(StreamSocket) How to disable certificate revocation check on the client side when making SSL connection to remote server?

    Question

  • Dear all,

    With StreamSocket, is there any way to disable the SSL certificate revocation check when making the SSL connection to a remote server?

    Or, in other words, is it possible not to validate the server's certificate with StreamSocket?

    I asked this because we couldn't interact with the SSL handshake procedure. Once we get the connection results, all checks have actually been done. For example, if the revocation check takes too much time, we will have to wait. If there were any properties that we could set before making the connection, it would be good for our app.

    Thanks!


    • Edited by B0L Thursday, June 5, 2014 10:58 AM
    Thursday, June 5, 2014 10:56 AM

Answers

  • First of all, I always point people to the same paper when they ask about reducing SSL checks: "The most dangerous code in the world" [pdf]. It's a very readable, and very terrifying, look at how easy it is for code to make simple (and reasonable) changes that instantly remove most of the security benefits of using SSL/TLS.

    Specifically, what you want to do is outright dangerous.  If you are connecting, and don't actually care about a secure connection, why not just open a plain socket?

    Per your question, you are correct: we always apply our full set of SSL security rules on connections.  It's possible to override the security findings, but the checks are always done.

    I would be surprised if the revocation check was actually responsible for any noticeable slowdown in a client-socket type scenario.  Can you share what your app is doing, and how you're measuring your performance issue? 


    Network Developer Experience Team (Microsoft)

    • Marked as answer by B0L Friday, June 6, 2014 1:06 AM
    Thursday, June 5, 2014 7:57 PM

All replies

  • I don't think so, but I am going to ask our Networking PM to take a look at this post to be sure.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Thursday, June 5, 2014 1:04 PM
    Moderator
  • Hi, Matt and all other dear network gurus from Microsoft: thank you very much for your info.

    We'd like to escape the certificate validation in the local/corporate network environment or other ones that are isolated from the public or external network (thus we or the users assume it is secure and shouldn't be hacked), especially for those self-signed certificates. This scenario is always welcome as we just want the SSL connection to succeed.

    We raise this question because we are now migrating an existing function from our desktop application (which uses OpenSSL) to a Windows Store App. OpenSSL gives the upper callers the ability to decide whether to verify the certificate or not. So we want to make sure whether it is possible not to verify the server's certificate in WinRT.

    Thanks for the confirmation!



    • Edited by B0L Friday, June 6, 2014 1:02 AM
    Friday, June 6, 2014 1:01 AM
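A narrower way to handle the self-signed corporate-server case described in the last reply, given the accepted answer's point that findings can be overridden but never skipped; this is an added example, not code from the thread or from Microsoft. It assumes the Windows 8.1 `StreamSocketControl.IgnorableServerCertificateErrors` and `StreamSocketInformation.ServerCertificate` APIs, which the thread does not name, and a placeholder thumbprint: only the `Untrusted` finding is ignored, and the presented certificate is then pinned, so an expired, mis-named or revoked certificate still fails.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Networking.Sockets;
using Windows.Security.Cryptography.Core;
using Windows.Security.Cryptography.Certificates;

// Connects to a server that presents a known self-signed certificate.
// Instead of switching validation off, only the "Untrusted" finding
// (no trusted CA signed the certificate) is ignored; the presented
// certificate is then compared against a pinned SHA-256 thumbprint.
public static class PinnedSslClient
{
    // Constructed placeholder: replace with the SHA-256 thumbprint of
    // your own server certificate (32 bytes).
    private static readonly byte[] ExpectedSha256 = new byte[32];

    public static async Task<StreamSocket> ConnectAsync(string host, string port)
    {
        var socket = new StreamSocket();
        // Narrowest override for a self-signed cert: every other chain
        // finding (Expired, InvalidName, Revoked, ...) still fails the connect.
        socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
        try
        {
            await socket.ConnectAsync(new HostName(host), port, SocketProtectionLevel.Tls12);

            // The handshake has completed but nothing has been sent yet,
            // so a pin mismatch here leaks no application data.
            Certificate presented = socket.Information.ServerCertificate;
            byte[] actual = presented.GetHashValue(HashAlgorithmNames.Sha256);
            if (!actual.SequenceEqual(ExpectedSha256))
            {
                throw new InvalidOperationException(
                    "Server certificate does not match the pinned thumbprint.");
            }
            return socket;
        }
        catch
        {
            socket.Dispose();
            throw;
        }
    }
}
```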