Re: Validate SSL server certificate??



The client must install the root certificate and the CA certificate of the
server certificate. The root certificate will be stored in the trusted root
certificates list.

"Tim Ward" <tw2@xxxxxxxxxxxx> wrote in message
news:4fd49jF1iptbvU1@xxxxxxxxxxxxxxxxx
I'm new to this SSPI / SSL / certificate / crypto stuff I'm afraid ...

I'm trying to adapt the WebClient.c SDK sample to my situation. So far I'm
trying to:

(a) make a connection to an SSL server (which is a telecoms device, not a
computer running a web server or anything like that)
(b) perform some validation on the certificate returned by the server, to
try to make sure I've connected to a legitimate device.

I get the SSL connection established OK (after a few days' work). Following
WebClient.c I get the server's certificate with QueryContextAttributes, but
then what validation to perform? WebClient.c seems to suggest that it's
helpful to call CertGetCertificateChain to make a chain from the server
certificate and then call CertVerifyCertificateChainPolicy on the result and
see if that's happy.

Now, the root certificate against which the server certificate is to be
validated is *not* going to be in any Windows certificate store, as it's a
private certificate for use only by this application. So, I can load it into
a certificate store (CertOpenStore to create a memory store, read the
certificate .der file into memory, CertAddEncodedCertificateToStore) but ...

... how do I present this memory store to CertGetCertificateChain in such a
way that CertGetCertificateChain believes that it's a trusted root
certificate so that CertGetCertificateChain refrains from marking the chain
as CERT_TRUST_IS_UNTRUSTED_ROOT?

(No, passing it in hRestrictedTrust to CertCreateCertificateChainEngine does
*not* work.)

--
Tim Ward
Brett Ward Limited - www.brettward.co.uk
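
A worked example, added here and not part of the thread or of the WebClient.c sample, of both routes on Windows: putting the private root into the user's Trusted Root store as the reply above suggests, and validating the device's certificate against that root alone without installing anything. It is PowerShell rather than the SSPI/CryptoAPI C the poster is writing, and it assumes PowerShell 7 (.NET 5 or later, for X509ChainTrustMode.CustomRootTrust) on Windows 8 or later (for Import-Certificate); the file names .\device-root.cer and .\device-ca.cer, the address 192.0.2.10 and the name device.example are placeholders. The native counterpart of CustomRootTrust, which the thread does not mention, is the hExclusiveRoot member of CERT_CHAIN_ENGINE_CONFIG accepted by CertCreateCertificateChainEngine on Windows 7 and later.

```powershell
# Added example, not from the thread. Assumes PowerShell 7 (.NET 5+) on Windows,
# the application's private root in .\device-root.cer (DER), an optional
# intermediate in .\device-ca.cer, and a device reachable at $DeviceHost:$Port.
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Net.Security

# 1. The route the reply above describes: make the private root a trusted root
#    for the current user. Afterwards every chain engine, CertGetCertificateChain
#    included, accepts chains ending in it. Cert:\CurrentUser\Root needs no admin
#    rights; Cert:\LocalMachine\Root does. Without the PKI module the same is
#    done with:  certutil -user -addstore Root .\device-root.cer
function Install-PrivateRoot {
    param([Parameter(Mandatory)][string]$RootPath)
    Import-Certificate -FilePath $RootPath -CertStoreLocation Cert:\CurrentUser\Root
}

# 2. Fetch the device's certificate over TLS. The callback accepts anything so
#    the handshake completes; trust is decided in Test-DeviceCertificate, never here.
function Get-DeviceCertificate {
    param([Parameter(Mandatory)][string]$DeviceHost, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($DeviceHost, $Port)
    try {
        $acceptAll = [RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $tls = [SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        try {
            $tls.AuthenticateAsClient($DeviceHost)
            return [X509Certificate2]::new($tls.RemoteCertificate)
        } finally { $tls.Dispose() }
    } finally { $tcp.Dispose() }
}

# 3. Validate against the private root only, touching no Windows store. With
#    CustomRootTrust the chain can only ever anchor in $Root, so an UntrustedRoot
#    status means "does not chain to our root", not "not in Windows' root list".
function Test-DeviceCertificate {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Leaf,
        [Parameter(Mandatory)][X509Certificate2]$Root,
        [X509Certificate2[]]$Intermediates = @(),
        [string]$ExpectedDnsName
    )
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
    $chain.ChainPolicy.CustomTrustStore.Add($Root) | Out-Null
    foreach ($ca in $Intermediates) { $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null }
    # A private PKI on an embedded device normally has no reachable CRL or OCSP
    # responder; say so explicitly instead of letting an online check fail or hang.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::NoFlag

    if (-not $chain.Build($Leaf)) {
        foreach ($st in $chain.ChainStatus) {
            Write-Warning ("chain: {0} - {1}" -f $st.Status, $st.StatusInformation.Trim())
        }
        return $false
    }
    # Belt and braces: the built chain must terminate in exactly our root.
    $end = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($end.Thumbprint -ne $Root.Thumbprint) {
        Write-Warning "chain ended in '$($end.Subject)', not in the private root"
        return $false
    }
    # X509Chain checks signatures and validity periods, not whose name is on the
    # leaf. Compare the name ourselves when the device should present a fixed one
    # (GetNameInfo reads the SAN dNSName and falls back to the subject CN).
    if ($ExpectedDnsName) {
        $name = $Leaf.GetNameInfo([X509NameType]::DnsName, $false)
        if ($name -ne $ExpectedDnsName) {
            Write-Warning "certificate is for '$name', expected '$ExpectedDnsName'"
            return $false
        }
    }
    return $true
}

# Usage with the placeholder names above.
$root = [X509Certificate2]::new('.\device-root.cer')
$ca   = [X509Certificate2]::new('.\device-ca.cer')
$leaf = Get-DeviceCertificate -DeviceHost '192.0.2.10' -Port 443
if (Test-DeviceCertificate -Leaf $leaf -Root $root -Intermediates @($ca) -ExpectedDnsName 'device.example') {
    'device certificate chains to the private root'
} else {
    'refusing to talk to this device'
}
```

Install-PrivateRoot is the reply's answer and is only needed if the application has to keep using a chain engine that trusts the Windows root store; once the root is in Cert:\CurrentUser\Root, CertGetCertificateChain stops setting CERT_TRUST_IS_UNTRUSTED_ROOT for this chain. Test-DeviceCertificate is the alternative the question asks for: the root stays a file owned by the application, and nothing else on the machine starts trusting it as a side effect.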