Suppress SSL server-side credential check in StreamSocket.ConnectAsync() with SocketProtectionLevel.Ssl?

    Question

  • It's not clearly documented, but it seems StreamSocket.ConnectAsync() will return AsyncResult::Error when I try to set up an SSL connection with an IP address. I guess it's because the IP address does not match the server credential information. My original code on other platforms uses OpenSSL to set up an SSL connection with an IP address, and then retrieves and checks the server credential in the application layer. Could anybody point out how to do so on WinRT?

    Thanks,

    Sam

    Monday, November 12, 2012 5:56 AM

Answers

  • You will need to first open the socket and then use UpgradeToSslAsync and specify the host name from the server cert. 

    The most likely cause of your failure is that the server cert is bound to a DNS style name (that's certainly the common case).  But when the ConnectAsync() runs, and tries to validate the server cert, it will validate it against the only name it has, and in your case, you provided an IP address.  Ergo, the name match fails.

    Note that you're not allowed to bypass the SSL check in the Sockets (or any other) metro API.

    • Proposed as answer by Jesse Jiang Friday, November 23, 2012 8:08 AM
    • Marked as answer by Jesse Jiang Friday, November 23, 2012 8:08 AM
    Monday, November 19, 2012 8:06 PM
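    The two-step flow described in the answer, written out in C#/WinRT as an added example (this is editor-supplied code, not code from the thread or from Microsoft). The address 203.0.113.10, port 443, the certificate name server.example.com and the PinnedThumbprint placeholder are assumptions for illustration; none of them appear in the original post. The thumbprint check in step 3 uses StreamSocketInformation.ServerCertificate, which was added in Windows 8.1; on Windows 8, the platform the thread was written against, only the built-in validation in step 2 is available.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Networking.Sockets;
using Windows.Security.Cryptography.Certificates;

// Added example; not code from the original thread.
// Assumptions (none of these are in the original post): the server is reached at the
// documentation address 203.0.113.10 on port 443, its certificate names "server.example.com",
// and PinnedThumbprint is a placeholder for the SHA-1 thumbprint you expect that certificate to have.
public static class SslByIpClient
{
    private const string PinnedThumbprint = "REPLACE-WITH-EXPECTED-SHA1-THUMBPRINT";

    public static async Task<StreamSocket> ConnectAsync(string ipAddress, string port, string certHostName)
    {
        var socket = new StreamSocket();
        try
        {
            // Step 1: plain TCP connect to the IP address. No TLS handshake runs here,
            // so nothing is compared against the certificate yet.
            await socket.ConnectAsync(new HostName(ipAddress), port, SocketProtectionLevel.PlainSocket);

            // Step 2: start TLS on the already-open socket. The HostName passed here is the name the
            // platform matches the server certificate against, so give it the DNS name that is actually
            // in the certificate rather than the address you dialled. Chain building and name matching
            // are still enforced by the platform; they are not skipped.
            // SocketProtectionLevel.Tls12 exists from Windows 8.1; on Windows 8 the only choice is
            // SocketProtectionLevel.Ssl (the value the original question uses).
            await socket.UpgradeToSslAsync(SocketProtectionLevel.Tls12, new HostName(certHostName));

            // Step 3 (Windows 8.1 and later): an application-layer check on top of the platform's
            // validation, here a thumbprint pin. Information.ServerCertificate is not available on
            // Windows 8, where only the built-in validation applies.
            Certificate serverCert = socket.Information.ServerCertificate;
            if (serverCert == null)
            {
                throw new InvalidOperationException("No server certificate available after TLS upgrade.");
            }
            string thumbprint = BitConverter.ToString(serverCert.GetHashValue()).Replace("-", "");
            if (!string.Equals(thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase))
            {
                throw new InvalidOperationException("Server certificate thumbprint does not match the pinned value.");
            }

            return socket;
        }
        catch
        {
            // Never hand back a half-established socket; close it and let the caller see the failure.
            socket.Dispose();
            throw;
        }
    }
}

// Usage (inside an async method of the app):
// StreamSocket s = await SslByIpClient.ConnectAsync("203.0.113.10", "443", "server.example.com");
```

    Note that the pin is an addition to, not a replacement for, the platform's chain and name checks: UpgradeToSslAsync still fails if the certificate does not validate against certHostName. Windows 8.1 later added StreamSocketControl.IgnorableServerCertificateErrors, which lets an app suppress specific validation failures; the answer above predates it, and for the name-mismatch case in this thread the right fix remains passing the certificate's real host name to UpgradeToSslAsync rather than ignoring the error.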

All replies

  • The following link may help you:

    Is a StreamSocket client compatible to openssl-enabled server

    http://social.msdn.microsoft.com/Forums/en-US/winappswithnativecode/thread/2662cac1-fbb6-4ac4-8553-06375d798720



    Monday, November 12, 2012 9:34 AM
  • My StreamSocket can connect to an OpenSSL-based SSL server via domain name with the correct certificate installed on the server. My problem is that I cannot connect to the SSL server using an IP address and verify the server certificate by myself.

    -Sam

    Tuesday, November 13, 2012 3:22 AM
  • Scrutinize the connection flow and handshaking using Network Monitor. I think there is a server credential or certificate problem.
    Tuesday, November 13, 2012 3:52 AM