.Net: SSL/TLS and Certificate Pinning


Jeffrey Walton

Hi All,

Is anyone aware of techniques to pin an SSL/TLS certificate in .Net?
Pinning is accepting *only* a known certificate (for example, a
certificate issued to Example.com *and* with thumbprint NNNN...NNNN).

I found Jan Tielen's "Consuming Webservices over HTTPS (SSL)"
(http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx), which shows how to
use System.Net.ICertificatePolicy and CheckValidationResult on a
Mobile Client (I believe it will extend to desktops and servers). But
I'm not sure if it's Microsoft's 'best practice' for pinning.

Jeff
 

Arne Vajhøj

Is anyone aware of techniques to pin an SSL/TLS certificate in .Net?
Pinning is accepting *only* a known certificate (for example, a
certificate issued to Example.com *and* with thumbprint NNNN...NNNN).

I found Jan Tielen's "Consuming Webservices over HTTPS (SSL)"
(http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx), which shows how to
use System.Net.ICertificatePolicy and CheckValidationResult on a
Mobile Client (I believe it will extend to desktops and servers). But
I'm not sure if it's Microsoft's 'best practice' for pinning.

If you want the client to check the server certificate,
then ServicePointManager.ServerCertificateValidationCallback
is an option.

Arne
 

Arne Vajhøj

If you want the client to check the server certificate,
then ServicePointManager.ServerCertificateValidationCallback
is an option.

Example:

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

namespace E
{
    public class MainClass
    {
        public static void Main(string[] args)
        {
            // Install the callback before the first HTTPS request; it is
            // process-wide and is invoked for every server certificate.
            ServicePointManager.ServerCertificateValidationCallback = MyCheck;
            WebRequest wr = WebRequest.Create("https://arne/");
            string html = new System.IO.StreamReader(wr.GetResponse().GetResponseStream()).ReadToEnd();
            Console.WriteLine(html);
        }

        public static bool MyCheck(object sender, X509Certificate certificate,
                                   X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            Console.WriteLine("Name = " + certificate.Subject);
            Console.WriteLine("Effective = " + certificate.GetEffectiveDateString());
            Console.WriteLine("Expiration = " + certificate.GetExpirationDateString());
            Console.WriteLine("Issuer = " + certificate.Issuer);
            // Demo only: returning true accepts any certificate, whatever
            // sslPolicyErrors says. A pinning check would compare the certificate
            // (or its thumbprint) against the expected value and return false on mismatch.
            return true;
        }
    }
}

Arne
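Building on the callback Arne shows, here is an added example (mine, not code from the thread) that actually pins: for one host it accepts the connection only when the leaf certificate's thumbprint matches a known value, and it leaves every other host on the framework's normal validation. The host name, the thumbprint value, and the class and method names are constructed placeholders of my own.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

namespace E
{
    public static class PinnedClient
    {
        // Constructed placeholders: the host to pin and the SHA-1 thumbprint of the
        // exact certificate it is expected to present (X509Certificate2.Thumbprint).
        const string PinnedHost = "example.com";
        const string PinnedThumbprint = "0000000000000000000000000000000000000000";

        public static bool PinnedCheck(object sender, X509Certificate certificate,
                                       X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            // The callback is process-wide, so apply the pin only to the host we
            // care about; every other host keeps the framework's own verdict.
            HttpWebRequest request = sender as HttpWebRequest;
            bool isPinnedHost = request != null &&
                string.Equals(request.RequestUri.Host, PinnedHost, StringComparison.OrdinalIgnoreCase);
            if (!isPinnedHost)
                return sslPolicyErrors == SslPolicyErrors.None;

            // For the pinned host, require the normal checks (chain, name, validity)
            // to pass AND an exact match on the leaf certificate's thumbprint.
            if (certificate == null || sslPolicyErrors != SslPolicyErrors.None)
                return false;
            X509Certificate2 leaf = new X509Certificate2(certificate);
            return string.Equals(leaf.Thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
        }

        public static string Fetch(string url)
        {
            ServicePointManager.ServerCertificateValidationCallback = PinnedCheck;
            WebRequest wr = WebRequest.Create(url);
            using (WebResponse response = wr.GetResponse())
            using (System.IO.StreamReader reader = new System.IO.StreamReader(response.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
    }
}
```

Calling Fetch against the pinned host with a non-matching certificate fails with a WebException wrapping an AuthenticationException. Pinning the leaf thumbprint also means the client must be updated whenever the certificate is renewed; pinning the public key or the issuing CA is more durable.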
 

Jeffrey Walton

Hi All,

Is anyone aware of techniques to pin an SSL/TLS certificate in .Net?
Pinning is accepting *only* a known certificate (for example, a
certificate issued to Example.com *and* with thumbprint NNNN...NNNN).

I found Jan Tielen's "Consuming Webservices over HTTPS (SSL)"
(http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx), which shows how to
use System.Net.ICertificatePolicy and CheckValidationResult on a
Mobile Client (I believe it will extend to desktops and servers). But
I'm not sure if it's Microsoft's 'best practice' for pinning.

In case anyone wants to tug on Microsoft's ear:
http://visualstudio.uservoice.com/f...net-framework-ssl-tls-and-certificate-pinning
 

Jeffrey Walton

If you want the client to check the server certificate,
then ServicePointManager.ServerCertificateValidationCallback
is an option.

Example:

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

namespace E
{
    public class MainClass
    {
        public static void Main(string[] args)
        {
            // Install the callback before the first HTTPS request; it is
            // process-wide and is invoked for every server certificate.
            ServicePointManager.ServerCertificateValidationCallback = MyCheck;
            WebRequest wr = WebRequest.Create("https://arne/");
            string html = new System.IO.StreamReader(wr.GetResponse().GetResponseStream()).ReadToEnd();
            Console.WriteLine(html);
        }

        public static bool MyCheck(object sender, X509Certificate certificate,
                                   X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            Console.WriteLine("Name = " + certificate.Subject);
            Console.WriteLine("Effective = " + certificate.GetEffectiveDateString());
            Console.WriteLine("Expiration = " + certificate.GetExpirationDateString());
            Console.WriteLine("Issuer = " + certificate.Issuer);
            // Demo only: returning true accepts any certificate, whatever
            // sslPolicyErrors says. A pinning check would compare the certificate
            // (or its thumbprint) against the expected value and return false on mismatch.
            return true;
        }
    }
}

Thanks Arne. I appreciate the code.

Jeff
 