question

0 Votes
AmyZ-5475 asked AmyZ-5475 commented

Is disabling Validate certificate chain safe?

Hi, we encountered the following error while test-calling a backend service from the APIM management plane, and have already found a workaround.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.",
"The remote certificate is invalid according to the validation procedure

Workaround:
Disable Validate certificate chain and Validate certificate name under Backends > Properties, and the error is gone.


One question here:
Is the workaround safe? The Azure resource shows http in the protocol, which makes us concerned that this way uses insecure HTTP instead of HTTPS for data transmission.

Need your advice, thank you

azure-api-management

1 Answer

1 Vote
cooldadtx answered AmyZ-5475 commented

Depends. Do you trust the cert chain up to the root? If you do then it is safe to turn it off and it'll speed up things a little. However, that also means that if somebody somewhere along the way injects a bogus cert in the chain (not sure how they'd actually do that on APIM though) then you'd never know. Personally I think you should figure out why the higher level cert(s) is/aren't valid. Did somebody use the wrong one? Have you been hacked? Disabling validation chains should be a last resort and only perhaps in sandbox/test environments where you're dealing with non-sensitive data.

You definitely don't want to use HTTP in your APIs (or websites either). The docs say this can be either http or https so you should be using https. Otherwise the cert validation isn't useful.


@cooldadtx thank you for pointing out the risk. Our team will check to see how to solve the original problem. Here's the full story of this: is-azure-private-dns-the-only-way-to-solve-interna.html


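One way to find out why the backend certificate fails validation before switching either check off, as an added example that is not part of the original thread: a probe that performs a fully validated TLS handshake and reports which of the two APIM backend settings the failure corresponds to. The names `probe` and `classify` and the grouping of OpenSSL verify codes under the two settings are assumptions made for this example, and the probe uses the trust store of the machine it runs on, not APIM's.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes, grouped by the APIM backend setting that would
# hide them if disabled. The grouping is an assumption made for this example.
CHAIN_CODES = {
    2: "issuer certificate not found",
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain (private root not trusted)",
    20: "issuer not in local trust store (missing intermediate or private CA)",
    21: "leaf signature cannot be verified",
}
NAME_CODES = {
    62: "hostname not in certificate SAN/CN",
    64: "IP address not in certificate SAN",
}


def classify(verify_code):
    """Map an OpenSSL verify code to (APIM setting, reason)."""
    if verify_code in CHAIN_CODES:
        return ("Validate certificate chain", CHAIN_CODES[verify_code])
    if verify_code in NAME_CODES:
        return ("Validate certificate name", NAME_CODES[verify_code])
    return ("unknown", f"OpenSSL verify code {verify_code}")


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake with chain and name checks on; None on success, else classify()."""
    # With cafile=None the system trust store is used; pass a private CA bundle
    # to confirm that trusting that CA (instead of disabling checks) fixes it.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <backend-host> [private-ca.pem]
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

A result naming only "Validate certificate name" points at the hostname used in the backend URL, while a chain result that disappears when the private CA file is supplied points at a CA that still has to be trusted by the caller.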