System.Net.WebClient how to identify that ssl connection requires client certificate?

  • Question

  • Hi,
    Is there any way to identify that ssl connection requires client certificate?

    Our case:
    Client-server application, 2 clients (1st using WinHttp, 2nd System.Net.WebClient).
    The server side may run on IIS or Apache. For security needs we should support SSL with a client certificate, but non-SSL connections should be supported as well.

    So we are not able to preconfigure clients and should understand whether a client certificate is required at run time.

    When we try to establish a connection with the help of System.Net.WebClient (client certificate required),
    a System.Net.WebException with the status WebExceptionStatus.ProtocolError is thrown. According to MSDN (http://msdn.microsoft.com/en-us/library/system.net.webexceptionstatus.aspx), such an exception may be thrown on a protocol-level error like a 401 Access denied.
    However, in our case the HTTP status is 403. This error is too general (Forbidden) and doesn't provide us the information that a client certificate is required.

    We need clarification on whether there is a way to neatly understand that the connection requires a client certificate.

    Additional:
    In case the Apache HTTP server is used, System.Net.WebClient will throw a System.Net.WebException with the status WebExceptionStatus.SecureChannelFailure.

    In case WinHTTP is used on the client side, for both Apache & IIS servers we will get the appropriate error code ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED (12044).

    Can anyone help?

    P.S. I reposted this question after I got an MSDN subscription in order to get a guaranteed response in 2 days.

    Sunday, August 18, 2013 2:15 PM

Answers

  • Hi Nick,

    It seems there is some synchronizing issue with your subscription status. Did you update the subscription membership recently? I think the internal system might not have been able to reflect the change in time. Sorry for the late response here.

    Regarding the issue you posted, my understanding is that if we need to find a way to programmatically detect whether the server side requires a client SSL cert, we need to take a look at the HTTP request/response pairs exchanged between client and server (by using some HTTP debugging tools such as Fiddler, Wireshark...). We can look up the headers and response content to see if there is any header value or error text from which we can get some consistent evidence for detection. And if it exists, we can then use HttpWebRequest to access the endpoint and check the raw response headers and content to find certain values for detection.


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support


    Thursday, August 22, 2013 10:26 AM
    Moderator
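
The check the answer describes, combined with the two failure modes reported in the question, as an added example that is not part of the original thread. `ClientCertProbe`, `ProbeResult` and the body markers are hypothetical names and values: "403.7" is the IIS substatus for "client certificate required", but it only shows up in the body when the server returns detailed errors, so confirm the marker against a captured response first.

```csharp
using System;
using System.IO;
using System.Net;

enum ProbeResult { Ok, ClientCertLikelyRequired, Forbidden, OtherError }

static class ClientCertProbe
{
    // Assumed markers for a 403 body; adjust to what Fiddler/Wireshark shows for your servers.
    static readonly string[] BodyMarkers = { "403.7", "client certificate" };

    public static ProbeResult Classify(WebExceptionStatus status, HttpStatusCode? http, string body)
    {
        // Apache case from the question. Other TLS handshake failures raise this status too,
        // so treat it as a hint to retry with a certificate, not as proof.
        if (status == WebExceptionStatus.SecureChannelFailure)
            return ProbeResult.ClientCertLikelyRequired;
        if (status == WebExceptionStatus.ProtocolError && http == HttpStatusCode.Forbidden)
        {
            foreach (var marker in BodyMarkers)
                if (body != null && body.IndexOf(marker, StringComparison.OrdinalIgnoreCase) >= 0)
                    return ProbeResult.ClientCertLikelyRequired;
            return ProbeResult.Forbidden; // plain 403: no evidence either way
        }
        return ProbeResult.OtherError;
    }

    public static ProbeResult Probe(string url)
    {
        var req = (HttpWebRequest)WebRequest.Create(url);
        try { using (req.GetResponse()) return ProbeResult.Ok; }
        catch (WebException ex)
        {
            string body = null; HttpStatusCode? code = null;
            using (var resp = ex.Response as HttpWebResponse)
                if (resp != null)
                {
                    code = resp.StatusCode;
                    Console.WriteLine(resp.Headers); // raw response headers for inspection
                    using (var reader = new StreamReader(resp.GetResponseStream()))
                        body = reader.ReadToEnd();
                }
            return Classify(ex.Status, code, body);
        }
    }

    static void Main()
    {
        // Constructed inputs, so the classification can be checked without a server.
        Console.WriteLine(Classify(WebExceptionStatus.ProtocolError, HttpStatusCode.Forbidden, "HTTP Error 403.7 - Forbidden"));
        Console.WriteLine(Classify(WebExceptionStatus.ProtocolError, HttpStatusCode.Forbidden, "Access is denied."));
        Console.WriteLine(Classify(WebExceptionStatus.SecureChannelFailure, null, null));
    }
}
```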

All replies

  • Hi,
    Is there any way to identify that ssl connection requires client certificate?

    Our case:
    Client-server application, 2 clients (1st using WinHttp, 2nd System.Net.WebClient).
    The server side may run on IIS or Apache. For security needs we should support SSL with a client certificate, but non-SSL connections should be supported as well.

    So we are not able to preconfigure clients and should understand whether a client certificate is required at run time.

    When we try to establish a connection with the help of System.Net.WebClient (client certificate required),
    a System.Net.WebException with the status WebExceptionStatus.ProtocolError is thrown. According to MSDN (http://msdn.microsoft.com/en-us/library/system.net.webexceptionstatus.aspx), such an exception may be thrown on a protocol-level error like a 401 Access denied.
    However, in our case the HTTP status is 403. This error is too general (Forbidden) and doesn't provide us the information that a client certificate is required.

    We need clarification on whether there is a way to neatly understand that the connection requires a client certificate.

    Additional:
    In case the Apache HTTP server is used, System.Net.WebClient will throw a System.Net.WebException with the status WebExceptionStatus.SecureChannelFailure.

    In case WinHTTP is used on the client side, for both Apache & IIS servers we will get the appropriate error code ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED (12044).

    Can anyone help?
    Wednesday, August 14, 2013 7:50 PM
  • Guaranteed reply in 2 days?
    Wednesday, August 21, 2013 1:10 PM