Dynamics 365 Business Central: HttpClient and remote certificate validation future changes.

I think all of you know that the AL HttpClient data type is used for sending HTTP requests to, and receiving HTTP responses from, a resource identified by a URI.

A very basic piece of AL code that sends a GET request to an endpoint and returns the response can be defined as follows:

    procedure GetResponseFromUrl(URL: Text): Text
    var
        HttpClient: HttpClient;
        HttpResponseMessage: HttpResponseMessage;
        Response: Text;
    begin
        // The return value of Get is not checked, so a failed request raises a runtime error
        HttpClient.Get(URL, HttpResponseMessage);
        // Read the response body as text
        HttpResponseMessage.Content.ReadAs(Response);
        exit(Response);
    end;

The AL HttpClient object relies on the standard .NET HttpClient data type.

When you use the HttpClient object in C# over HTTPS, certificate validation is usually performed (unless you disable or change it).

But what happens in Dynamics 365 Business Central?

If you use the AL code above to connect via HTTPS to a remote site whose certificate is expired or invalid (to test this, you can use the public endpoints provided by the BadSSL.com website, for example https://untrusted-root.badssl.com/), with Dynamics 365 Business Central on-premise you will get an error like the following:

The SSL connection could not be established, see inner exception.
The remote certificate is invalid because

With Dynamics 365 Business Central online, you will have the following:

No errors! The remote URL is successfully called by the HttpClient object, without any warnings related to certificate validation, and the content of the destination page (or the result of the remote call) is returned to the client without problems.

It seems that at the moment Dynamics 365 Business Central online is not doing validation for remote certificates.

Microsoft seems to have accepted the reported issue, and the HttpClient behavior will probably change with Business Central version 25.x.

Please remember that in the future a full remote certificate validation check could break some of your existing connections if your third-party endpoint does not have a valid SSL certificate in place (what works today will be an error in v25.x).
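One way to find the endpoints that would break is to probe them from an environment that already validates certificates (on-premise, as shown above). The following is an added example, not code from the original post: the object ID, all names and the second URL are assumptions, and it assumes GetLastErrorText() carries the transport error when Get returns false.

```al
codeunit 50100 "Endpoint Certificate Audit"
{
    // Added example. The object ID, all names and the second URL are assumptions.
    procedure RunAudit()
    var
        Urls: List of [Text];
        Failures: Dictionary of [Text, Text];
        Url: Text;
        Summary: TextBuilder;
    begin
        Urls.Add('https://untrusted-root.badssl.com/'); // test endpoint named in the post
        Urls.Add('https://partner-api.example/orders'); // placeholder for a real integration URL
        FindFailingEndpoints(Urls, Failures);
        if Failures.Count() = 0 then begin
            Message('All %1 endpoints returned a response.', Urls.Count());
            exit;
        end;
        foreach Url in Failures.Keys() do
            Summary.AppendLine(Url + ': ' + Failures.Get(Url));
        Message(Summary.ToText());
    end;

    // Collects every URL whose request failed before any HTTP response arrived.
    procedure FindFailingEndpoints(Urls: List of [Text]; var Failures: Dictionary of [Text, Text])
    var
        Url: Text;
        Reason: Text;
    begin
        foreach Url in Urls do
            if not TryProbe(Url, Reason) then
                Failures.Set(Url, Reason);
    end;

    local procedure TryProbe(Url: Text; var Reason: Text): Boolean
    var
        Client: HttpClient;
        Response: HttpResponseMessage;
    begin
        Clear(Reason);
        // Consuming the Boolean result of Get turns a failed call into "false"
        // instead of an unhandled runtime error.
        if Client.Get(Url, Response) then
            exit(true); // a response arrived, so the TLS handshake succeeded
        if Response.IsBlockedByEnvironment() then
            Reason := 'Outbound HTTP calls are blocked for this extension.'
        else
            Reason := GetLastErrorText(); // assumed to hold the SSL/certificate error text
        exit(false);
    end;
}
```

The reason text separates certificate failures from other transport problems such as DNS errors, so read it before treating an endpoint as a certificate issue.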

There are also performance considerations: this future setting could cause additional delay when establishing the connection with the remote endpoint (remember that if you call an external web service using the HttpClient module in AL, the Business Central Server blocks the execution of AL code for the session until the call completes), but the new behavior will certainly be more secure.

Original Post https://demiliani.com/2024/09/23/dynamics-365-business-central-httpclient-and-remote-certificate-validation-future-changes/
