I cannot get the users to create real certs for their servers but I'd like to do some security checks. So the following is too light because, as I read it, there is no checking on the certs.
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
What do you recommend that I have the clients check on the x509 cert? Given that I'm using a .NET language (c#/f#).
A self-signed certificate is an SSL certificate not signed by a publicly trusted certificate authority (CA) but by one's own private key. The certificate is not validated by a third party and is generally used in low-risk internal networks or in the software development phase.
The web server sends a copy of the SSL certificate to the browser. The browser checks the authenticity of the certificate and sends a message to the webserver. In return, the webserver/website sends a digitally signed acceptance for initiating an SSL encrypted session.
By default, All the self-signed certificate only valid for 90 days, then you will need to renew them every 90 days, which is very troublesome.
If you're using self signed certs then the only errors you should expect is a chain error on the root (Cert. Issuer). I would suggest something like this that traps for that chain error specifically and lets all other errors fall through.
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(
ValidateRemoteCertificate
);
private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors )
{
string trustedIssuer = "CN=www.domain.com";
string trustedDomain = "CN=www.domain.com";
bool policyErr = false;
switch (policyErrors)
{
case SslPolicyErrors.None:
policyErr |= false;
break;
case SslPolicyErrors.RemoteCertificateChainErrors:
bool chainErr = false;
foreach (X509ChainStatus status in chain.ChainStatus)
{
switch (status.Status)
{
case X509ChainStatusFlags.NoError:
chainErr |= false;
break;
case X509ChainStatusFlags.UntrustedRoot:
if (certificate.Subject != trustedDomain || certificate.Issuer != trustedIssuer)
chainErr |= true;
else
chainErr |= false;
break;
default:
chainErr |= true;
break;
}
}
policyErr |= chainErr;
break;
default:
policyErr |= true;
break;
}
return !policyErr;
}
If you can't get the clients to create real certs you should at least try to get them to create certs using your server. Then you can check that the certificate is valid or at least from your CA because you'll know if your CA has been compromised. If you're trusting any and all CAs there's really nothing worth checking.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With