I want to warn users about TLS connections with insecure certificates to a Microsoft.Owin self-hosted app similar to this (paraphrasing):
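
    using Owin;
    using System.Web.Http;

    public class Startup
    {
        // Called by the OWIN host at startup to build the request pipeline.
        public void Configuration(IAppBuilder appBuilder)
        {
            HttpConfiguration config = new HttpConfiguration();
            // Single convention-based route: /{controller}/{action}/{id}
            config.Routes.MapHttpRoute(
                name: "API",
                routeTemplate: "{controller}/{action}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
            // Plug ASP.NET Web API into the OWIN pipeline.
            appBuilder.UseWebApi(config);
        }
    }
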
The ServerCertificateValidationCallback is never used in this situation, so this doesn't work:

    ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateCertificate);

How is certificate validation done for connections to a Microsoft.Owin application?

That's because ServerCertificateValidationCallback is used to validate the "remote" certificate for things like HttpClient, but your app is an HTTP server itself.
Such an app picks up the server certificate from the Windows HTTP API, which is usually controlled by the administrators of the machine, and you shouldn't attempt to validate it.
If your goal is to validate browsers/apps sending requests to your app, check the incoming request via ApiController.Request to see if it contains a client certificate.
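
A sketch of the client-certificate check the answer describes, added here as an example and not code from the question or the answer. The controller name, action name and response messages are hypothetical, and it assumes the machine's HTTPS binding is configured to request client certificates (for example `clientcertnegotiation=enable` on the `netsh http add sslcert` binding); without that, `GetClientCertificate()` returns null.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Web.Http;

// Hypothetical controller; with the route template above it answers GET /Status/Check.
public class StatusController : ApiController
{
    [HttpGet]
    public HttpResponseMessage Check()
    {
        // Null when the TLS handshake carried no client certificate.
        X509Certificate2 cert = Request.GetClientCertificate();
        if (cert == null)
            return Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Client certificate required.");

        string problem = DescribeChainProblem(cert);
        if (problem != null)
            return Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Client certificate rejected: " + problem);

        return Request.CreateResponse(HttpStatusCode.OK, "Client certificate accepted: " + cert.Subject);
    }

    // Returns null when the chain builds to a root trusted by this machine,
    // otherwise the chain status flags (for example UntrustedRoot, NotTimeValid).
    private static string DescribeChainProblem(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        try
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            if (chain.Build(cert))
                return null;
            string[] flags = chain.ChainStatus.Select(s => s.Status.ToString()).Distinct().ToArray();
            return flags.Length > 0 ? string.Join(", ", flags) : "chain validation failed";
        }
        finally
        {
            chain.Reset(); // release the chain elements
        }
    }
}
```

A chain that builds to a trusted root only shows who issued the certificate; which subjects or issuers the API accepts is a separate authorization decision.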