Validating client cert from request

  1. #1

    Validating client cert from request

    Hello,

    I didn't know where else to post this. If this isn't the right group, could
    somebody point me in the right direction?

    We are using the HttpWebRequest object within a winform app to connect to a
    vendor. This vendor requires us to perform some validation on the client
    certificate from their server. This is supposed to authenticate that it is
    coming from the correct server and isn't being spoofed.

    How can I accomplish this? After making a request to their site
    (https://...), the .ClientCertificates collection of the HttpWebRequest
    object does not have anything in the collection?

    Does anybody have any thoughts?

    Thanks,
    cj


    Curtis Justus Guest

  3. #2

    Re: Validating client cert from request

    Actually, if they want you to verify their certificate, that would be the
    server certificate, not the client certificate. The client certificate
    would be the cert you provide BEFORE you connect that they would validate on
    their end (if they want that).

    Luckily, you may not need to do much to validate the server certificate at
    all as .NET is notoriously picky about SSL server cert problems and will
    generally throw an exception if there is anything wrong with the server cert
    (such as expired, untrusted, invalid, doesn't match host name, etc.).

    You can get some more control over this behavior by creating a class that
    implements System.Net.ICertificatePolicy and adding that to the
    ServicePointManager.CertificatePolicy property.
    ICertificatePolicy::CheckValidationResult will give you a copy of the
    certificate, the request and an integer value indicating the cert problem
    that you can inspect. You can return true or false based on those results.
    There is a sample in the SDK docs here:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemNetICertificatePolicyClassTopic.asp?frame=true

    Joe K.

    Joe Kaplan (MVP - ADSI) Guest
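
An added example of the ICertificatePolicy approach described in the reply above; it is not code from the thread or from the linked SDK sample. It goes one step beyond the reply by also comparing the server certificate's hash with an expected value, and the class name `VendorCertificatePolicy`, the host `vendor.example.com` and the hash string are placeholders assumed for illustration.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Hypothetical policy: keeps .NET's strict default (any reported problem is
// fatal) and additionally pins the vendor's server certificate by its hash.
public class VendorCertificatePolicy : ICertificatePolicy
{
    // Assumed values. Take the hash from the vendor out of band, not from
    // whatever certificate the connection happens to present.
    public const string VendorHost = "vendor.example.com";
    private const string ExpectedCertHash = "PLACEHOLDER_CERT_HASH_HEX";

    public bool CheckValidationResult(ServicePoint srvPoint,
        X509Certificate certificate, WebRequest request, int certificateProblem)
    {
        // Non-zero means validation found a problem (expired, untrusted,
        // host name mismatch, ...). Never turn that into "true".
        if (certificateProblem != 0 || certificate == null)
            return false;

        // Other HTTPS hosts get the normal checks only.
        if (String.Compare(request.RequestUri.Host, VendorHost, true) != 0)
            return true;

        // GetCertHashString() returns the certificate hash as hex text.
        return String.Compare(certificate.GetCertHashString(),
                              ExpectedCertHash, true) == 0;
    }
}

public class Program
{
    public static void Main()
    {
        // Process-wide: applies to every HttpWebRequest made afterwards.
        ServicePointManager.CertificatePolicy = new VendorCertificatePolicy();
        WebRequest req = WebRequest.Create(
            "https://" + VendorCertificatePolicy.VendorHost + "/");
        try
        {
            using (WebResponse resp = req.GetResponse())
                Console.WriteLine("Server certificate accepted.");
        }
        catch (WebException ex)
        {
            Console.WriteLine("Request failed: " + ex.Status);
        }
    }
}
```

On .NET Framework 2.0 and later, `ServicePointManager.CertificatePolicy` is marked obsolete in favour of `ServicePointManager.ServerCertificateValidationCallback`, which serves the same purpose.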

  4. #3

    Re: Validating client cert from request

    Joe,

    Thanks for the link. It pointed me where I needed to go.

    Take care,
    cj

    Curtis Justus Guest
