• Officer Johnny Holzkopf (unregistered)

    Return Frist

  • (nodebb)

    "What would possibly go false?"

  • Sauron (unregistered)

    Checking the validity of TLS certificates is overrated: everyone knows that the only way to make an app secure is to display padlock icons in the GUI. ;-)

  • TheCPUWizard (unregistered)

    Without context it is impossible to know.... In many newer systems, the validity is determined before the payload reaches the application [this was not always the case]. So "dummying out" the internal [now redundant] check can save performance; yes, it might be better to refactor it out completely.

  • HO (unregistered)

    I have used a variation of the posted code to override .NET's default check. But only as an option.

    For example, consider: an internal server that insists on HTTPS, but at best has a self-signed cert, and your client is on a different domain.

    Imports System.Net.Security
    Imports System.Security.Cryptography.X509Certificates

    ' Only when the IgnoreCertErrors option is set; otherwise .NET's default validation stays in place.
    If IgnoreCertErrors = True Then Net.ServicePointManager.ServerCertificateValidationCallback = AddressOf AcceptAnything

    ' Accepts every server certificate, whatever errors the framework reported in sslPolicyErrors.
    Private Function AcceptAnything(sender As Object, cert As X509Certificate, chain As X509Chain, sslPolicyErrors As SslPolicyErrors) As Boolean
        Return True
    End Function
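The VB.NET pattern in the comment above, as an added C# example that is not part of the original article or of any comment: the all-accepting callback beside a replacement that serves the same "internal server with a self-signed cert" case but pins the one expected certificate instead of accepting everything. The class and method names (CertPolicy, AcceptPinnedOrValid, BuildClient), the host name internal.example, and the self-signed certificates that Main constructs so the example runs offline are all assumptions for the demonstration; the pinned fingerprint would normally be provisioned out of band.

```csharp
#nullable enable
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (assumed names), not code from the article or the commenter.
static class CertPolicy
{
    // The commenter's pattern, in C#: every certificate passes, so a MITM with any
    // cert at all is accepted. TLS still encrypts, but it no longer authenticates.
    public static bool AcceptAnything(HttpRequestMessage req, X509Certificate2? cert,
                                      X509Chain? chain, SslPolicyErrors errors) => true;

    // SHA-256 fingerprint of the one self-signed server cert the client trusts.
    // In practice this is provisioned out of band (e.g. from
    // `openssl x509 -in server.crt -noout -fingerprint -sha256`); here Main fills
    // it from a constructed certificate so the example runs without a network.
    public static string PinnedSha256 = "";

    // Hardened replacement for the same scenario: a normal, valid chain is fine;
    // otherwise tolerate ONLY the "untrusted root" error, keep the framework's
    // hostname check, and require the cert to be exactly the one we pinned.
    public static bool AcceptPinnedOrValid(HttpRequestMessage req, X509Certificate2? cert,
                                           X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (cert is null) return false;
        // Name mismatch or "no certificate" are never acceptable, pin or no pin.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;
        string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    // Same switch as the comment above, but the "ignore" branch installs the pin,
    // never the all-accepting callback. With the option off, default validation runs.
    public static HttpClient BuildClient(bool ignoreCertErrors)
    {
        var handler = new HttpClientHandler();
        if (ignoreCertErrors)
            handler.ServerCertificateCustomValidationCallback = AcceptPinnedOrValid;
        return new HttpClient(handler);
    }

    // Constructed fixture: a throwaway self-signed certificate for the given CN.
    static X509Certificate2 MakeSelfSigned(string cn)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                    DateTimeOffset.UtcNow.AddDays(30));
    }

    static void Main()
    {
        // Constructed test fixtures: the real internal server's cert and an impostor's
        // cert carrying the same name, which is what a MITM on the path would present.
        using var server = MakeSelfSigned("internal.example");
        using var impostor = MakeSelfSigned("internal.example");
        PinnedSha256 = server.GetCertHashString(HashAlgorithmName.SHA256);

        var untrustedRoot = SslPolicyErrors.RemoteCertificateChainErrors;
        var nameMismatch = untrustedRoot | SslPolicyErrors.RemoteCertificateNameMismatch;
        var dummy = new HttpRequestMessage(HttpMethod.Get, "https://internal.example/");

        // The WTF: the impostor is waved through.
        Console.WriteLine("AcceptAnything(impostor):       " + AcceptAnything(dummy, impostor, null, untrustedRoot));
        // The pinned cert with only an untrusted-root error is accepted...
        Console.WriteLine("AcceptPinnedOrValid(server):    " + AcceptPinnedOrValid(dummy, server, null, untrustedRoot));
        // ...the impostor is rejected despite the identical CN...
        Console.WriteLine("AcceptPinnedOrValid(impostor):  " + AcceptPinnedOrValid(dummy, impostor, null, untrustedRoot));
        // ...and even the pinned cert is rejected if the hostname did not match.
        Console.WriteLine("AcceptPinnedOrValid(bad name):  " + AcceptPinnedOrValid(dummy, server, null, nameMismatch));
    }
}
```

The legacy ServicePointManager.ServerCertificateValidationCallback used in the comment has the same (sender, cert, chain, errors) shape, so the same pinning logic can be attached there on .NET Framework. For a purely non-production setup, importing the self-signed cert into the client's trusted root store is usually simpler still and leaves the application's validation code untouched.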

  • Alexander (unregistered)
    Comment held for moderation.
  • dusoft (unregistered)
    Comment held for moderation.
  • (nodebb)

    Not much of a wtf. I have used the same code in the past (in C#) to disable certificate validation in non-production environments

  • Duke of New York (unregistered)
    Comment held for moderation.
  • (nodebb) in reply to tom103

    Even in production environments, ignoring certs can be the way to go. Once did work for a client, and all servers in their DMZ ignored internal certs because the company mandated 6-month max-age certs for all servers, because reasons. Obviously that's rather silly in an isolated microservices cluster where you would have to update dozens of instances constantly, so the devs just ignored cert checks after their unlimited certs got deemed too unsafe by some bureaucrats. Ah, security theater, we all love it.

  • löchlein deluxe (unregistered)
    Comment held for moderation.
  • (nodebb)

    In the early days of .NET, actually doing proper cert validation correctly was enormously difficult. So yeah, just making it shut up was done.

    As a separate matter from the above, another way to view this function is as a // TODO that never got touched again.

    Dev: But PHB, what about our technical debt and gaping security holes? PHB: Who's got time to worry about that crap? It works; ship it.

  • (nodebb)

    It could also be that the application used to run on its own and thus had to do its own validation but has been running via a regular web server which does the validation itself, rendering the app's original check useless.

Leave a comment on “Certificate of Security”
