How do I perform the hardest possible SSL certificate check with .NET code?

We happen to run a REST API service that exposes an https:// endpoint. Recently we changed our SSL certificate and several users, mostly libcurl and Java users, complained that they no longer can validate the certificate and their programs refuse to connect to our service. Other users, including .NET users, didn't observe any problems. Firefox is also happy to open pages on the site with that certificate.

We need to craft some code that validates the certificates the hardest way possible before we use them in production.

I crafted a piece of code that creates a X509Certificate2 object for the certificate and then tries to X509Chain.Build() from it:

using System.IO;
using System.Security.Cryptography.X509Certificates;

var certDataArray = File.ReadAllBytes(path);               // PFX/PKCS#12 bytes on disk
var cert = new X509Certificate2(certDataArray, password);  // load the leaf certificate
var chain = new X509Chain();
var result = chain.Build(cert);      // false if any element of the chain fails validation
var status = chain.ChainStatus;      // X509ChainStatus[] explaining why Build() failed

This code runs okay for our previous certificate (which is not yet expired) and fails (Build() returns false and X509Chain.ChainStatus contains a number of elements - X509ChainStatusFlags.RevocationStatusUnknown, X509ChainStatusFlags.PartialChain, X509ChainStatusFlags.OfflineRevocation). So it looks like for this specific certificate this check is enough.

Is X509Chain.Build() enough to ensure that all of our users can successfully validate the certificate? Are any other checks necessary?

sharptooth Avatar asked Oct 19 '22 03:10



1 Answer

The X509ChainStatusFlags.PartialChain code is a sign you have a problem. At least one certificate in the chain a) does not have an issuer which is already in your local certificate stores and b) does not have a resolvable Authority Information Access extension which lets the system download the cert (though that could also be a network error).

If the missing certificate is the root, then providing it to chain.ChainPolicy.ExtraStore (before calling Build) would change X509ChainStatusFlags.PartialChain to X509ChainStatusFlags.UntrustedRoot. If it's an intermediate then it may well result in the chain building successfully.

The OfflineRevocation code seems weird, since you didn't specify X509RevocationMode.Offline (at least, not in your snippet here).

bartonjs Avatar answered Oct 21 '22 22:10

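The following is an added example, not code from the question or the answer. It puts the answer's advice into a single strict check: it fills chain.ChainPolicy.ExtraStore with the intermediates (and, for diagnosis, the root) before calling Build(), requests online revocation checking for the entire chain, tolerates no verification errors, and then prints every ChainStatus flag so that PartialChain, UntrustedRoot and the revocation-related flags can be told apart. The file paths, the password argument and the class name are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the question or the answer): build the chain with the
// strictest X509ChainPolicy settings and report every status flag, so that a
// PartialChain / UntrustedRoot / revocation problem is visible before deployment.
// The paths, password and extra certificate files are assumptions for illustration.
static class StrictChainCheck
{
    public static bool Validate(string pfxPath, string password, string[] extraCertPaths)
    {
        var leaf = new X509Certificate2(File.ReadAllBytes(pfxPath), password);

        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;      // fetch CRL/OCSP, not cached-only
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain; // every certificate, not just the leaf
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // do not ignore any error
        chain.ChainPolicy.VerificationTime = DateTime.Now;

        // Intermediates (or the root) that a client may not have locally: supplying
        // them here turns PartialChain into either success or UntrustedRoot.
        foreach (var p in extraCertPaths)
            chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(File.ReadAllBytes(p)));

        bool ok = chain.Build(leaf);

        Console.WriteLine($"Build(): {ok}");
        foreach (var element in chain.ChainElements)
        {
            Console.WriteLine($"  {element.Certificate.Subject}");
            foreach (var s in element.ChainElementStatus)
                Console.WriteLine($"    {s.Status}: {s.StatusInformation.Trim()}");
        }

        var flags = chain.ChainStatus.Select(s => s.Status).ToArray();
        if (flags.Contains(X509ChainStatusFlags.PartialChain))
            Console.WriteLine("PartialChain: an issuer is neither in the local stores nor fetchable via AIA; "
                            + "serve the intermediate with the leaf so clients need not download it.");
        if (flags.Contains(X509ChainStatusFlags.UntrustedRoot))
            Console.WriteLine("UntrustedRoot: the chain is complete but its root is not in the trusted store.");
        if (flags.Contains(X509ChainStatusFlags.RevocationStatusUnknown)
            || flags.Contains(X509ChainStatusFlags.OfflineRevocation))
            Console.WriteLine("Revocation status undetermined: check that the CRL/OCSP URLs are reachable.");

        return ok;
    }

    static void Main(string[] args)
    {
        // Usage: StrictChainCheck server.pfx <password> intermediate.cer [more.cer ...]
        var extras = args.Skip(2).ToArray();
        Environment.Exit(Validate(args[0], args[1], extras) ? 0 : 1);
    }
}
```

Run it twice: once with the intermediates in ExtraStore and once without. If the second run reports PartialChain while the first succeeds, the server is relying on clients to fetch the intermediate themselves, which the Windows chain engine does via the AIA extension but many OpenSSL-based libcurl builds and Java clients do not; the fix on the server side is to send the full chain in the TLS handshake rather than only the leaf.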