Re: Schannel CertificateChainValidation failing



I can think of only two reasons why the certificate validation code would need to access the network.

1. You've enabled certificate revocation checking, and the validation code is attempting to fetch a CRL for one or more of the certificates in the certificate chain.

2. The validation code is attempting to retrieve an intermediate certificate from the net, or maybe even a root certificate. This should not be an issue if the client and server are configured correctly.

The server should be sending the end-entity certificate as well as all intermediate certificates to the client as part of the SSL handshake. The root certificate is not sent. If the server is not configured correctly (e.g. the intermediate certificates are not installed) then the intermediate certificates are not sent to the client, and the client has to connect to the net in an attempt to find them (following the AIA extension of the end-entity certificate).

The root certificate should be installed on the client machine already. Maybe the client-side validation code will attempt to find a suitable root certificate if it isn't installed, but I'm not too familiar with root certificate management stuff.

What version of Windows are you running?

If you were to post your client-side certificate validation code, then perhaps something else will come to mind.

Regards,
John

"Kenney" <Kenney@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:B49AEA54-B4AC-48F0-99C6-D007C7C689A8@xxxxxxxxxxxxxxxx
Hi,

I am trying to validate the certificate chain of a server-sent certificate
during the standard SSL handshake process. Validation is successful when the
system can access the internet, but as soon as the system is locked down (no
internet access) I am getting "...certificate signature could not be
verified..." along with crypt32 errors about not being able to update a 3rd Party
Serial Number.

Now I have noticed a flag CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE on
CertGetCertificateChain which states that using this flag will inhibit the update
of 3rd party roots from the Windows Web Server.

If I use this flag and the update is not performed, will the server cert pass
validation as it seems to do in the open environment?

Cheers,
kenney

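The two network-dependent causes John lists can be told apart with a short PowerShell diagnostic. This is an added example, not code from either poster; it assumes the server's end-entity certificate has been exported to a .cer file (placeholder path) and, optionally, the intermediates the server is supposed to send. It builds the chain through .NET's X509Chain, which wraps CertGetCertificateChain but does not expose CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE, so root auto-update behaviour is left as the system has it.

```powershell
# Added diagnostic (not from this thread). Placeholder inputs: the exported server
# cert and, optionally, the intermediate certs the server should send in the handshake.
param(
    [string]$ServerCertPath      = 'C:\temp\server.cer',   # placeholder path
    [string[]]$IntermediatePaths = @()                     # placeholder, may be empty
)

$ns = 'System.Security.Cryptography.X509Certificates'

function Build-Chain {
    # Builds the chain once with the given revocation mode and returns a summary.
    param($Cert, $Extra, [string]$RevocationMode)   # 'Online' or 'NoCheck'
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    # Fail fast instead of hanging on CRL/AIA URLs when the box is locked down.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(2)
    # ExtraStore stands in for intermediates delivered during the SSL handshake.
    if ($Extra.Count -gt 0) { $chain.ChainPolicy.ExtraStore.AddRange($Extra) }
    $built = $chain.Build($Cert)
    [pscustomobject]@{
        Mode     = $RevocationMode
        Built    = $built
        Elements = $chain.ChainElements.Count
        Status   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
}

$cert = New-Object "$ns.X509Certificate2" $ServerCertPath
[System.Security.Cryptography.X509Certificates.X509Certificate2[]]$inter =
    @($IntermediatePaths | ForEach-Object { New-Object "$ns.X509Certificate2" $_ })

$online  = Build-Chain $cert $inter 'Online'
$noCheck = Build-Chain $cert $inter 'NoCheck'
$online, $noCheck | Format-Table Mode, Built, Elements, @{n='Status'; e={ $_.Status -join ',' }}

# Map the outcome onto the two network-dependent causes discussed in the reply.
if ($noCheck.Status -contains 'PartialChain') {
    'Cause 2: chain does not reach a root from local stores; an intermediate or the root is missing, which is what triggers AIA / root fetches.'
} elseif ($noCheck.Status -contains 'UntrustedRoot') {
    'A root was found but is not in the Trusted Root store; install it locally so no root update is needed.'
} elseif ($noCheck.Built -and -not $online.Built) {
    'Cause 1: the chain itself is fine; only revocation data (CRL/OCSP) needs the network.'
} elseif ($noCheck.Built) {
    'Chain builds without network access.'
} else {
    'Chain failed for another reason: ' + ($noCheck.Status -join ', ')
}
```

Run it once with the machine online and once locked down and compare the two tables: a chain that builds in NoCheck mode offline but fails in Online mode points at revocation fetching, while PartialChain offline points at certificates the client was previously pulling from the net.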
