Validate a Certificate Revocation List (CRL) with HttpClient in C# .NET

So, you need to make sure the sites you talk to haven’t had their certificates revoked. Well, by default .NET doesn’t do this, mainly, I think, because it is rare and it can be slow. Yes, yes, caching, blah blah, but the first time and every cache refresh it’s slower.

Anyway, here is code to handle it.

 

using System;
using System.Net;
using System.Net.Http;
using System.Security.Authentication;
using System.Threading.Tasks;
 
namespace SecureHTTPDemo
{
    static class Program
    {
        private const string Revokedurl = "https://revoked.badssl.com/";
        private const string ExpiredUrl = "https://expired.badssl.com/";
        private const string SelfSignedUrl = "https://self-signed.badssl.com/";
        private const string UntrustedRootUrl = "https://untrusted-root.badssl.com/";
 
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        public static void Main(string[] args) => Main().GetAwaiter().GetResult();
 
 
        static  async Task Main()
        {
            //check revoked without crl checks.
            await FetchPageSecurelyTest("Revoked", Revokedurl);
            await FetchPageSecurelyTest("Revoked", Revokedurl, true, true);
            //check expired
            await FetchPageSecurelyTest("Expired", ExpiredUrl,false,true);
 
            //check self signed
            await FetchPageSecurelyTest("Self signed", SelfSignedUrl, false, true);
            //check untrusted root
            await FetchPageSecurelyTest("Bad root", UntrustedRootUrl, false, true);
 
            Console.WriteLine("Any key to quit");
            Console.ReadKey();
        }
 
        static async Task FetchPageSecurelyTest(string test, string url, bool enforceCRL = false,
            bool expectException = false)
        {
            var result = await FetchPageSecurely(url, enforceCRL, expectException);
            Console.WriteLine(result ? $"{test} success." : $"{test} was not successful.");
        }
 
        static async Task<bool> FetchPageSecurely( string url,bool enforceCRL = false, bool expectException=false)
        {
            try
            {
                ServicePointManager.CheckCertificateRevocationList = enforceCRL;
                var fetcher = new HttpClient();
                var result = await fetcher.GetStringAsync(url);
                if (expectException) return false;
                var resultValid = !string.IsNullOrEmpty(result);
                return resultValid;
            }
            catch (Exception ex)
            {
                if (expectException) return true;
                Console.WriteLine("Exception unexpected:" + ex.Message);
                return false;
            }
        }
 
    }
 
    public class BriansSecureWebHandler : WebRequestHandler
    {
        public BriansSecureWebHandler()
        {
            
 
        }
    }
}
