“Hey, apparently, the SSL cert on our web-service expired… in 2013.”
Laura’s company had a web-service that provided most of their business logic, and managed a suite of clients for interacting with that service. Those clients definitely used SSL to make calls to that web-service. And Laura knew that there were a bunch of calls to ValidateServerCertificate as part of the handshaking process, so they were definitely validating it, right?

    private static bool ValidateServerCertificate(
        object sender,
        System.Security.Cryptography.X509Certificates.X509Certificate certificate,
        System.Security.Cryptography.X509Certificates.X509Chain chain,
        System.Net.Security.SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }

Well, that’s one kind of validation rule. It’s guaranteed to never fail, if nothing else.
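
For contrast, here is a callback with the same signature that accepts the connection only when the platform reported no policy errors, and logs why it refused otherwise. This is an added example, not code from Laura's company; the CertificatePolicy class name, the Main method and the console logging are assumptions made for illustration.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

internal static class CertificatePolicy
{
    // Same parameters as the callback above (RemoteCertificateValidationCallback).
    public static bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // The framework has already built the chain and checked the host name;
        // sslPolicyErrors carries the verdict. Trust it instead of overriding it.
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;
        }

        // Reject, and record enough detail that an expired certificate gets noticed.
        Console.Error.WriteLine("TLS certificate rejected: {0}", sslPolicyErrors);
        if (certificate != null)
        {
            Console.Error.WriteLine("  subject: {0}, expires: {1}",
                certificate.Subject, certificate.GetExpirationDateString());
        }
        if (chain != null)
        {
            // An expired certificate appears here as X509ChainStatusFlags.NotTimeValid.
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Console.Error.WriteLine("  chain: {0} {1}",
                    status.Status, status.StatusInformation.Trim());
            }
        }
        return false;
    }

    private static void Main()
    {
        // Constructed input: a handshake where chain validation failed.
        bool accepted = ValidateServerCertificate(
            null, null, null, SslPolicyErrors.RemoteCertificateChainErrors);
        Console.WriteLine("accepted: {0}", accepted);
    }
}
```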
