RE: How to perform SSL certificate validation ?



Your application must build a certificate chain, collecting the issuing
CA certificate for all CAs up to a trusted root. For externally issued
certificates (ones not issued by your own CA), this is done by
downloading the certificate from the Authority Information Access (AIA)
URL found in the certificate itself. Each certificate in the chain is
validated. The validity of each certificate can be determined based on
a variety of tests (must have all standard X.509 fields, must fit a
format for a specific version, critical extensions, specific OIDs,
revocation check, root check, DNS check, signature check, and time
validity check). For SSL, the root check, DNS check, time validity, and
revocation check are standard.

The root check of external certificates is perfomred by checking whether
the chain (for example, from the web server, to an issuing CA, to
another, to the root CA) connects to a trusted root (which is one either
installed by default in IE or Mozilla or one you manually choose to
import into the store to trust). Basically if you're talking about
validating third-party web servers on the Internet, rely on the Versign,
Thawte etc. commercial CA root certificates in your store by default
(you don't need to add a root CA). If these are internal web servers
issued certificates by an internal private CA, then you'll need to
install the root CA's certificate.

The revocation check occurs by checking the Certificate Revocation List
found at the URL stored in the certificate to make sure the once-valid
certificate you've been presented wasn't revoked since it's issuance
(because of a key compromise, CA compromise, superseding, decommission
of the server, or a temporary hold).

As far as being for MiTM prevention only, certificates are used for many
services:
* Digital signatures: for client authentication and data-origin
validation
* Non-repudiation: proving a signer DID sign a package
* Key encipherment: The public keys (assymmetric encryption) can be used
for symmetric key exchange.
* Data encipherment: The public key itself can be used to encrypt data,
but this never happens because it's so inefficient.
* Key Agreement: The public key can be used for key transport (like in
Diffie-Hellman)
* Signature verfication: The public key can be used to verify a
certificate or CRL's signature.

PKI is used to help provide confidentiality, data-integrity, AND
authentication.

I'm sure there is a tool to perform certificate validation in the method
you need, but I don't know of one and it would depend on your platform
(Windows?, Linux/UNIX?).

For Windows, look into:
* CertUtil (a utility in the Server 2003 Admin Pack). For example,
"certutil -verify -urlfetch example.cer" verifies the certificate chain
of example.cer, printing output for every URL in every certificate in
the chain. It prints out when a URL is validated, can't be reached, and
prints a summary of errors at the end. I'm sure you need something
simpler than that though, and I believe it's usually used by PKI
administrators to check on the health of their own MS CS PKI.
* CAPIMON: "CryptoAPI Monitor (CAPIMON) allows an administrator to
monitor an application's CryptoAPI calls and the results."
http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4
441-9D4C-0CAB35D49A01&displaylang=en
* Generally speaking, the CryptoAPI

This book has a bit of information about certificate services in
general, but is primarily geared toward installing your own CA using MS
Certificate Services: "MS Windows Server 2003 PKI and Certifcate
Security".

Seth Robertson



-----Original Message-----
From: Ncssindia [mailto:ncssindia@xxxxxxxxx]
Sent: Thursday, July 13, 2006 8:18 AM
To: 'Nagareshwar Talekar'; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: How to perform SSL certificate validation ?

There is a product called as Microdasys SCIP, for SSL Verification, can
check for self singed certificated, This will come in handy as a great
tool for SSL.


Best Regards,
Reactor Network and Content Security Solutions

RNCSS Support #1 : rncssindia@xxxxxxxxx
RNCSS Support #2 : rncsscccp@xxxxxxxxx

-----Original Message-----
From: Nagareshwar Talekar [mailto:tnagareshwar@xxxxxxxxx]
Sent: Monday, July 10, 2006 11:46 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: How to perform SSL certificate validation ?

Hi List,

I am working on implementation of LDAP client where in there is
requirement to validate the server's ssl certificate. This is similar to
what browser does in case of ssl enabled website. After reading few
articles over net I came to know that following checks needs to be done
for verfication of ssl certificate.

1) Check if certificate is not expired.
2) Common name on the certificate matches the DNS name of the
server.
3) Checks if the CA is trused.

I don't know how to perform the check for 3rd step. How can we ensure
that CA is trusted? One of my colleague told that I have to store all
trusted root certificates and then compare incoming certificate with
existing ones..

Is there any better way to check this ...?

Also I was told that certificate validation is done to prevent the
SSL-MITM attack Is this the only reason or is there any other reason
for which the SSL certificate validation is done ?

It will be great if you can throw some light in this matter. Any links
to relevant websites will do as well.

Thanks

--
With Regards
Nagareshwar

------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at:

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---


------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at:

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------



Relevant Pages

  • Re: Signtool doesnt add entire chain when signing files
    ... you only need to ensure that the intermediate certificates are included in the signature so that the client can build a chain to the root. ... The root needs to be installed as a trusted root certificate on the client in order for the client to trust the certificate. ... Given that you don't have any intermediate certificates, it doesn't matter or not whether they are included in the signature so it should not matter if there is any difference between the wizard mode and the command line tool mode. ...
    (microsoft.public.platformsdk.security)
  • Error
    ... I have your WS 2008 PKI and Certificate Security book. ... These surfaced when trying to publish my root ... CertUtil: A referral was returned from the server. ...
    (microsoft.public.security)
  • Certutil error
    ... After I ran cmd as an administrator it published the CRL and CRT file in the AD without error. ... I have your WS 2008 PKI and Certificate Security book. ... These surfaced when trying to publish my root ... CertUtil: A referral was returned from the server. ...
    (microsoft.public.security)
  • Re: Schannel CertificateChainValidation failing
    ... I am not fully up to speed with certs (root, end entity, ... valid Windows trusted root cert. ... You've enabled certificate revocation checking, and the validation code ...
    (microsoft.public.platformsdk.security)
  • Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA
    ... certificate and I get a "Cannot verify certificate chain. ... revocation because the revocation server was offline. ... the root ca? ... Online>>> Online Enterprise Subordinate CA ...
    (microsoft.public.windows.server.security)