SSL Certificate Check

Discussion in 'ASP .Net' started by jmhmaine, May 11, 2005.

  1. How do I programmatically read an SSL certificate when connecting with
    WebClient? I need to verify that the domain name matches the certificate and that
    the Expiration Date is valid before I post data to another server. Thanks.
     
    jmhmaine, May 11, 2005
    #1

  2. Hi Jmh,

    Welcome to ASPNET newsgroup.
    From your description, you are using the WebClient class to access a certain
    ASP.NET web application which is protected by SSL in IIS. And at the client
    application, you'd like to intercept the validation processing for the
    Server Certificate, yes?

    As for this question, based on my research, when using WebClient (or
    HttpWebRequest) .NET components to access an SSL protected resource, the
    validation process for the Server Certificate is automatically done by the
    default CertificatePolicy (System.Net.DefaultCertificatePolicy). The
    DefaultCertificatePolicy class will always make the connection fail if any
    problems or errors occur. Then, if we need to manually intercept the
    validation process, we can create a custom CertificatePolicy class which
    should implement the ICertificatePolicy interface,

    #ICertificatePolicy Interface
    http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemneticertificatepolicyclasstopic.asp?frame=true

    This interface contains the "CheckValidationResult" method which returns a
    boolean value to indicate whether the Server Certificate is valid. We can
    add our own validation logic in it. The following custom CertificatePolicy
    always returns true to let the server certificate pass the validation (no
    error will occur):

    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    // Custom policy that accepts every server certificate, whatever the problem code.
    public class MyCertPolicy : System.Net.ICertificatePolicy
    {
        public MyCertPolicy()
        {}

        // problem == 0 means the default validation found no error.
        public bool CheckValidationResult(ServicePoint sp,
            X509Certificate cert, WebRequest req, int problem)
        {
            // Always trusts the certificate, so expired or mismatched certificates also pass.
            return true;
        }
    }

    And before we use our WebClient instance to access the remote SSL protected
    app, we need to attach our custom CertificatePolicy instance through the
    System.Net.ServicePointManager.CertificatePolicy property, like:

    =======================
    // Install the custom policy once, before the first HTTPS request is made.
    ServicePointManager.CertificatePolicy = new MyCertPolicy();

    try
    {
        WebRequest myRequest = WebRequest.Create(myUri);
        WebResponse myResponse = myRequest.GetResponse();
        ProcessResponse(myResponse);
        myResponse.Close();
    }
    catch (WebException e)
    {
        // A certificate rejected by the policy also surfaces here as a WebException.
    }
    =================


    Hope this helps. Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], May 12, 2005
    #2

  3. Steven:

    Just to confirm, a failure will occur if:

    * If the domain name does not match the certificate, e.g.
    URL is: https://www.microsoft123.com
    Certificate is: https://www.microsoft.com
    The request will fail?

    * If the certificate expires on 8/1/04 and the current date is 5/12/05,
    the request will fail?

    If both are true, what error message should I look for in my Try/Catch
    statement? Thanks.

     
    jmhmaine, May 12, 2005
    #3
  4. Hi Jmh,

    Thanks for your response.
    As for the try... catch... block, where do you put it? If you just put
    it around your WebClient processing code, I don't think it will provide
    any useful info, since any error that occurs when validating the Server
    Certificate will result in a System.Net.WebException which only indicates that
    the underlying connection failed to establish.

    So we need to use our custom CertificatePolicy class and put our
    interception code in the

    public bool CheckValidationResult(ServicePoint sp,
        X509Certificate cert, WebRequest req, int problem)
    {
        // validation logic goes here
    }

    method. The "int problem" is just the error code indicating what the
    actual error is. Following is the error code / error info mapping
    table:

    public enum CertificateProblem : long
    {
    CertEXPIRED = 0x800B0101,
    CertVALIDITYPERIODNESTING = 0x800B0102,
    CertROLE = 0x800B0103,
    CertPATHLENCONST = 0x800B0104,
    CertCRITICAL = 0x800B0105,
    CertPURPOSE = 0x800B0106,
    CertISSUERCHAINING = 0x800B0107,
    CertMALFORMED = 0x800B0108,
    CertUNTRUSTEDROOT = 0x800B0109,
    CertCHAINING = 0x800B010A,
    CertREVOKED = 0x800B010C,
    CertUNTRUSTEDTESTROOT = 0x800B010D,
    CertREVOCATION_FAILURE = 0x800B010E,
    CertCN_NO_MATCH = 0x800B010F,
    CertWRONG_USAGE = 0x800B0110,
    CertUNTRUSTEDCA = 0x800B0112
    }


    you can also find it in the MSDN document I mentioned in the previous
    message:

    #ICertificatePolicy Interface
    http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemneticertificatepolicyclasstopic.asp?frame=true

    If anything else is unclear, please feel free to post here. Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], May 13, 2005
    #4
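    As an added example (not Steven's or the thread's own code), here is a policy that does what the original question asked on top of the mechanism and problem codes described in posts #2 and #4: it keeps the fail-closed default, but reports whether the certificate was rejected for expiry, for a host name mismatch, or for some other code. The target URL is a placeholder.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example: a policy that fails closed like the default but explains why.
public class StrictCertPolicy : ICertificatePolicy
{
    // Two of the CERT_E_* codes from the mapping table in the thread. The callback
    // receives them as a signed int, so compare through uint to avoid sign trouble.
    const uint CertEXPIRED     = 0x800B0101;
    const uint CertCN_NO_MATCH = 0x800B010F;

    public bool CheckValidationResult(ServicePoint sp, X509Certificate cert,
                                      WebRequest req, int problem)
    {
        if (problem == 0)
            return true;  // chain, validity period and host name all checked out

        uint code = (uint)problem;
        string why;
        switch (code)
        {
            case CertEXPIRED:
                why = "certificate expired on " + cert.GetExpirationDateString();
                break;
            case CertCN_NO_MATCH:
                why = "subject '" + cert.Subject + "' does not match host '"
                      + req.RequestUri.Host + "'";
                break;
            default:
                why = "certificate problem 0x" + code.ToString("X8");
                break;
        }
        Console.Error.WriteLine("Rejecting " + req.RequestUri + ": " + why);
        return false;  // same outcome as DefaultCertificatePolicy, now with a reason
    }
}

class Program
{
    static void Main()
    {
        // .NET 2.0 and later prefer ServicePointManager.ServerCertificateValidationCallback,
        // which passes an X509Chain and SslPolicyErrors instead of this int code.
        ServicePointManager.CertificatePolicy = new StrictCertPolicy();
        WebClient client = new WebClient();
        try
        {
            // placeholder target; replace with the server you actually post to
            string reply = client.UploadString("https://example.invalid/api", "data=1");
            Console.WriteLine(reply);
        }
        catch (WebException e)
        {
            // Reached for any failure, including a policy rejection; the reason
            // is in the line written by CheckValidationResult above.
            Console.Error.WriteLine("Request failed: " + e.Status + " - " + e.Message);
        }
    }
}
```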
  5. Validating Certificate at client side in .net code

    So,
    here we can validate any certificate?
    Also, can we validate certificates issued by VeriSign and other CAs?

    Thanks.
     
    Jun 25, 2009
    #5