Schannel by using UpgradeToSslAsync - a few issues.

Question
-
I am trying to use UpgradeToSslAsync() for StreamSocket in a MetroApp.
The use case is:
A Win32 app using socket2 first connects and communicates with talk.google.com:5222.
Later it sends schannel requests to gmail.com. It seems the win32 schannel code needs only the remote host name (no service name or port name is required). [This phase is for user authentication]
Then my app sends/receives encrypted/decrypted data to/from talk.google.com (gmail.com).
----
Now in a MetroApp, I do not have access to schannel resources. So, I wanted to use UpgradeToSslAsync. My understanding is that it should be set on the socket connection established with talk.google.com, because that's where the encrypted data goes to and the decrypted data comes from. And I do not need to encrypt/decrypt anything myself. But when I try UpgradeToSslAsync on that connection I get this error:
"The certificate's CN name does not match the passed value."
It seems to me the talk.google.com server does not have a valid certificate, or does not clear my request for whatever value my UpgradeToSslAsync() call had passed to it.
I was thinking of building a connection to gmail.com and calling UpgradeToSslAsync on it, but that does not help me, because my communication is with talk.google.com.
So, the summary is:
Schannel allows certificate authentication with one server and then data transfer with another (which probably does not have a valid certificate but does support SSL communication).
UpgradeToSslAsync(), in contrast, requires the server to have a valid certificate before data transfer. How do I resolve the error I am getting:
"The certificate's CN name does not match the passed value."
Thanks in advance.
Related links:
DesktopApp:
InitializeSecurityContext
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375924(v=vs.85).aspx
MetroApp: http://msdn.microsoft.com/en-us/library/windows/apps/windows.networking.sockets.streamsocket.upgradetosslasync
sua
Saturday, June 9, 2012 8:56 PM
Answers
-
Shafiq - it is by-design that Metro style apps will fail an SSL check when the CN on the cert does not match the hostname. It is a security feature, and there is no workaround to allow multiple hostnames to resolve to the CN on the cert.
Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.
- Marked as answer by Jesse Jiang Wednesday, June 20, 2012 9:04 AM
Tuesday, June 12, 2012 8:24 PM - Moderator
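The error quoted in the question is the outcome of host name validation: the name the client expects (for StreamSocket, the validationHostName argument passed to UpgradeToSslAsync) is compared against the names the server's certificate carries, the subject CN and, in current certificates, the subjectAltName DNS entries. The Python block below is an added example, not code from this thread or from the WinRT API; it implements that comparison over a constructed certificate dictionary shaped like the output of Python's ssl getpeercert(). The host names and SAN entries in it are assumptions chosen to mirror the question's two hosts.

```python
# Constructed sample shaped like ssl.SSLSocket.getpeercert() output.
# Names are assumptions for illustration, not taken from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "gmail.com"),),),
    "subjectAltName": (
        ("DNS", "gmail.com"),
        ("DNS", "*.gmail.com"),
        ("DNS", "mail.google.com"),
    ),
}

# Legacy-style certificate with no SAN extension, CN only (also constructed).
CN_ONLY_CERT = {
    "subject": ((("commonName", "talk.google.com"),),),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a single leading
    '*' label may stand in for exactly one host label (never for a TLD)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard only allowed as the whole left-most label
    if len(p_labels) != len(h_labels):
        return False  # '*' matches one label, not 'a.b'
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate is valid for. When DNS SAN entries exist they
    are authoritative and the CN is ignored; CN is a fallback for old certs."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def matches_hostname(cert, hostname):
    """True when the expected host name matches at least one certificate name."""
    return any(_dns_match(name, hostname) for name in cert_names(cert))


def validation_error(cert, hostname):
    """None when validation passes, otherwise a message of the kind the
    question quotes: the cert's names do not match the value passed in."""
    if matches_hostname(cert, hostname):
        return None
    return "certificate names %s do not match the passed value %r" % (
        cert_names(cert), hostname)


if __name__ == "__main__":
    # Same certificate, two expected names: the cert's own domain passes,
    # the peer's connection host name does not.
    for expected in ("gmail.com", "talk.google.com"):
        print(expected, "->", validation_error(SAMPLE_CERT, expected) or "ok")
```

The two calls at the bottom show the situation the question describes from the validator's side: the same certificate passes for the name it was issued for and fails for a different connection host name, and the outcome depends only on which expected name the caller supplies, not on which TCP endpoint the socket happens to be connected to.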
All replies
-
Hello,
Thanks for your feedback, I will involve more experts to investigate it.
Best regards,
Jesse
Jesse Jiang [MSFT]
MSDN Community Support | Feedback to us
Tuesday, June 12, 2012 8:42 AM