Schannel by using UpgradeToSslAsync - a few issues.

    Question

  • I am trying to use UpgradeToSslAsync() for StreamSocket in MetroApp.

    The use case is :

    Win32 app using socket2 first connects and communicates with talk.google.com:5222.

    Later it sends Schannel requests to gmail.com. It seems the Win32 Schannel code needs only the remote host name (no service name or port name is required). [This phase is for user authentication]

    Then my app sends/receives encrypted/decrypted data to/from talk.google.com (gmail.com).

    ----

    Now in MetroApp, I do not have access to Schannel resources. So, I wanted to use UpgradeToSslAsync. My understanding is that it should be set on the socket connection established with talk.google.com, because that's where the encrypted data goes to, and decrypted data comes from. And I do not need to encrypt/decrypt anything myself. But when I try to UpgradeToSslAsync on that connection I get this error:

    "The certificate's CN name does not match the passed value."

    It seems to me the talk.google.com server does not have a valid certificate, or does not clear my request for whatever value my UpgradeToSslAsync() had passed to it.

    I was thinking of building a connection to gmail.com and calling UpgradeToSslAsync on it, but that does not help me, because my communication is with talk.google.com.

    So, the summary is:

    Schannel allows certificate authentication from one server, and then data transfer with another (which probably does not have a valid certificate but does support SSL communication).

    UpgradeToSslAsync() in contrast requires the server to have a valid certificate before data transfer. How do I resolve the error I am getting:

    "The certificate's CN name does not match the passed value."

    Thanks in advance.

    Related links:

    DesktopApp:

    InitializeSecurityContext

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa375924(v=vs.85).aspx

    MetroApp: http://msdn.microsoft.com/en-us/library/windows/apps/windows.networking.sockets.streamsocket.upgradetosslasync


    sua

    Saturday, June 9, 2012 8:56 PM

Answers

  • Shafiq - it is by design that Metro style apps will fail an SSL check when the CN on the cert does not match the hostname. It is a security feature, and there is no workaround to allow multiple hostnames to resolve to the CN on the cert.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    • Marked as answer by Jesse Jiang Wednesday, June 20, 2012 9:04 AM
    Tuesday, June 12, 2012 8:24 PM
    Moderator
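The name check Matt refers to, as an added example (Python; not code from this thread or from the Windows Runtime): a TLS client compares the name it expects to be talking to against the names in the server's certificate, and a mismatch is what surfaces as "The certificate's CN name does not match the passed value." The certificates below are constructed dicts standing in for parsed X.509 certificates (not real Google certificates), so the example runs offline. It goes slightly beyond the thread by also applying the subjectAltName and wildcard rules of RFC 6125, which modern clients use in addition to the CN.

```python
"""Hostname verification as a TLS client performs it (added example).

A parsed certificate is modelled as a dict:
    {"subject": {"commonName": "..."},
     "subjectAltName": (("DNS", "..."), ...)}   # optional
"""


def _match_name_pattern(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname (RFC 6125 s6.4.3).

    Comparison is case-insensitive. A wildcard is accepted only when it is
    the entire left-most label, so '*.google.com' matches 'talk.google.com'
    but not 'google.com', 'a.b.google.com' or 'tal*.google.com'. Patterns
    with fewer than three labels (e.g. '*.com') are rejected as too broad.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":          # partial-label wildcards are rejected
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_certificate(cert: dict, expected_host: str) -> bool:
    """Return True when expected_host is covered by the certificate.

    If the certificate carries subjectAltName dNSName entries, only those
    are consulted (RFC 6125 s6.4.4); the subject CN is used as a fallback
    solely for certificates that have no dNSName SAN at all.
    """
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_match_name_pattern(n, expected_host) for n in dns_names)
    cn = cert.get("subject", {}).get("commonName")
    return cn is not None and _match_name_pattern(cn, expected_host)


def verify_or_explain(cert: dict, expected_host: str) -> str:
    """Produce the one-line verdict a client would log for this check."""
    if hostname_matches_certificate(cert, expected_host):
        return f"{expected_host}: certificate name check passed"
    return f"{expected_host}: certificate name does not match expected host"


# Constructed sample certificates (not real certificates).
# A CN-only certificate issued for the service domain.
CERT_CN_ONLY = {"subject": {"commonName": "gmail.com"}}
# The same CN plus SAN entries that also cover the connection hostname.
CERT_WITH_SAN = {
    "subject": {"commonName": "gmail.com"},
    "subjectAltName": (("DNS", "gmail.com"), ("DNS", "*.google.com")),
}

if __name__ == "__main__":
    # Connecting to talk.google.com with a gmail.com-only certificate fails;
    # the same certificate checked against gmail.com passes.
    for host in ("talk.google.com", "gmail.com"):
        print("CN-only  ", verify_or_explain(CERT_CN_ONLY, host))
        print("with SAN ", verify_or_explain(CERT_WITH_SAN, host))
```

The two certificates show the two sides of the thread: a certificate naming only gmail.com cannot be accepted for a connection the client believes is to talk.google.com, whereas a certificate whose SAN also lists *.google.com passes for that same connection without any relaxation of the check.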

All replies

  • Hello,

    Thanks for your feedback, I will involve more experts to investigate it.

    Best regards,

    Jesse


    Jesse Jiang [MSFT]
    MSDN Community Support | Feedback to us

    Tuesday, June 12, 2012 8:42 AM