locked
Can a client take control on TLS certificate verification process in WinRT?

    Question

  • WinRT provides  two API for TLS connection:

    ConnectAsync(remoteHost,SocketProtectionLevel)

    UpgradeToSslAsync(SocketProtectionLevel,remoteAddress))

    Both the API internally verify the server certificate.Is there any way to provide the certificate to  the client so that application developer can verify the certificate manual way.

    Or is there any way to get the server certificate during TLS connection.

     I am using  visual studio 2012 with SDK 8.0.

    • Edited by Fahad_Ahmed Monday, March 10, 2014 7:04 AM change information
    Monday, March 10, 2014 3:52 AM

Answers

  • First of all, read The Most Dangerous Code in the World; their analysis is that many apps, when they override standard TLS/SSL security, in fact are too lenient and needlessly expose their customer's secrets. 

    To help reduce the security threat, coding guidelines at Microsoft are to always fail the SSL check first, examine the errors, display the errors to the user, and only then allow any kind of override.  And the default should be, "no, don't trust this site".

    That said, the Information class tells you about the server certificate that was returned.  If you want to control the SSL/TLS acceptance, you need to look at the 'control' class here.  You'll need to add just the one or two values you need to the IgnorableServerCertificateErrors vector.

    You can add to the security of the SSL/TLS connection by examining the returned server certificate; we also provide the ServerIntermediateCertificates so that you can build and validate a customer certificate chain with stricter security than the typical SSL/TLS session.

    Can I ask why you need to override the typical security?


    Network Developer Experience Team (Microsoft)

    Monday, March 10, 2014 5:47 PM

All replies

  • I get API reference for windows SDK 8.1.

    http://msdn.microsoft.com/en-US/library/windows/apps/windows.networking.sockets.streamsocketinformation

    That means i need to upgrade my SDK from 8.0 to 8.1 to get those functionality.

    But till not find any way to take total control of verification process during SSL connection to verify the certificate manually in client application .

    Monday, March 10, 2014 7:14 AM
  • First of all, read The Most Dangerous Code in the World; their analysis is that many apps, when they override standard TLS/SSL security, in fact are too lenient and needlessly expose their customer's secrets. 

    To help reduce the security threat, coding guidelines at Microsoft are to always fail the SSL check first, examine the errors, display the errors to the user, and only then allow any kind of override.  And the default should be, "no, don't trust this site".

    That said, the Information class tells you about the server certificate that was returned.  If you want to control the SSL/TLS acceptance, you need to look at the 'control' class here.  You'll need to add just the one or two values you need to the IgnorableServerCertificateErrors vector.

    You can add to the security of the SSL/TLS connection by examining the returned server certificate; we also provide the ServerIntermediateCertificates so that you can build and validate a customer certificate chain with stricter security than the typical SSL/TLS session.

    Can I ask why you need to override the typical security?


    Network Developer Experience Team (Microsoft)

    Monday, March 10, 2014 5:47 PM
  • Thanks for you reply .Its been a nice feature in 8.1 to provide a control in  IgnorableServerCertificateErrors  during ssl connection.

    Yes I do agree with you about the security of the application.I just want to check if it is possible to go for a customized certificate verification(like as openssl) rather than a standard verification process.

    IgnorableServerCertificateErrors  seems quite handy in this case.

    Thank you

    Tuesday, March 11, 2014 5:28 PM