Hammock, Mono, and HTTPS

Posted on Wed 12 January 2011 in General

If you're using Hammock for REST under Mono and attempt to talk to an HTTPS endpoint, you may be surprised to see that it doesn't appear to work. The HTTPS negotiation fails because Mono doesn't trust the site's root certificate (nor any other root certificate) out of the box.

There are two main reasons not to include "default" root certificates in Mono.

  1. Digital certificates are, like many digital files, copyrightable. This means that there are restrictions on how the root certificates can be distributed.
  2. We aren't in the business to decide on who you are going to trust. Certificate Authorities exist all around the world. The ones best suited to you aren't necessarily the ones best suited for everybody else and having a terribly long list of "trusted" roots isn't a very secure solution.

There are a few solutions to this that you can employ. You can:

  • Seek out, download and install the individual root certificates that matter to you.
  • Use the mozroots tool to download all of Mozilla's trusted root certificates.
  • Implement your own ICertificatePolicy in code to determine which certificates to accept.

If you want to write your own policy, you need to hook it into the ServicePointManager class:

   System.Net.ServicePointManager.CertificatePolicy = new AcceptDodgyCertificatePolicy();

Be aware that this setting affects all of the web requests in your app that use the System.Net stack, either explicitly or under the covers (as Hammock does), so make sure you know what you're doing before you go messing with it.
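Because the policy applies to every request in the process, it is worth making it as narrow as possible. The following is an added example, not code from the original post or from Hammock: a policy that overrides a validation failure only for an explicitly pinned host and certificate thumbprint. The class name `PinnedCertificatePolicy`, the host `api.example.com` and the all-zero thumbprint are placeholders assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Hypothetical policy (name and pin values are assumptions for this example).
// A certificate the runtime could not validate is accepted only when both the
// request host and the certificate thumbprint match an explicit pin.
public class PinnedCertificatePolicy : ICertificatePolicy
{
    // host -> expected thumbprint (hex string as returned by GetCertHashString()).
    private readonly Dictionary<string, string> pins =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public void Pin(string host, string thumbprint)
    {
        pins[host] = thumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem)
    {
        // 0 means the runtime's own chain validation already succeeded.
        if (certificateProblem == 0)
            return true;
        if (certificate == null || request == null)
            return false;

        string expected;
        if (!pins.TryGetValue(request.RequestUri.Host, out expected))
            return false; // no pin for this host: keep the validation failure

        return string.Equals(certificate.GetCertHashString(), expected,
                             StringComparison.OrdinalIgnoreCase);
    }
}

public static class Program
{
    public static void Main()
    {
        var policy = new PinnedCertificatePolicy();
        // Constructed placeholder values: substitute your endpoint and its real thumbprint.
        policy.Pin("api.example.com", "0000000000000000000000000000000000000000");
        // Process-wide: affects every request made through the System.Net stack.
        ServicePointManager.CertificatePolicy = policy;
    }
}
```

A pinned thumbprint has to be updated whenever the server's certificate is renewed; until then, requests to that host fail closed.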