Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle



Thanks for your reply John,

Well, now I understand the "client certificate" you mean, actually this
should be called "public certificate of the server SSL/HTTPS certificate"
(which only contains the public key to identify the server certificate).

Yes, you can import such a public certificate of server-certificate into
client machine's trusted storage so that the SSL/HTTPS server with the
correct server certificate can be identified. However, this is not
necessary because X509 certificate verification is based on certificate
chain, so the client can correctly validate the certificate as long as the
SSL/HTTPS certificate's CA's certificate is installed or any trusted super
path certificate is installed into trusted storage.

Also, even if your server certificate's public certificate is not
installed, you still have a chance to validate the certificate yourself in
code. In .NET you can use the
"ServicePointManager.ServerCertificateValidationCallback" property to
register such a callback delegate to check the certificate yourself, e.g.

=========================
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ServerCertificateValidator
{
    // Placeholder: replace with the expected value of certificate.GetPublicKeyString()
    private const string ExpectedPublicKey = "xxxxx";

    public static bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Only accept when the normal chain/name/date checks passed ...
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            // ... and the server presented the expected public key
            if (certificate.GetPublicKeyString() == ExpectedPublicKey)
            {
                return true;
            }
        }

        return false;
    }
}

// Register once before the first HTTPS request:
// ServicePointManager.ServerCertificateValidationCallback = ServerCertificateValidator.ValidateServerCertificate;
=========================

You can refer to the following MSDN reference for detailed info:

#ServicePointManager.ServerCertificateValidationCallback Property
http://msdn2.microsoft.com/en-us/library/system.net.servicepointmanager.servercertificatevalidationcallback.aspx


#RemoteCertificateValidationCallback Delegate
http://msdn2.microsoft.com/en-us/library/system.net.security.remotecertificatevalidationcallback.aspx

Please feel free to let me know if there is still anything unclear or
anything I missed.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
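Building on the callback above, here is an added example (not from this post or from MSDN) that keeps the normal chain validation and then pins the server's public key by its SHA-256 hash, so a certificate that is valid but belongs to a different server is still rejected. The class name, the pin list and the base64 placeholder values are assumptions; the .NET members used (ServicePointManager.ServerCertificateValidationCallback, X509Certificate.GetPublicKey, SHA256) exist as written.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Hypothetical helper (not from the original post): chain validation plus public key pinning.
public static class PinnedServerValidator
{
    // Placeholder pins: base64 SHA-256 of the server's public key bytes (see ComputePin); list the next key's pin too so rotation does not break clients.
    private static readonly string[] AllowedPins =
    {
        "<BASE64-SHA256-OF-CURRENT-SERVER-PUBLIC-KEY>",
        "<BASE64-SHA256-OF-NEXT-SERVER-PUBLIC-KEY>",
    };
    // SHA-256 over X509Certificate.GetPublicKey(), the raw public key bytes.
    public static string ComputePin(X509Certificate certificate)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(certificate.GetPublicKey()));
        }
    }
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                                 X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Step 1: the normal checks (trusted chain, name match, validity period) must pass.
        if (sslPolicyErrors != SslPolicyErrors.None)
        {
            Console.Error.WriteLine("TLS validation failed: " + sslPolicyErrors);
            return false;
        }
        // Step 2: the key must be one we expect; this rejects a certificate that is valid
        // but was issued to someone other than our server.
        string pin = ComputePin(certificate);
        foreach (string allowed in AllowedPins)
        {
            if (string.Equals(pin, allowed, StringComparison.Ordinal))
            {
                return true;
            }
        }
        Console.Error.WriteLine("Server public key not in pin list: " + pin);
        return false;
    }
    // Call once at startup, before the first HTTPS/WSE request is made.
    public static void Register()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }
}
```

The ServicePointManager callback is process-wide, so once registered every HTTPS request in the process must present a pinned key; if the process also talks to other servers, restrict the pin check to the WSE endpoint's host (the sender argument is the originating WebRequest) and return sslPolicyErrors == SslPolicyErrors.None for the rest.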