value any way you want.  However, if it does not match, you should:

 

return sslPolicyErrors == System.Net.Security.SslPolicyErrors.None;

 

Thank you in advance.