SSL Certificate Check


Guest

How do I programmatically read an SSL certificate when connecting with
WebClient? I need to verify the domain name matches the certificate and that
the Expiration Date is valid before I post data to another server. Thanks.
 

Steven Cheng[MSFT]

Hi Jmh,

Welcome to the ASP.NET newsgroup.
From your description, you are using the WebClient class to access a certain
ASP.NET web application which is protected by SSL in IIS. And at the client
application, you'd like to intercept the validation processing for the
Server Certificate, yes?

As for this question, based on my research, when using WebClient (or
HttpWebRequest) net components to access an SSL protected resource, the
validation process for the Server Certificate is automatically done by the
default CertificatePolicy (System.Net.DefaultCertificatePolicy). The
DefaultCertificatePolicy class will always make the connection fail if any
problems or errors occur. Then, if we need to manually intercept the
validation process, we can create a custom CertificatePolicy class which
should implement the ICertificatePolicy interface,

#ICertificatePolicy Interface
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemneticertificatepolicyclasstopic.asp?frame=true

This interface contains the "CheckValidationResult" method, which returns a
boolean value to indicate whether the Server Certificate is valid. We can
add our own validation logic in it. The following custom CertificatePolicy
always returns true to let the server certificate pass the validation (no
error will occur):

using System.Net;
using System.Security.Cryptography.X509Certificates;

// Deliberately permissive policy: every server certificate is accepted, so
// expiry and name-mismatch errors are silently ignored. Only useful to
// observe the "problem" code while developing the real check.
public class MyCertPolicy : System.Net.ICertificatePolicy
{
    public MyCertPolicy()
    {}

    public bool CheckValidationResult(ServicePoint sp,
        X509Certificate cert, WebRequest req, int problem)
    {
        return true;
    }
}

And before we use our WebClient instance to access the remote SSL protected
app, we need to attach our custom CertificatePolicy instance through the
System.Net.ServicePointManager.CertificatePolicy property, like:

=======================
// Attach the custom policy before the first request is issued.
ServicePointManager.CertificatePolicy = new MyCertPolicy();

try
{
    WebRequest myRequest = WebRequest.Create(myUri);
    WebResponse myResponse = myRequest.GetResponse();
    ProcessResponse(myResponse);
    myResponse.Close();
}
catch (WebException e)
{
    // A certificate rejected by the policy surfaces here as a WebException.
}
=================


Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 

Guest

Steven:

Just to confirm, a failure will occur if:

* If the domain name does match the certificate, e.g.
URL is: https://www.microsoft123.com
Certificate is: https://www.microsoft.com
The request will fail?

* If the certificate expires on 8/1/04 and the current date is 5/12/05,
the request will fail?

If both are true, what error message should I look for in my Try/Catch
statement? Thanks.
 

Steven Cheng[MSFT]

Hi Jmh,

Thanks for your response.
As for the try... catch... block, where do you put them? If you just put
them around your WebClient processing code, I don't think it will provide
any useful info, since any error that occurs when validating the Server
Certificate will result in a System.Net.WebException which only indicates
that the underlying connection failed to establish.

So we need to use our custom CertificatePolicy class and put our
interception code in the

public bool CheckValidationResult(ServicePoint sp,
    X509Certificate cert, WebRequest req, int problem)
{
    ...
}

method. The "int problem" is just the error code indicating what the
actual error is that occurred. Following is the error code to error info
mapping table:

public enum CertificateProblem : long
{
    CertEXPIRED = 0x800B0101,
    CertVALIDITYPERIODNESTING = 0x800B0102,
    CertROLE = 0x800B0103,
    CertPATHLENCONST = 0x800B0104,
    CertCRITICAL = 0x800B0105,
    CertPURPOSE = 0x800B0106,
    CertISSUERCHAINING = 0x800B0107,
    CertMALFORMED = 0x800B0108,
    CertUNTRUSTEDROOT = 0x800B0109,
    CertCHAINING = 0x800B010A,
    CertREVOKED = 0x800B010C,
    CertUNTRUSTEDTESTROOT = 0x800B010D,
    CertREVOCATION_FAILURE = 0x800B010E,
    CertCN_NO_MATCH = 0x800B010F,
    CertWRONG_USAGE = 0x800B0110,
    CertUNTRUSTEDCA = 0x800B0112
}


You can also find it in the MSDN document I mentioned in the previous
message:

#ICertificatePolicy Interface
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemneticertificatepolicyclasstopic.asp?frame=true

If anything else is unclear, please feel free to post here. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
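An added example, not code from either reply in this thread: a deny-by-default ICertificatePolicy that combines the interception point from the first reply with the problem-code table from the second, so the two failures the question asks about surface by name (CertCN_NO_MATCH for a host mismatch, CertEXPIRED for a certificate past its validity date) instead of as a bare WebException. The class and name StrictCertPolicy are my own; it assumes .NET 2.0 or later for X509Certificate.Subject, and note that later frameworks mark ICertificatePolicy obsolete in favour of ServicePointManager.ServerCertificateValidationCallback, which receives SslPolicyErrors rather than an int.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Deny-by-default policy (added example): a clean result (problem == 0) is
// accepted after a belt-and-braces validity-window check; any non-zero
// problem code is logged by name and the connection is refused.
// Usage, before the WebClient call:
//   ServicePointManager.CertificatePolicy = new StrictCertPolicy();
public class StrictCertPolicy : ICertificatePolicy
{
    // Subset of the error-code table quoted above (values from the thread).
    public enum CertificateProblem : long
    {
        CertEXPIRED = 0x800B0101,
        CertUNTRUSTEDROOT = 0x800B0109,
        CertREVOKED = 0x800B010C,
        CertREVOCATION_FAILURE = 0x800B010E,
        CertCN_NO_MATCH = 0x800B010F,
        CertUNTRUSTEDCA = 0x800B0112
    }

    public bool CheckValidationResult(ServicePoint sp, X509Certificate cert,
                                      WebRequest req, int problem)
    {
        if (problem == 0)
        {
            // Framework found no error; independently confirm the validity
            // window so a clock or policy slip cannot let an expired cert through.
            DateTime notBefore = DateTime.Parse(cert.GetEffectiveDateString());
            DateTime notAfter = DateTime.Parse(cert.GetExpirationDateString());
            return DateTime.Now >= notBefore && DateTime.Now <= notAfter;
        }

        // "problem" is a signed int, so 0x800B010F arrives negative;
        // widen through uint to recover the HRESULT value from the table.
        long code = (uint)problem;
        string name = Enum.IsDefined(typeof(CertificateProblem), code)
            ? ((CertificateProblem)code).ToString() : "unknown";
        Console.Error.WriteLine("Rejected {0}: 0x{1:X8} ({2}) subject={3}",
            req.RequestUri.Host, code, name, cert.Subject);
        return false;
    }
}
```

Because the policy returns false, the caller still only sees a WebException; the named problem code goes to the error log, which is where the check for "name mismatch" or "expired" belongs.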
 
Validating Certificate at client side in .net code

So,
here we can validate any certificate?
Also, we can validate certificates issued by VeriSign and other CAs?

Thanks.
 
