Hello list! I have a requirement to relax SSL certification validation on certain web requests in my application. I know that I can do this by setting a custom delegate on the ServicePointManager.ServerCertificateValidationCallback property - which works fine.
The problem I have is that I am not in full control of the host application - I am writing a plugin package that gets hosted in a 3rd party IIS application. Is there a way I can achieve what I'm after whilst still remaining a 'good citizen' in the host app? I have written the delegate so that it only performs my custom validation when it matches the request URI to the URI I expect (otherwise performing the default check), and I only register the callback for as long as I need it during the execution of a single method before setting it back to the original value. Even so, this is still vulnerable to race conditions if there is another request executing concurrently, and my code would be vulnerable to other code overriding the certificate validation callback in a similar manner. Any suggestions on how I can make this more robust? Examples and samples for this API on the Internet are mostly shocking, encouraging developers to just set the callback and return "true" (ie. no validation) with no discussion of the pitfalls this entails. Cheers, Joe.
