SSL Certificate Check

How do I programmatically read an SSL certificate when using connecting with
WebClient? I need to verify the domain name matches the certificate and that
the Expiration Date is valid before I post data to another server. Thanks.

 

Hi Jmh,

Welcome to ASPNET newsgroup.
From your description, you are using WebClient class to access a certain
ASP.NET web application which is protected by SSL in IIS. And at the client
application, you'd like to intercept the validation processing for the
Server Certificate , yes?

As for this question, based on my research, when using WebClient (or
HTTPWebRequest) net components to accessing SSL protected resource, the
validation process for the Server Certificate if automatically done by the
default CertificatePolicy(System.Net.DefaultCertificatePolicy). The
DefaultCertificatePolicy class will always make the connection fail if any
problems or errors occur. Then, if we need to manually intercept the
validation process, we can create a custom CertificatePolicy class which
should inplement the ICertificatePolicy interface,

#ICertificatePolicy Interface
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemneticertificat
epolicyclasstopic.asp?frame=true

this interface contains the "CheckValidationResult" method which return a
boolean value to indicate whether the Server Certificate is valid. We can
add our own validation logic in it. The following custom CertificatePolicy
always return true to let the server certificate pass the validation(no
error will occur):

public class MyCertPolicy : System.Net.ICertificatePolicy
{
public MyCertPolicy()
{}

public bool CheckValidationResult(ServicePoint sp,
X509Certificate cert,WebRequest req, int problem)
{

return true;
}
}

And before we use our WebClient instance to access remote SSL protected
app, we need to attache our custom CertificatePolicy instance through the
System.Net.ServicePointManager.CertificatePolicy propety, like:

=======================
ServicePointManager.CertificatePolicy = new MyCertificatePolicy();

try
{
WebRequest myRequest = WebRequest.Create(myUri);
WebResponse myResponse = myRequest.GetResponse();
ProcessResponse(myResponse);
myResponse.Close();
}
catch(WebException e)
{
}
=================


Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

Steven:

Just to confirm, a failure will occur if:

* If the domain name does match the certificate, e.g.
URL is: https://www.microsoft123.com
Certificate is: https://www.microsoft.com
The request will fail?

* If the certificate an expires on 8/1/04 and the current date is 5/12/05,
the request will fail?

If both are true, what error message should I look for in my Try/Catch
statement? Thanks.

 

Hi Jmh,

Thanks for your response.
AS for the try... catch... block ,where do you put them? If you just put
them around your webClient processing code, I don't think it will provide
any useful info since any error occur when validting the Server Certificate
fail will result a System.Net.WebException which only indicate that the
underlying connection fail to establish.

So we need to put our Custom CertificatePolicy class and put our
interception code in the

public bool CheckValidationResult(ServicePoint sp,
X509Certificate cert,WebRequest req, int problem)
{



method. The "int problem" is just the error code indicate what's the
actual error that occurs. Following is the error code---error info mapping
table:

public enum CertificateProblem : long
{
CertEXPIRED = 0x800B0101,
CertVALIDITYPERIODNESTING = 0x800B0102,
CertROLE = 0x800B0103,
CertPATHLENCONST = 0x800B0104,
CertCRITICAL = 0x800B0105,
CertPURPOSE = 0x800B0106,
CertISSUERCHAINING = 0x800B0107,
CertMALFORMED = 0x800B0108,
CertUNTRUSTEDROOT = 0x800B0109,
CertCHAINING = 0x800B010A,
CertREVOKED = 0x800B010C,
CertUNTRUSTEDTESTROOT = 0x800B010D,
CertREVOCATION_FAILURE = 0x800B010E,
CertCN_NO_MATCH = 0x800B010F,
CertWRONG_USAGE = 0x800B0110,
CertUNTRUSTEDCA = 0x800B0112
}


you can also find it in the MSDN document I mentioned in the previous
message:

#ICertificatePolicy Interface
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemneticertificat
epolicyclasstopic.asp?frame=true

If anything else unclear, please feel free to post here. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

Validating Certificate at client side in .net code

So,
here we can validate any certificate ?
Also. we can validate certificate issued by verisign and other CA ?

Thanks.