We have a client that has their own PKI infrastructure and assigns private certs to use as SSL client authentication for application access to their rest APIs.
I need to be able to use a client cert with SslStream and not have it choke that it is not trusted. Users will not be educated enough to know how to add CA certs to their local trusted cert store. Plus, most would not have the access to do so either.
The client application is being written in .Net 4.6.1
What do I need to do to get SslStream not to throw an exception with an locally untrusted client certificate?
Have you looked at the constructor that accepts a certificate validation callback method? https://msdn.microsoft.com/en-us/library/ms145057(v=vs.110).aspx Seems like that's what you are asking to do.
Related
I've read a lot that self-signed certificates should never be used in production because of the lack of security but I wonder if it's still a security risk if I'm the only one who're supposed to connect to the server? Is it for some reason easier to crack a self-signed certificate? I'm creating both the server and client application and the only way for someone else to connect is to create their own client. That means that every time I install the client I also have the possibility to add the certificate to the trusted root certificates.
Or is it safer to continue to use my own encryption implementation using RSA/AES on the message level? The reason I want to use SSL instead is that it's much easier to work with, especially when I want to stream media since I don't have to send it in chunks.
I've read a lot that self-signed certificates should never be used in production because of the lack of security ....
Self-signed certificates by itself are not bad and can also used in production if done properly.
A certificates is safe to use if the peer is able to verify it properly. The usual validation is done based on some trusted root CA contained in the browser or operating system. But that a self-signed certificate can not be validated this way does not mean that it cannot be validated at all because:
You can explicitly add it as trusted to the certificate store of the browser/OS.
You can make an exception on first use after you've verified that the certificate you get in the browser is actually the one which you know (by comparing the fingerprint, not just the subject).
If you have your own application you could ship the application so that it (only) trusts this certificate.
Of course explicitly importing the certificate as trusted or making in exception in the browser does not scale well, because it has do be done for each user. And that's the main point of CA-signed certificates: that the certificate gets implicitly trusted because it is signed by someone trusted instead of that each user has to validate and trust the certificate manually. And this is also the only reason you want to use a CA-signed certificate in production. As long as the certificate is properly validated it does not matter if it was self-signed or not.
Or is it safer to continue to use my own encryption implementation using RSA/AES on the message level?
Never run your own crypto unless you really understand what you are doing.
In this case SSL provides everything you need but you have to know how to use it properly.
From my .net client code, is there a way to obtain details about an SSL certificate being used by a WCF service? Assuming I can already connect successfully over SSL to the service.
I am hoping to report the expiration date of the server certificate on a dashboard. If the certificate has been updated / renewed since the last time the client communicated with the service, I'm trying to detect that as well.
Let's also assume the server cert is a real public cert from godaddy etc. i.e. the cert would not have been explicitly imported into the client store already.
Any thoughts? I was thinking I might find somewhere in System.ServiceModel.ClientBase that I could find this after opening a connection but haven't found anything yet.
Thanks!
Easiest way would probably be to just implement a certificate validation callback on the client so that you can have a chance to look at the SSL certificate provided by the server before it is trusted by the client:
http://msdn.microsoft.com/en-us/library/aa702579(v=vs.110).aspx
I am using managed OpenSSL wrapper for mutual authentication in my project. What I have done till now is sent the client certificate by calling .Net's AuthenticateAsClient function of SslStream and I am getting server certificate along with 3 chain certificate in callback functions from server. But I don't know what to do with this server certificate. Now I have two questions:
Why am I getting error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate error when I am calling AuthenticateAsClient function even if I have Root CA installed on local machine?
How to add server certificate which I have got in callback function from server into key store using managed OpenSSL or what else need to do with this server certificate to finish mutual authentication?
Can anyone please help me to complete this mutual authentication process using OpenSSL.
I need to provide mutual authentication using TLS protocol in my server-client communication. Now under development, client and server run on the same machine. My colleague created one certificate (.pfx file) for me. As it is a two-way authenticate, server and client have to authenticate each other.
This thread Mutual authentication in SSL/TLS discussed in which certificate store a certificate should be located on server side or client side. Now I am confused, as I only have one certificate, I dont know whether it is a client certificate or a server certificate, Can I use one certificate for both, if so where should I locate this certificate for both server and client ?
Thank you for your help !
You can use certificate for both ways, however what's the problem to generate standalone certificate (even self-signed) for client authentication?
In the same way as IE handles the client certificate authentication procedure, I would like to do the same from an installed .Net client app that connects to our web server which has been setup for requiring client certificates.
I know how to open the Select Certificate UI allowing the user to select a client certificate from a list of those that are installed, and then add the certificate to the outgoing HttpWebRequest.
What I can figure out is:
How to determine when a client certificate is required by the server. It's not in the HttpResponse. The status code is 403 but I can't read the substatus.
How to then filter the client certificates in the UI to list only those that are valid based on the server certificate (issued by?).
Thanks in advance.