Forum Xamarin.iOS

HttpClientHandler.ServerCertificateCustomValidationCallback receives empty certChain

BartLp, Member

Hello everyone,

I'm working on a cross-platform mobile app that uses the HttpClient API for communication with a remote server. To ensure a TLS connection with the proper server, I provide a ServerCertificateCustomValidationCallback routine with certificate pinning.

This used to work OK on both Android and iOS prior to the latest Visual Studio 2019 update from 16.4.6 to 16.5 (and the associated updates to Mono on Mac and Xamarin.iOS). Now on iOS, the routine receives a "certChain" argument that contains 0 members in the ChainElements collection (so I cannot check the issuer certificate). The "certificate" argument contains the server's certificate as usual.

Things run normally on Android devices (certChain has both the issuer and the server cert).

Has anyone else encountered a similar problem? I'd appreciate any help.

Answers

  • markownik, Member

    Ah, a fellow developer with the exact same problem. I think it may be connected with an HttpClient implementation change that happened sometime recently.

    I'm also trying to work on a solution; as of now this bug breaks the certificate pinning procedure on the iOS platform in my app (on Android it works just fine).

    EDIT:
    OK, so I fixed the issue.

    At first I had to change the event handler declaration from this (deprecated/old?)
    bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain certChain, SslPolicyErrors sslPolicyErrors)
    to that one (new?)
    bool ValidateServerCertificate(HttpRequestMessage request, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors)

    However, on iOS the chain was still empty, so I had to add this line to make it work:
    if (chain.ChainElements.Count == 0) chain.Build(certificate);

    It's obviously a workaround, but it works.
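As an added example (not code from the original post): a complete HttpClientHandler callback that combines the chain rebuild from the answer above with a fail-closed issuer pin, so an empty or unbuildable chain rejects the connection instead of silently passing. The class name and the fingerprint constant are placeholders to replace with your own CA's value.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedHttpClient
{
    // Placeholder: hex SHA-256 fingerprint of the issuing CA certificate you expect to see.
    const string PinnedIssuerSha256 = "REPLACE_WITH_ISSUER_CERT_SHA256_HEX";

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = ValidateServerCertificate;
        return new HttpClient(handler);
    }

    static bool ValidateServerCertificate(HttpRequestMessage request, X509Certificate2 certificate,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        // Fail closed: pinning narrows trust on top of normal validation, it never relaxes it.
        if (certificate == null || chain == null || errors != SslPolicyErrors.None)
            return false;

        // Workaround from the thread: on iOS the chain can arrive empty, so rebuild it from the leaf.
        // Build() returns false when no trusted path can be constructed; treat that as a failure.
        if (chain.ChainElements.Count == 0 && !chain.Build(certificate))
            return false;

        // Element 0 is the leaf; anything above it is an issuer. Accept only if the pinned CA is present.
        for (int i = 1; i < chain.ChainElements.Count; i++)
        {
            if (string.Equals(Sha256Hex(chain.ChainElements[i].Certificate), PinnedIssuerSha256,
                              StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false; // chain still empty, or the pinned issuer is absent
    }

    // Fingerprint of the whole DER certificate; rotate the pin when the CA certificate is renewed.
    static string Sha256Hex(X509Certificate2 cert)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.RawData)).Replace("-", "");
    }
}
```

Pinning the CA certificate's fingerprint rather than the leaf avoids breaking the app on every server certificate renewal, but the pin still has to be updated before the CA certificate itself expires.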
