Problem using client certificate with wrong CN name

Carlo Folini

Hi,
I have an assembly embedded in IE.
With this assembly I read a file (GET) from the same site
with no problem.

When I use SSL I get an error because the CN name in the
certificate is different from the server name.
Implementing the ICertificatePolicy I can get rid of the
error.

The problem with this approach is that the assembly runs
with low privilege (local intranet), and implementing
ICertificatePolicy requires full trust.
I think that there isn't a solution (at least
until the "ICertificatePolicy" related class is
implemented in managed code).

I read in the documentation that it is possible to change the
certificate policy behavior by setting a value in the
assembly configuration file.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconhostingremoteobjectsininternetinformationservicesiis.asp?frame=true&hidetoc=true

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.net>
<settings>
<servicePointManager
checkCertificateName="true"
/>
</settings>
</system.net>
</configuration>

Obviously this does not seem to work (I also tried setting the
value to false).

Can someone clarify this problem?

Thanks
Carlo Folini
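As an added illustration of the ICertificatePolicy approach mentioned above (this is example code, not from the original post), the policy below accepts a certificate only when the sole validation problem is the CN/host-name mismatch described in the thread, the request targets one expected host, and the certificate's SHA-1 thumbprint matches a value pinned at deploy time; every other problem is still rejected. The host name and thumbprint are placeholders, and, as the thread notes, installing any ICertificatePolicy still requires full trust.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example: a narrowly scoped ICertificatePolicy for the .NET Framework 1.x
// System.Net API. It tolerates exactly one problem (CN does not match host name)
// for exactly one host and one pinned certificate; everything else stays rejected.
public class PinnedNameMismatchPolicy : ICertificatePolicy
{
    // CERT_E_CN_NO_MATCH: the certificate's CN does not match the requested host name.
    private const int CertCnNoMatch = unchecked((int)0x800B010F);

    private readonly string expectedHost;       // host the assembly may contact (placeholder in usage)
    private readonly string expectedThumbprint; // hex SHA-1 hash of the expected certificate

    public PinnedNameMismatchPolicy(string expectedHost, string expectedThumbprint)
    {
        this.expectedHost = expectedHost;
        this.expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpper(CultureInfo.InvariantCulture);
    }

    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem)
    {
        // No validation problem: keep the framework's own verdict.
        if (certificateProblem == 0)
            return true;

        // Only the name mismatch is tolerated; chain, expiry, revocation errors are not.
        if (certificateProblem != CertCnNoMatch || srvPoint == null || certificate == null)
            return false;

        // ...and only when the request really targets the one host we expect.
        if (String.Compare(srvPoint.Address.Host, expectedHost, true, CultureInfo.InvariantCulture) != 0)
            return false;

        // The certificate must be exactly the one pinned at deploy time.
        string actual = certificate.GetCertHashString().ToUpper(CultureInfo.InvariantCulture);
        return actual == expectedThumbprint;
    }
}

// Usage (hypothetical host name and a placeholder thumbprint; must run with full trust):
// ServicePointManager.CertificatePolicy =
//     new PinnedNameMismatchPolicy("intranet-server", "<SHA1-THUMBPRINT-PLACEHOLDER>");
```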

Jan Tielens

I think there are 2 possible solutions:
1) allow your assembly to run in full trust by creating for example a code
group or a specific key (sign your assembly by giving it a strong name)
2) add the certificate to the certificate store so the certificate will be
trusted

Crasch

Hi,
the solutions aren't applicable in my case.
1) To operate on the originating server I have to let any assembly
have full trust. So essentially I'm throwing the .NET security
mechanism away.
2) Having to deal with a client assembly, I must add the certificate
to every client that uses the assembly (~4k people).

Any other solution?
Any clue on the assembly configuration file?

Carlo

Jan Tielens

If your clients are in an active directory or something like that, you can
propagate a specific security policy (e.g. code group for your app.). Maybe
that's a solution...

Carlo Folini

Hi,
but doing it that way you are again throwing away all the
security mechanisms of the framework.
Having a team of developers making assemblies this way, I
have to give all developers the ability to act with full
trust.

Any clue on the application configuration file?
Is it a viable way?

Thanks
Carlo
-----Original Message-----
If your clients are in an active directory or something like that, you can
propagate a specific security policy (e.g. code group for your app.). Maybe
that's a solution...

Ying-Shen Yu[MSFT]

Hi Carlo,

Have you tried this setting?

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.net>
<settings>
<servicePointManager
checkCertificateName="false"
checkCertificateRevocationList="false"
/>
</settings>
</system.net>
</configuration>

If this doesn't take effect, please feel free to reply to this thread to let us
know and give us a small repro sample.
Thanks!
Best regards,

Ying-Shen Yu [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
This mail should not be replied directly, "online" should be removed before
sending.