HTTP-POST using Basic HTTP-Auth: RemoteCertificateNameMismatch | RemoteCertificateChainErrors RRS feed

  • Question

  • Hi

    I have created a C# library that is accessing a remote web-service via HTTP-Post using Basic HTTP authentication.

    However, communicating with this remote web-service only works if I am monitoring the traffic using Fiddler 2, otherwise it returns a 403.

    WebException: {"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."}

    Here is the C# code:

    WebRequest webReq = WebRequest.Create(url); string basicAuthUsernamePassword = String.Format("{0}:{1}", basicAuthUsername, basicAuthPassword); CredentialCache credCache = new CredentialCache(); credCache.Add(new Uri(url), "Basic", new NetworkCredential(basicAuthUsername, basicAuthPassword)); webReq.Credentials = credCache; webReq.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(new ASCIIEncoding().GetBytes(basicAuthUsernamePassword))); webReq.Method = "POST"; webReq.ContentType = ContentTypeFactory(HttpContentTypeEnum.form); byte[] byteArray = Encoding.UTF8.GetBytes(toSend); // Set the ContentLength portion of the header webReq.ContentLength = byteArray.Length; Stream strmReq = null; try { // Create a stream for the POST Request strmReq = webReq.GetRequestStream(); // Write the data to the stream. strmReq.Write(byteArray, 0, byteArray.Length); using (WebResponse webResp = webReq.GetResponse()) { using (Stream strmResp = webResp.GetResponseStream()) { strResponseBody = new StreamReader(strmResp, Encoding.UTF8).ReadToEnd(); } } success = true; }

    However, if I turn on Fiddler 2 and try calling the web-service again, it is successful.

    Note: upon the first connection to this remote web-services just after Fiddler 2 has started, Fiddler pops up with a modal dialog "Ignore remote certificate error?", with buttons "Yes" and "No":

    Session #2: The remote server (qa-svc-2-307416956.-------.com) presented a certificate that did not validate, due to RemoteCertificateNameMismatch, RemoteCertificateChainErrors.
    SUBJECT: CN=preview.-----.com, OU=Domain Validated, OU=Thawte SSL123 certificate, OU=Go to https://www.thawte.com/repository/index.html, O=preview.tangocard.com
    ISSUER: CN=Thawte DV SSL CA, OU=Domain Validated SSL, O="Thawte, Inc.", C=US
    EXPIRES: 9/23/2011 4:59:59 PM
    (This warning can be disabled by clicking Tools | Fiddler Options.)

    If I hit "Yes", and proceeds on successfully to send HTTP-Post to remote web-service. And as long as Fiddler 2 is up, then all requests to the remote web-service runs without problems and the aforementioned modal dialog does not appear.

    If I hit "No", then access fails.

    I next added the following line of code to the top of the aforementioned code block:

    ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(AcceptAllCertifications);

    And new member function:

    public bool AcceptAllCertifications(
    	object sender, 
    	System.Security.Cryptography.X509Certificates.X509Certificate certification, 
    	System.Security.Cryptography.X509Certificates.X509Chain chain, 
    	System.Net.Security.SslPolicyErrors sslPolicyErrors
    	return true;

    By monitoring the value within parameter System.Net.Security.SslPolicyErrors sslPolicyErrors, it is returning:

    RemoteCertificateNameMismatch | RemoteCertificateChainErrors

    What does this mean, and what steps are needed to correct my Basic HTTP-auth problem so that these SSL Policy Errors do not occur?


    Jeff in Seattle

    Thursday, April 19, 2012 3:11 PM

All replies

  • Did you try to access the web server via URL with "hostname=preview.-----.com"? If not, your client-side will reject the certificate.

    Opening with Fiddler2 works because when you choose to inspect the request there, it has to replace the certificate with a self generated one anyway. And the certificate generated by Fiddler2 should match the hostname.

    After you've applied the validation callback the error should disappear, but I'll advise you to change the code to use the one provided here, or you just dropped one of the points of having a "real" certificate for SSL.

    Friday, April 20, 2012 2:53 AM
  • Hi

    Thank you for your reply

    I called my service with using this URL: https://qa-svc------1.elb.amazonaws.com/User/authenticate

    And I included in with the body of the request: hostname=preview.-----.com

    hostname	preview.-----.com
    username	jeff@------.com
    password	********
    user_type	TANGO

    However, the System.Net.Security.SslPolicyErrors sslPolicyErrors remained the same.

    I will review and implement your referenced code.


    Jeff in Seattle

    Jeff in Seattle

    Saturday, April 21, 2012 12:21 AM
  • The sslPolicyErrors is set by upper chain of SSL validation, so you can have a say on what kind of validation errors to ignore.

    For example, in the example code I was pointing to, the function checks to see if there's error in CertificateNameDismatch. If there are then check to see the current zone of request, if the request is to Localhost or an Intranet host, just ignore it.

    I see you also have certificate chain error. The error is because you certificate has already expired:

    EXPIRES: 9/23/2011 4:59:59 PM

    You may want to renew the certificate before this is going to production. In the meanwhile, comment out the "return false" after check for "SslPolicyErrors.RemoteCertificateChainErrors".

    • Edited by cheong00 Saturday, April 21, 2012 2:11 AM
    Saturday, April 21, 2012 2:11 AM