Windows Store apps TLS/SSL connection failure: "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." What is the actual problem?

    Question

  • I am trying to connect to a server on a TLS port using the TLS/SSL support of the Windows Store App socket APIs.

    tcpSocket->ConnectAsync(endpointPair, Windows::Networking::Sockets::SocketProtectionLevel::Ssl)

    Here, the remote IP and port in the endpoint pair support SSL connections.

    HRESULT: 0x800B0109 = Connect failed with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

    In a previous desktop application I have been able to establish a connection with the same server port over SSL using the third-party library OpenSSL.

    My question is whether the problem is on the client side or the server side.

    And how do I fix this problem?

    Thanks

    Monday, April 29, 2013 2:13 AM

All replies

  • My assumption is that the server I am trying to connect to uses a self-signed certificate instead of one issued by an authorized CA. So on the client end, the server's certificate verification failed as it doesn't find the server's root CA in the trusted list.

    So, my guess is I have to add the server root CA (which is self-created, not from an authority) to my application's trusted root certificates list.

    Package.appxmanifest -> Declarations -> Available Declarations -> Certificates -> (add server's root CA) could be the solution.

    As I don't have my server's certificate right now, I haven't tested it.

    Can anyone explain to me if I am right or wrong?


    Monday, April 29, 2013 8:16 AM
  • I will involve more experts to investigate it.


    Best regards,

    Jesse


    Jesse Jiang
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Tuesday, April 30, 2013 4:13 AM
  • Hi,

    I added the server root CA (it's self-signed) to my trusted CA list.

    Then the previous error was gone.

    But it is showing another error:

    HRESULT: 0x800B010F = Connect failed with error: The certificate's CN name does not match the passed value

    In this case, where does the passed value come from?

    I am not sure about this error. Should the domain name of a server and its certificate's CN name be the same?

    If so, should the client check it during verification?

    I need to know what Microsoft internally does for the verification of the server certificate. I will prepare my server certificate accordingly.

    Is there any document where I can see the criteria by which a Windows Store app accepts the server's certificate?
    Friday, May 3, 2013 7:26 AM
  • Hi there,

    check: http://answers.flyppdevportal.com/categories/metro/nativecode.aspx?ID=296f23d3-6143-4b9f-b92b-4a866fddf4bd

    "It is by-design that Metro style apps will fail an SSL check when the CN on the cert does not match the hostname. It is a security feature, and there is no workaround to allow multiple hostnames to resolve to the CN on the cert."

    and also check the comments on this post for more useful info: http://social.msdn.microsoft.com/Forums/en-US/winappswithcsharp/thread/18adca2e-7e8c-40d0-a82a-9cbfd529097a

    and troubleshooting your cert: http://blogs.msdn.com/b/jpsanders/archive/2009/09/16/troubleshooting-asp-net-the-remote-certificate-is-invalid-according-to-the-validation-procedure.aspx

    Regards,

    Jenny


    Monday, May 6, 2013 8:49 AM
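    As an added example (not code from this thread, nor Microsoft's implementation), here is a plain-Python model of the hostname check behind the 0x800B010F error: the "passed value" is the host name the client connected with, and it is compared against the certificate's subjectAltName DNS entries (or, only when none exist, the CN) using the RFC 6125 rules. The certificate dictionaries are constructed samples in the layout returned by Python's ssl.SSLSocket.getpeercert(); Schannel's internal logic may differ in details.

```python
import ipaddress

def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name (possibly a '*.example.com' wildcard)
    with the hostname the client connected to, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # RFC 6125: the wildcard must be the whole left-most label, must not
    # cover a public suffix like '*.com', and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the certificate covers 'hostname'. 'cert' follows the
    layout of ssl.SSLSocket.getpeercert(): 'subjectAltName' is a tuple of
    (type, value) pairs, 'subject' a tuple of RDNs with ('commonName', v)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for t, v in sans if t == "DNS"]
    ip_names = [v for t, v in sans if t == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP literal: only an iPAddress SAN can match, never the CN.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        # Any dNSName SAN present: the CN is ignored entirely.
        return any(_name_matches(n, hostname) for n in dns_names)
    # Legacy fallback: the CN is consulted only when no dNSName SAN exists.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(cn, hostname) for cn in cns)

# Constructed sample certificates (not real ones).
SELF_SIGNED_CN_ONLY = {"subject": ((("commonName", "myserver.local"),),)}
WITH_SAN = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    # Connecting by IP while the cert only carries a CN is the 0x800B010F situation.
    print(hostname_matches(SELF_SIGNED_CN_ONLY, "myserver.local"))  # True
    print(hostname_matches(SELF_SIGNED_CN_ONLY, "192.0.2.10"))      # False
```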
  • Hi,


    It's possible to ignore server certificate errors with StreamSocket.

    This is how I do it in my C# app. You can follow a similar path in C++.

    try
    {
        await socket.ConnectAsync(new HostName("myhost.com"),
            "443", SocketProtectionLevel.Ssl);
    }
    catch (Exception e)
    {
        // Only certificate problems Windows classifies as Ignorable can be overridden;
        // errors reported with Fatal severity cannot be bypassed this way.
        if (socket.Information.ServerCertificateErrorSeverity == SocketSslErrorSeverity.Ignorable
            && socket.Information.ServerCertificateErrors.Count > 0)
        {
            // Accept exactly the errors reported by the failed handshake...
            socket.Control.IgnorableServerCertificateErrors.Clear();
            foreach (ChainValidationResult ignorableError in socket.Information.ServerCertificateErrors)
            {
                socket.Control.IgnorableServerCertificateErrors.Add(ignorableError);
            }
            // ...and retry the connection with them ignored.
            await socket.ConnectAsync(new HostName("myhost.com"), "443", SocketProtectionLevel.Ssl);
        }
    }

    Hope this helps.


    Regards


    Monday, October 6, 2014 6:29 AM