SChannel problems

From: Jan Nitecki (JanNitecki_at_discussions.microsoft.com)
Date: 06/25/04


Date: Fri, 25 Jun 2004 08:43:21 -0700

Some time back I wrote an application using SChannel for the SSL layer. Right now I am reviewing the code to introduce additional security checks, and I found a few problems which I cannot solve alone.
1) While creating SChannel credentials (AcquireCredentialsHandle) it is possible to supply certificates of trusted CAs, but what is sent to the client in the certificate request message is the union of the supplied certificates and those in the trusted root store. I would like to know how to force SChannel to send only the certificates supplied by me.
2) Because of the first problem, the certificate accepted by SChannel may be one of mine or some other one which I don't want to trust (e.g. Verisign). I would like to get the full chain of the client certificate, but through QueryContextAttributes I can get only the end certificate, so I don't know what the root CA for it is (there could be multiple levels of trust, so the issuer of the end certificate is not the top-level certification authority). Building the chain through CertGetCertificateChain succeeds only if the intermediate CA certificates are already stored on the server.
In most cases the chain of the client certificate is supplied only as part of the handshake, so the chain cannot be built and manual verification fails.
There is an article on MSDN giving the steps which are required for manual certificate validation, but it doesn't give any clue how to achieve that.

So a quick summary of the problems is:
1) How to send only an arbitrary list of trusted CAs to the SSL client.
2) How to build the client certificate chain from the SSL context where initially only the top-level CA is stored locally.

I've been stuck on those problems for more than a week and I am starting to believe that they are unresolvable, but I'm still hoping that someone can help me.
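The chain-building logic behind problem 2, as an added example that is not from the original post and does not use the SChannel or CryptoAPI calls named above: it builds a client certificate's chain from the certificates that arrived in the handshake plus a locally stored root, and fails when the intermediate is missing or no trusted root is reached. The three-level CA hierarchy, the names, and the use of the Python `cryptography` library are assumptions constructed for this demonstration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def make_cert(cn, issuer_cn, signing_key, subject_key, is_ca):
    """Minimal test certificate (constructed fixture, not a real PKI)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if issuer's name matches cert.issuer and issuer's key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False

def build_chain(leaf, handshake_certs, trusted_roots):
    """Walk leaf -> intermediates (only those sent in the handshake) -> a locally
    trusted root. Returns the full chain, or None when no trusted path exists."""
    chain, used = [leaf], {id(leaf)}
    while True:
        for root in trusted_roots:
            if signed_by(chain[-1], root):
                return chain + [root]
        nxt = next((c for c in handshake_certs
                    if id(c) not in used and signed_by(chain[-1], c)), None)
        if nxt is None:
            return None           # no usable issuer available: the poster's failure case
        used.add(id(nxt))
        chain.append(nxt)

# Constructed three-level hierarchy; only ROOT is "stored locally" on the server.
root_key, inter_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
ROOT = make_cert("Test Root CA", "Test Root CA", root_key, root_key, True)
INTER = make_cert("Test Intermediate CA", "Test Root CA", root_key, inter_key, True)
LEAF = make_cert("client", "Test Intermediate CA", inter_key, leaf_key, False)
FULL = build_chain(LEAF, [INTER], [ROOT])   # intermediate arrived in the handshake: 3 certs
BROKEN = build_chain(LEAF, [], [ROOT])      # intermediate missing: None
```

A handshake that carries a self-signed root the server does not trust also yields None, since only `trusted_roots` can terminate the walk.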


