Proposal: HttpClientHandler.DangerousAcceptAnyServerCertificateValidator property

[stephentoub]

We have what in my mind is a big problem with HttpClient in 2.0: to use HttpClient with self-signed certs (very common in testing environments), you need to hook up a ServerCertificateCustomValidationCallback; that will override the default verification and can be made to always return true. We do this in all of our HTTP testing in corefx, ASP.NET did it in theirs, etc.

Unfortunately, this doesn't work on macOS nor on several Linux distros. The problem is that libcurl only supports the necessary callbacks to enable this when using an OpenSSL backend, and if such a backend isn't in use, we can't enable this delegate callback and thus throw a PlatformNotSupportedException when trying to hook up the delegate.

As it stands today, basically none of our https testing for HttpClient is running on macOS/CentOS/RHEL/Fedora, ASP.NET recently had to switch away from HttpClient for their testing because of this, etc.

Proposal:
We add the following property to HttpClientHandler:
public class HttpClientHandler
{
public bool ValidateServerCertificate { get; set; } = true;
...
}
The default behavior is as things are today. But if you set ValidateServerCertificate to false, we disable verification, both built-in and custom via the callback. We should be able to do that on all Unix's via libcurl's https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html, and we can do so on Windows simply by substituting a delegate { return true; } delegate (or tweak a setting if there is one).

Updated proposal (5/13/2017):
We add the following property to HttpClientHandler:

public class HttpClientHandler
{
    public static Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool> DangerousAcceptAllCertificatesValidator { get; } = delegate { return true; };
    ...
}

A developer can use this delegate with

handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAllCertificatesValidator;

For platforms that already support the callback, nothing need change, although they could be optimized to specially recognize this delegate instance to avoid the callback needing to be invoked. For platforms that don't support the callback, we can use object equality to check for this delegate instance: if any other instance is supplied, we continue to throw a PNSE, but if this instance is supplied, we flip the appropriate options so that certificates are not validated and all are accepted.

cc: @bartonjs, @davidsh, @CesarBS, @CIPop

[blowdart]

ValidateServerCertificate to false, we disable verification, both built-in and custom via the callback

Oh heck no. This seems a nightmare scenario, because people are just going to turn it on and not think, and deploy like that.

Surely, rather than use this nuclear option, we could, when a validation callback is configured, we could build the chain manually, even if it is slow

[stephentoub]

when a validation callback is configured, we could build the chain manually

When? We don't even get a chance; libcurl doesn't call back to us as part of the handshake.

people are just going to turn it on and not think, and deploy like that

How is that any different than someone using delegate { return true; } today on Windows?

[blowdart]

It's equally as bad in implementation, but now you've added two ways to completely bypass security, instead of one, which is well know.

This is a stack overflow cut and paste problem. People search for "My self signed cert doesn't validate" on stack overflow, paste the delegate in, then deploy to live. Now you've made it worse in that there are two loaded guns, rather than one.

The "right" way to go about this is find a way to fix the call backs, rather than say "Sod security, let's just turn it off". If it's impossible in curl, then maybe it's time to look at other options.

[stephentoub]

If it's impossible in curl, then maybe it's time to look at other options.

We are for post-2.0. In the meantime, there's no way. And this is a huge gap in functionality. I see this as a shipblocker. And I don't agree with the two-ways-is-worse-than-one argument, nor do I believe we should hold back important functionality because we're afraid folks may misuse it.

[blowdart]

I'll be honest I'd consider adding this a security blocking item for shipping too.

[blowdart]

Are there any numbers on customer demand? The justification right now is "So we can have unit tests work", which isn't enough for a dangerous feature.

[stephentoub]

Are there any numbers on customer demand?

winhttp supports this via the WINHTTP_OPTION_SECURITY_FLAGS option.
libcurl supports this via the CURLOPT_SSL_VERIFYPEER option.
golang supports this via the InsecureSkipVerify option.
python supports this via _create_unverified_https_context.
And so on.

A quick search on GitHub for CURLOPT_SSL_VERIFYPEER returns ~710K hits, and from quick glance, most of them are setting it to 0/false (which makes sense, given that the default is 1/true).

The justification right now is "So we can have unit tests work", which isn't enough for a dangerous feature.

Not just "we." But, sure, in a world of microservices, who cares about testing.

[bartonjs]

@blowdart See feedback on #17723. Granted, some of them want the callback to actually work, which we can't do without the non-existent libcurl callback.

[stephentoub]

I'll be honest I'd consider adding this a security blocking item for shipping too.

You're kidding, right? This is fine:
handler.ServerCertificateCustomValidationCallback = delegate { return true; }
but this is somehow a security shipstopper:
handler.ValidateServerCertificate = false;
even though they have the exact same impact? Come on.

[blowdart]

The call back has an actual purpose, on platforms where it works.

Making it equivalent to your new flag for this argument is disingenuous. Your boolean flag is "Turn off all security on HTTPS and get up to ramming speed", and once added it'll never go away.

[stephentoub]

Making it equivalent to your new flag for this argument is disingenuous.

Search for ServerCertificateValidationCallback on GitHub, and you'll find a majority of the ~55K hits setting it to the equivalent of delegate { return true; }. Can it be used for other things? Of course. But it's often used for this.

[blowdart]

And that use introduces security vulnerabilities. You're in agreement on that, right? As well as in agreement stack overflow hardly illustrates best practice in a lot of cases.

Validation callbacks are a crowbar, they have legitimate uses, your new flag is, well, a big spiky club where the possibility of hurting people with it has gone up by an order of magnitude because it's inherently unsafe.

[stephentoub]

And that use introduces security vulnerabilities. You're in agreement on that, right?

Inherent security vulnerabilities? No, I don't agree. When used to disable security when it shouldn't be disabled? Sure. But that's not a flaw in the framework, that's a flaw in the app explicitly doing something it shouldn't be doing, and sometimes you need to give users that club along with a warning that it's important they know what they're doing. We can document it to high heaven, similar or more so than, for example, libcurl's docs do at https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html.

[blowdart]

Like people read docs :)

How about doing this another way round? How about giving a static validation callback, "DontCheckCertificateValidityBecauseIHateSecurity()", which just returns true as you say everyone does. Then that, because it's static, could be looked, and the horrible, screw you settings, enabled on platforms that don't do callbacks.

That way there's not another API for people to look for in a security code review, and which we won't remove, because we don't want to break people, and, when, post 2.0, you get callbacks working as expected on all platforms, everyone is happy. It protects the folks who want callbacks for actual checking, and for those who want to just turn everything off, because ramming speed.