Introduction
Starting with version 25, the HttpClient has become strict about SSL certificate verification. While this change enhances security, it has inadvertently created significant challenges for many users. This blog post delves into the issues arising from this update.
The Issue
The strict SSL certificate verification introduced in HttpClient v25 has caught many users off guard. It arrived without the notice typically expected for breaking changes and seems to have been implemented hastily following a request on GitHub.
As a result, the update has impacted numerous connections that do not use certificates issued by trusted Certificate Authorities (CAs). This has left users, especially those leveraging self-signed certificates or certificates issued by private CAs, facing connectivity issues.
Impacted Scenarios
Several scenarios are now unsupported due to this update, including:
- Many APIs, including government ones, that use certificates issued by their own CA.
- Self-signed certificates often used in local services or development environments.
Root of the Problem
The core of the problem lies in the fact that the certificate used by many endpoints is issued by authorities not recognized in the trusted store. This leads to the remote certificate validation error, which breaks the connection.
Proposed Solutions
To mitigate these issues, the following actions are strongly recommended:
- Roll Back the Change: Restore the previous behavior of HttpClient as an immediate step to alleviate the current disruptions.
- Implement SSL Override Feature: Introduce a feature similar to .NET’s ability to override standard SSL checks, allowing users to accept self-signed certificates or add a trusted certificate chain.
- Proper Documentation and Adaptation Period: Properly document such changes and provide a sufficient adaptation period, ideally one year, to ensure users can adjust their configurations.
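The .NET mechanism the second proposal refers to, shown as an added C# example (not code from the original post or from the AL HttpClient): the validation callback re-checks an untrusted chain against one specific private root instead of accepting every certificate. The class and method names are hypothetical, and the code assumes .NET 5 or later and a private CA that publishes no revocation endpoint.

```csharp
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PrivateCaHttpClient
{
    // Hypothetical helper: returns an HttpClient that additionally trusts
    // chains ending in the given private root CA certificate.
    public static HttpClient Create(X509Certificate2 privateRoot)
    {
        var handler = new HttpClientHandler
        {
            // Deliberately not "=> true" or DangerousAcceptAnyServerCertificateValidator:
            // those would accept any certificate, including an interceptor's.
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => Validate(cert, chain, errors, privateRoot)
        };
        return new HttpClient(handler);
    }

    public static bool Validate(X509Certificate2? cert, X509Chain? presented,
                                SslPolicyErrors errors, X509Certificate2 privateRoot)
    {
        if (cert is null) return false;
        if (errors == SslPolicyErrors.None) return true;   // system store already trusts it

        // Only an untrusted chain may be re-evaluated; a host name mismatch
        // or a missing certificate always fails.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;

        using var custom = new X509Chain();
        custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        custom.ChainPolicy.CustomTrustStore.Add(privateRoot);
        // Assumption: the private CA publishes no CRL/OCSP endpoint.
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Offer the intermediates the server sent so the chain can be completed.
        if (presented is not null)
            foreach (X509ChainElement element in presented.ChainElements)
                custom.ChainPolicy.ExtraStore.Add(element.Certificate);

        return custom.Build(cert);
    }
}
```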
Conclusion
The update to HttpClient’s SSL certificate verification aims to enhance security but has inadvertently caused widespread disruptions. By implementing the proposed solutions, we can strike a balance between security and functionality, ensuring users can maintain their critical connections without compromising on safety.
GitHub Issue:
SSL Connection fails after update to version 25 (25.0.23364.25412) · Issue #7879 · microsoft/AL
Additional Resources
For further reading on this topic, also check out Stefano Demiliani’s blog post on Dynamics 365 Business Central and Remote Certificate Validation.