.Net: SSL/TLS and Certificate Pinning


Jeffrey Walton

Hi All,

Is anyone aware of techniques to pin an SSL/TLS certificate in .Net?
Pinning is accepting *only* a known certificate (for example, a
certificate issued to Example.com *and* with thumbprint NNNN...NNNN).

I found Jan Tielen's "Consuming Webservices over HTTPS (SSL)" (http://
weblogs.asp.net/jan/archive/2003/12/04/41154.aspx), which shows how to
use System.Net.ICertificatePolicy and CheckValidationResult on a
Mobile Client (I believe it will extend to desktops and servers). But
I'm not sure if it's Microsoft's 'best practice' for pinning.

Jeff
 
If you want client to check server certificate
then ServicePointManager.ServerCertificateValidationCallback
is an option.

Arne
 
Example:

using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

namespace E
{
    public class MainClass
    {
        public static void Main(string[] args)
        {
            // Process-wide hook: the framework calls it for every server
            // certificate it validates, on connections to any host.
            ServicePointManager.ServerCertificateValidationCallback = MyCheck;
            WebRequest wr = WebRequest.Create("https://arne/");
            using (WebResponse response = wr.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                string html = reader.ReadToEnd();
                Console.WriteLine(html);
            }
        }

        public static bool MyCheck(object sender, X509Certificate certificate,
                                   X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            Console.WriteLine("Name = " + certificate.Subject);
            Console.WriteLine("Effective = " + certificate.GetEffectiveDateString());
            Console.WriteLine("Expiration = " + certificate.GetExpirationDateString());
            Console.WriteLine("Issuer = " + certificate.Issuer);
            // Returning true accepts the certificate whatever sslPolicyErrors says;
            // a pinning check would compare the thumbprint and return false on mismatch.
            return true;
        }
    }
}

Arne
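To turn Arne's callback into the pin Jeff describes (accept *only* a certificate issued to Example.com with a known thumbprint), here is an added example that is neither Arne's nor Jeff's code. It keeps the framework's own validation (sslPolicyErrors must be None), then requires the leaf certificate to match either a known SHA-1 thumbprint or a SHA-256 hash of its public key. The host example.com, the thumbprint and the key-pin strings are placeholders to be replaced with values read from the deployed certificate, and it assumes (as is the case for HttpWebRequest) that the callback's sender argument is the originating request, so the pin is applied only to the pinned host and other connections keep ordinary validation.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace PinningExample
{
    // Added example, not code from the thread. Accepts a server certificate only
    // when the framework's validation already passed AND the leaf certificate
    // matches a configured pin (SHA-1 thumbprint or SHA-256 public key hash).
    public static class PinnedClient
    {
        // PLACEHOLDERS: take the real values from the certificate you deploy.
        private const string PinnedHost = "example.com";
        private const string PinnedThumbprint = "NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN";
        // Base64(SHA-256(public key bytes)); see ComputePublicKeyPin. A backup pin
        // lets you rotate the key without locking out clients that have not updated.
        private static readonly string[] PinnedPublicKeys =
        {
            "PLACEHOLDER-CURRENT-KEY-PIN=",
            "PLACEHOLDER-BACKUP-KEY-PIN=",
        };

        public static void Main(string[] args)
        {
            ServicePointManager.ServerCertificateValidationCallback = PinCheck;

            HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://" + PinnedHost + "/");
            try
            {
                using (WebResponse response = request.GetResponse())
                using (StreamReader reader = new StreamReader(response.GetResponseStream()))
                {
                    Console.WriteLine(reader.ReadToEnd());
                }
            }
            catch (WebException ex)
            {
                // A rejected certificate (pin mismatch included) surfaces here as TrustFailure.
                Console.WriteLine("Request failed: " + ex.Status + " / " + ex.Message);
            }
        }

        public static bool PinCheck(object sender, X509Certificate certificate,
                                    X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            // Never weaken the built-in checks: chain, host name and validity period first.
            if (sslPolicyErrors != SslPolicyErrors.None || certificate == null)
                return false;

            // The callback is process-wide. Assumption: sender is the originating
            // HttpWebRequest, so the pin can be limited to the host it was made for.
            HttpWebRequest request = sender as HttpWebRequest;
            if (request != null &&
                !string.Equals(request.RequestUri.Host, PinnedHost, StringComparison.OrdinalIgnoreCase))
                return true; // other hosts: ordinary validation, already passed above

            X509Certificate2 leaf = new X509Certificate2(certificate);
            return MatchesThumbprint(leaf) || MatchesPublicKeyPin(leaf);
        }

        // Thumbprint pin: SHA-1 over the whole DER certificate, as in the original
        // question. It changes on every renewal, even when the key is kept.
        public static bool MatchesThumbprint(X509Certificate2 cert)
        {
            return string.Equals(cert.Thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
        }

        // Public key pin: survives a renewal that reuses the same key pair.
        public static bool MatchesPublicKeyPin(X509Certificate2 cert)
        {
            string actual = ComputePublicKeyPin(cert);
            foreach (string pin in PinnedPublicKeys)
                if (string.Equals(actual, pin, StringComparison.Ordinal))
                    return true;
            return false;
        }

        // Hashes the DER-encoded public key value (cert.GetPublicKey()), not the
        // full SubjectPublicKeyInfo, so the value is not byte-compatible with
        // HPKP-style SPKI pins; generate the expected strings with this same function.
        public static string ComputePublicKeyPin(X509Certificate2 cert)
        {
            using (SHA256 sha = SHA256.Create())
                return Convert.ToBase64String(sha.ComputeHash(cert.GetPublicKey()));
        }
    }
}
```

Two design points worth keeping in mind: the callback must never return true merely because a pin matched while sslPolicyErrors reports a failure, since that would accept an expired or mis-named certificate; and because the hook is global, a pin check that forgets to scope itself to the pinned host will silently break every other HTTPS connection the process makes. For code built on HttpClient the equivalent hook is HttpClientHandler.ServerCertificateCustomValidationCallback, with the same delegate shape.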
 
In case anyone wants to tug on Microsoft's ear:
http://visualstudio.uservoice.com/f...net-framework-ssl-tls-and-certificate-pinning
 
Thanks Arne. I appreciate the code.

Jeff
 