HttpWebRequest - Server Certificate Validation

Dima Maltsev

Hello Group,
I'd like to re-submit the following post in order to get
the Microsoft guys' opinion on the questions below.
Thank you

-------

I am using the HttpWebRequest object to send http POST
requests over https protocol.

The documentation for this class states that it supports
most of the HTTP 1.1 protocol features including server
certificate validation (see this link
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconhttp.asp). However,
it neither explains what validation is supported, nor how
to use this feature.

Here are my questions:
1. What server certificate validation is supported?

2. How do I enable validation (if it's not enabled by
default)?

3. With WinHTTPRequest COM object it was possible to
disable server certificate validation using the
WINHTTP_OPTION_SECURITY_FLAGS flag
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/option_flags.asp). I will
need the same functionality in HttpWebRequest object as we
don't have valid certificates on our Test environments.
How can I do this?

4. Finally, I have to make sure that at least the
following validation is performed in production mode:
Unknown certification authority (CA) or untrusted root
Invalid common name (CN)
Invalid date or certificate expired
Is it all supported by default or do I have to enable it?

Thank you,
Dima Maltsev
 
Yan-Hong Huang[MSFT]

Hello Dima,

Thanks for posting in the group.

For your questions:

1), 2) When a client asks for an https connection, a server certificate is
necessary for it. You don't need to do anything to enable it. To get the server
certificate, you could use:
Request.ServicePoint.Certificate property

3) You could provide a custom policy to validate the server certificate. In this
way, you could validate any server certificate.
Such as:
implement your own ICertificatePolicy that accepts everything (see below)
and set it:
----------------------------------------------------------------------------
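using System.Net;
using System.Security.Cryptography.X509Certificates;

public class AcceptAllCertificatePolicy : ICertificatePolicy
{
    public AcceptAllCertificatePolicy()
    {
        // Nothing to do.
    }

    // Called by the framework for each server certificate;
    // certificateProblem is 0 when validation found no problem.
    public bool CheckValidationResult(ServicePoint srvPoint,
        X509Certificate certificate, WebRequest request,
        int certificateProblem)
    {
        // Just accept, whatever certificateProblem reports.
        return true;
    }
}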

Then in a client:

ServicePointManager.CertificatePolicy = new AcceptAllCertificatePolicy();

// Create the request and receive the response
try
{
    WebRequest myRequest = WebRequest.Create(myUri);
    WebResponse myResponse = myRequest.GetResponse();
    ProcessResponse(myResponse);
    myResponse.Close();
}
// Catch any exceptions
catch (WebException e)
{
    if (e.Status == WebExceptionStatus.TrustFailure)
    {
        // Code for handling security certificate problems goes here.
    }
    // Other exception handling goes here
}

4) I think you could get error information in WebException.
catch (WebException e)
{
    Console.WriteLine("This program is expected to throw WebException on successful run." +
        "\n\nException Message :" + e.Message);

    if (e.Status == WebExceptionStatus.TrustFailure)
    {
        // Code for handling security certificate problems goes here.
        // A trust failure occurs before any HTTP response is received,
        // so e.Response can be null; check before reading the status.
        HttpWebResponse response = e.Response as HttpWebResponse;
        if (response != null)
        {
            Console.WriteLine("Status Code : {0}", response.StatusCode);
            Console.WriteLine("Status Description : {0}", response.StatusDescription);
        }
    }
    // Other exception handling goes here
}

Does that answer your question?

Best regards,
Yanhong Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
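
For questions 3 and 4 together, an added example (not part of the original posts and not Microsoft's code): an ICertificatePolicy that rejects any nonzero certificateProblem, except on explicitly named test hosts, where only the three conditions listed in question 4 are tolerated. The class name, the constant names and the placeholder host name are assumptions; it also assumes a direct connection without a proxy, so that srvPoint.Address is the server being contacted.

```csharp
using System;
using System.Collections;
using System.Globalization;
using System.Net;
using System.Security.Cryptography.X509Certificates;

public class TestHostCertificatePolicy : ICertificatePolicy
{
    // certificateProblem carries a Windows trust HRESULT; 0 means no problem was found.
    private const uint CertExpired       = 0x800B0101; // CERT_E_EXPIRED
    private const uint CertUntrustedRoot = 0x800B0109; // CERT_E_UNTRUSTEDROOT
    private const uint CertCnNoMatch     = 0x800B010F; // CERT_E_CN_NO_MATCH

    private readonly Hashtable testHosts = new Hashtable();

    public TestHostCertificatePolicy(string[] hosts)
    {
        foreach (string h in hosts)   // pass an empty array in production
            testHosts[h.ToLower(CultureInfo.InvariantCulture)] = true;
    }

    // Decision logic kept separate so it can be unit-tested without a network.
    public bool IsAcceptable(string host, int certificateProblem)
    {
        if (certificateProblem == 0)
            return true;              // chain, name and dates all verified
        if (!testHosts.ContainsKey(host.ToLower(CultureInfo.InvariantCulture)))
            return false;             // not a test host: reject every problem
        uint problem = unchecked((uint)certificateProblem);
        return problem == CertUntrustedRoot
            || problem == CertCnNoMatch
            || problem == CertExpired; // anything else is rejected even on test hosts
    }

    public bool CheckValidationResult(ServicePoint srvPoint,
        X509Certificate certificate, WebRequest request, int certificateProblem)
    {
        string host = srvPoint.Address.Host;
        bool ok = IsAcceptable(host, certificateProblem);
        if (certificateProblem != 0)  // leave a trace of every exception that was made
            Console.Error.WriteLine("cert problem 0x{0:X8} for {1}: {2}",
                certificateProblem, host, ok ? "tolerated (test host)" : "rejected");
        return ok;
    }
}
// Hypothetical wiring; "test.example.internal" is a placeholder host name:
// ServicePointManager.CertificatePolicy =
//     new TestHostCertificatePolicy(new string[] { "test.example.internal" });
```

From .NET Framework 2.0 onward ICertificatePolicy is marked obsolete, and ServicePointManager.ServerCertificateValidationCallback fills the same role.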

--------------------
!From: "Dima Maltsev" <[email protected]>
!Subject: HttpWebRequest - Server Certificate Validation
!Date: Mon, 8 Sep 2003 10:59:13 -0700
!Newsgroups: microsoft.public.dotnet.framework