c# - Randomly throwing "Could not establish trust relationship for the SSL/TLS secure channel"


I know there are several threads about this, but I think my case might be different.

Our application needs to send requests to 2 https URLs: one of them is the reCAPTCHA service, and the other is a government service in Brazil (if you're from Brazil, you know what SEFAZ and NF-e mean :D).

Sometimes, both stop working. The exception is, as the title says, "Could not establish trust relationship for the SSL/TLS secure channel". When one of them starts throwing the exception, the other starts throwing it too, and vice versa: while one of them works, the other works too.

Everything was running fine until a few days ago, when the exception started being thrown randomly. The exception is thrown on our production server and on our internal development server.

So, there are 2 services (reCAPTCHA and the government service) that stop working apparently at the same time on both servers, apparently randomly. They stop working and then start working again.

The CA root is different in both cases. One uses GeoTrust Global CA and the other uses ICP-Brasil.

Based on this thread, I thought maybe the clock was wrong, but apparently it isn't. I check it constantly.

I know this solution:

    // Accepts every certificate, whatever the validation result: disables TLS server authentication.
    ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;

But it doesn't seem safe to me. Is there a problem with using these solutions?

We could use this:

    // Accepts any certificate whose Subject contains "servername", regardless of who issued it or whether it is expired/revoked.
    ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, errors) => cert.Subject.Contains("servername");

But I'm curious why the exception is thrown apparently randomly. I might use that if I can't solve it in the "proper" fashion.

So, I ran out of ideas. Our service runs on Windows Server 2008 R2 and IIS 7.5. What else should I look for?

    ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;

    But it doesn't seem safe to me. Is there a problem with using these solutions?

Uhm, yes! With this, you're allowing every server certificate from any server that you think you're speaking with.

The same goes for this:

    ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, errors) => cert.Subject.Contains("servername");

Only validating the subject won't be enough here. You should at least apply more criteria here, e.g. GetSerialNumberString(), GetPublicKeyString() and GetCertHashString() to verify the correctness of the certificate. But IMHO: don't do this in a live environment - never ever! - only for development and testing purposes.

Regarding the main error - part of this answer linked might be the cause of your issue: when both certificates stop working at the same time, it's an issue with the certificate chain. One part of the chain, which both certificates use, might be unavailable, due to which the chain of trust is broken and the secure channel cannot be established.

As far as I know, you should be able to override ServerCertificateValidationCallback, log the certificate chain, and still return the basic validation result afterwards. That gets you closer to the error's source.
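As an added example (not code from the question or the answer above), here is what a diagnostic callback along the lines the answer describes could look like: it logs the leaf certificate and every chain element together with the chain status the framework computed, returns the framework's own verdict (SslPolicyErrors.None) rather than true, and on top of that pins a known thumbprint per host. The host names and the thumbprints in the dictionary are placeholders that you would replace with the hosts you actually call and the SHA-1 thumbprints shown in the Windows certificate viewer; hosts not listed fall back to normal validation only.

```csharp
// Added example: a logging ServerCertificateValidationCallback with optional per-host
// thumbprint pinning. Not part of the original post; host names and thumbprints below
// are placeholders (assumed), replace them before use.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CertificateValidation
{
    // Assumed placeholders: host -> expected SHA-1 thumbprint (hex, no spaces).
    // Pinning the thumbprint covers serial number and public key at once.
    private static readonly Dictionary<string, string> PinnedThumbprints =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "recaptcha.example", "0000000000000000000000000000000000000000" },
            { "sefaz.example",     "1111111111111111111111111111111111111111" },
        };

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateWithLogging;
    }

    private static bool ValidateWithLogging(object sender, X509Certificate certificate,
                                            X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        var request = sender as HttpWebRequest;
        string host = request != null ? request.RequestUri.Host : "(unknown host)";
        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);

        Console.WriteLine("TLS validation for {0}: policy errors = {1}", host, sslPolicyErrors);
        Console.WriteLine("  subject    : {0}", cert2.Subject);
        Console.WriteLine("  issuer     : {0}", cert2.Issuer);
        Console.WriteLine("  thumbprint : {0}", cert2.Thumbprint);
        Console.WriteLine("  valid      : {0:u} to {1:u}", cert2.NotBefore, cert2.NotAfter);

        if (chain != null)
        {
            // Walk the chain the framework built. A missing intermediate or an untrusted
            // root shows up here as a status such as PartialChain or UntrustedRoot;
            // an unreachable CRL/OCSP responder as RevocationStatusUnknown/OfflineRevocation.
            for (int i = 0; i < chain.ChainElements.Count; i++)
            {
                X509ChainElement element = chain.ChainElements[i];
                Console.WriteLine("  [{0}] {1}", i, element.Certificate.Subject);
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine("       {0}: {1}", status.Status, status.StatusInformation.Trim());
            }
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  chain status: {0}: {1}", status.Status, status.StatusInformation.Trim());
        }

        // Keep the framework's verdict: anything other than None is a real failure.
        // This is what the blanket "=> true" callback throws away.
        if (sslPolicyErrors != SslPolicyErrors.None)
        {
            Console.WriteLine("  REJECTED: {0}", sslPolicyErrors);
            return false;
        }

        // Extra check on top of normal validation: pin the expected thumbprint for
        // hosts we know. Unknown hosts keep the normal result.
        string expected;
        if (PinnedThumbprints.TryGetValue(host, out expected))
        {
            bool pinned = string.Equals(cert2.Thumbprint, expected, StringComparison.OrdinalIgnoreCase);
            if (!pinned)
                Console.WriteLine("  REJECTED: thumbprint does not match pinned value for {0}", host);
            return pinned;
        }
        return true;
    }
}
```

Call CertificateValidation.Install() once at application start (for example in Application_Start) and compare the logged chain status on a failing request with one that succeeds. If the failing runs show the same intermediate missing or a RevocationStatusUnknown on both the reCAPTCHA and the SEFAZ chains, that points at a shared element of the chain or at revocation fetching, not at the two leaf certificates themselves. Remember that thumbprints change whenever the server renews its certificate, so pinned values need an update process.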
