HttpWebRequest and ClientCertificate

[Curtis Justus]

Hello,

I tried posting this in the aspnet.security group, but it seemed like some
posts in this group are closer to what I'm looking for. In any event, I
apologize in advance if this isn't the place to post this...

I have a winform app that is using HttpWebRequest to connect to a site using
SSL (i.e. "https://..."). The vendor requires me to validate some
information on the client certificate I get from their server (to make sure
the site isn't being spoofed).

I have checked the .ClientCertificates collection when connecting with the
request object, but it is empty. How would I be able to get the certificate
that is being used?

Thanks in advance,
cj

 

[Joerg Jooss]

Hello,

I tried posting this in the aspnet.security group, but it seemed like
some posts in this group are closer to what I'm looking for. In any
event, I apologize in advance if this isn't the place to post this...

I have a winform app that is using HttpWebRequest to connect to a
site using SSL (i.e. "https://..."). The vendor requires me to
validate some information on the client certificate I get from their
server (to make sure the site isn't being spoofed).

I guess that should read "server certificate". A client certificate is sent
*by* the client and validated on the server side. Validating your own client
certificate is rather a job for sys ops ;-)

I have checked the .ClientCertificates collection when connecting
with the request object, but it is empty. How would I be able to get
the certificate that is being used?

Because you're looking at the wrong thing. Implementing certificate
verification functionality on the client side is not required, as the
framework already provides this. You can override the framework's behavior
by implementing your own System.Net.ICertificatePolicy. The default policy
permits both valid and valid but expired certificates.


Cheer,