What are those ignorable certificate errors after the SSL connection with StreamSocket to the remote server failed?

    Question

  • Hi, dear all,

     

    Win8.1 has given apps the ability to ignore some SSL certificate errors. Jeff Sanders has made an example of doing this via HttpClient in C#, but it is the same in C++ with StreamSocket.

    When we make an SSL connection to the remote server with StreamSocket, the connection might fail with SSL certificate errors. If the ServerCertificateErrorSeverity is ignorable, it means that there are certificate errors that could be ignored. Thus we could add them to the vector StreamSocket::StreamSocketControl::IgnorableServerCertificateErrors. Later we could re-connect to the remote server with the same StreamSocket.

    The ignorable errors are actually a vector of ChainValidationResult enumeration.

     

    What I am not clear about is:

    1. For any SSL certificate error, if it couldn't be ignored, then it will not be present in StreamSocket::StreamSocketControl::IgnorableServerCertificateErrors. Is that right? (I think it should be yes.)

    2. Are all those enumeration values in ChainValidationResult ignorable?

    3. The last enumeration value is "otherErrors". I personally think that all those errors that couldn't be ignored have been excluded from the enumeration, thus the "otherErrors" is not in the list of errors that couldn't be ignored. But would it be possible that the SSL connection would still fail after adding "otherErrors" to the ignorable list?

    4. Is there a list that contains all ignorable and un-ignorable SSL certificate errors? 

     

    Thanks!

    Friday, June 6, 2014 11:04 AM

Answers

  • Hi B0L,

    Here are the answers to your questions above, inline:

    1. For any SSL certificate error, if it couldn't be ignored, then it will not be present in StreamSocket::StreamSocketControl::IgnorableServerCertificateErrors. Is that right? (I think it should be yes.)

    [Prashant]: Yes, that is correct. If you try to add/append a ChainValidationResult::<value> where the value is not ignorable, then the Append (Add in C#) call will throw a "The parameter is incorrect" exception.

    2. Are all those enumeration values in ChainValidationResult ignorable?

    [Prashant]: No, not all errors are ignorable.

    3. The last enumeration value is "otherErrors". I personally think that all those errors that couldn't be ignored have been excluded from the enumeration, thus the "otherErrors" is not in the list of errors that couldn't be ignored. But would it be possible that the SSL connection would still fail after adding "otherErrors" to the ignorable list?

    [Prashant]: You cannot add "OtherErrors" to the IgnorableServerCertificateErrors collection. Doing so throws an exception saying "The parameter is incorrect". OtherErrors is really not a server certificate validation error and could mean other types of errors, such as access denied due to weird registry issues or some unrelated errors that don't map to Cryptography errors.

    4. Is there a list that contains all ignorable and un-ignorable SSL certificate errors? 

    [Prashant]: There doesn't appear to be any external documentation stating what is ignorable vs. not ignorable (other than doing the Add/Append yourself and seeing which throws the exception :)...), but here's the complete list of what is ignorable vs. not-ignorable:

    Ignorable:
    ==========
    "Untrusted", "Expired", "IncompleteChain", "WrongUsage", "InvalidName", "RevocationInformationMissing", "RevocationFailure"

    Not-Ignorable:
    ===============
    "Success", "Revoked", "InvalidSignature", "InvalidCertificateAuthorityPolicy", "BasicConstraintsError", "UnknownCriticalExtension", "OtherErrors"

    Thanks,

    Prashant


    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol || Want more solutions? See our blog


    Monday, June 9, 2014 9:54 PM
    Moderator
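    The procedure from the question (connect, inspect the certificate errors, append the ignorable ones, reconnect) and the ignorable/not-ignorable split from the accepted answer, as an added example that is not code from the thread and not Microsoft's StreamSocket API. It is a plain C++ model: the enum mirrors the ChainValidationResult names on this page, isIgnorable() encodes Prashant's list, the Append stand-in throws "The parameter is incorrect" for non-ignorable values as he describes, and reconnectWouldSucceed() shows why a Revoked or InvalidSignature result can never be cleared by this mechanism. disablesServerAuthentication() is my own defender's check, not something the thread states: a policy that ignores Untrusted or InvalidName no longer verifies which server the app is talking to.

```cpp
#include <algorithm>
#include <cstddef>
#include <initializer_list>
#include <stdexcept>
#include <vector>

// Mirror of the WinRT ChainValidationResult enumeration named in the thread
// (names only; an illustration model, not the WinRT type itself).
enum class ChainValidationResult {
    Success, Untrusted, Revoked, Expired, IncompleteChain, InvalidSignature,
    WrongUsage, InvalidName, InvalidCertificateAuthorityPolicy,
    BasicConstraintsError, UnknownCriticalExtension,
    RevocationInformationMissing, RevocationFailure, OtherErrors
};

// The ignorable set exactly as listed in the accepted answer; everything else
// (including Success and OtherErrors) is rejected by Append.
bool isIgnorable(ChainValidationResult r) {
    switch (r) {
        case ChainValidationResult::Untrusted:
        case ChainValidationResult::Expired:
        case ChainValidationResult::IncompleteChain:
        case ChainValidationResult::WrongUsage:
        case ChainValidationResult::InvalidName:
        case ChainValidationResult::RevocationInformationMissing:
        case ChainValidationResult::RevocationFailure:
            return true;
        default:
            return false;
    }
}

// Stand-in for StreamSocketControl::IgnorableServerCertificateErrors. append()
// throws "The parameter is incorrect" for a non-ignorable value, as the answer
// reports the real collection's Append/Add does.
class IgnorableErrorsModel {
public:
    void append(ChainValidationResult r) {
        if (!isIgnorable(r)) {
            throw std::invalid_argument("The parameter is incorrect");
        }
        if (!contains(r)) errors_.push_back(r);
    }
    bool contains(ChainValidationResult r) const {
        return std::find(errors_.begin(), errors_.end(), r) != errors_.end();
    }
    std::size_t size() const { return errors_.size(); }

private:
    std::vector<ChainValidationResult> errors_;
};

// The trial-and-error probe the answer mentions: true when appending r is
// rejected with the "parameter is incorrect" exception.
bool appendIsRejected(ChainValidationResult r) {
    IgnorableErrorsModel probe;
    try {
        probe.append(r);
    } catch (const std::invalid_argument&) {
        return true;
    }
    return false;
}

// Models the retry from the question: the re-connect passes the server
// certificate check only if every error the chain produced is in the ignore
// list. A non-ignorable error (Revoked, InvalidSignature, ...) can never be
// cleared this way, because it can never be appended.
bool reconnectWouldSucceed(const std::vector<ChainValidationResult>& observed,
                           const IgnorableErrorsModel& ignored) {
    for (ChainValidationResult r : observed) {
        if (r == ChainValidationResult::Success) continue;
        if (!ignored.contains(r)) return false;
    }
    return true;
}

// Defender's check (my assumption, not from the thread): ignoring Untrusted or
// InvalidName means the app no longer verifies the server's identity, so such a
// policy should be treated as disabling server authentication.
bool disablesServerAuthentication(const IgnorableErrorsModel& ignored) {
    return ignored.contains(ChainValidationResult::Untrusted) ||
           ignored.contains(ChainValidationResult::InvalidName);
}

// Builds a policy from a wish list, collecting the values Append rejected
// instead of aborting on the first one.
IgnorableErrorsModel buildPolicy(std::initializer_list<ChainValidationResult> wanted,
                                 std::vector<ChainValidationResult>& rejected) {
    IgnorableErrorsModel policy;
    for (ChainValidationResult r : wanted) {
        try {
            policy.append(r);
        } catch (const std::invalid_argument&) {
            rejected.push_back(r);
        }
    }
    return policy;
}
```

    The model keeps the two facts of the thread separate: whether a value can be appended at all (the exception) and whether the set of appended values covers what the chain reported (the reconnect). Only the first is decided by the platform; the second is the app's own policy, and the narrower that policy is, the less of the certificate check it gives up.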

All replies

  • Hi B0L,

    I understand your questions and am researching them. I will get back to you sometime next week.

    Thanks,

    Prashant


    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol || Want more solutions? See our blog

    Saturday, June 7, 2014 1:31 AM
    Moderator
  • Hi, Prashant, I really appreciate your replies in my recent posts! Looking forward to the good news!
    Monday, June 9, 2014 5:39 AM
  • Hi, Prashant, thank you very much. I think your info is much better and clearer than MSDN! :)
    Tuesday, June 10, 2014 1:06 AM