[UWP]Certificate chain validation

  • Question

  • Hi,

    When we do a PostAsync/GetAsync using windows.web.http.httpclient, does the system do certificate chain validation by default? If there are any issues, will I get responseMessage.RequestMessage.TransportInformation.ServerCertificateErrors (IncompleteChain)?

    Or do I need to manually validate the chain?

    var chain = await responseMessage.RequestMessage.TransportInformation.ServerCertificate.BuildChainAsync(null);

    ChainValidationResult validationResult = chain.Validate(new ChainValidationParameters() { CertificateChainPolicy = CertificateChainPolicy.Ssl, ServerDnsName = new HostName(responseMessage.RequestMessage.RequestUri.DnsSafeHost) });


    raja


    Friday, April 6, 2018 4:51 AM

Answers

  • Hi rajashanmugam,

    In your Windows version 1511 OS, please check whether your certificate is in “Trusted Root Certification Authorities”.

    Best Regards,

    Xavier


    MSDN Community Support

    • Marked as answer by rajashanmugam Thursday, May 10, 2018 10:30 AM
    Monday, May 7, 2018 6:36 AM
    Moderator

All replies

  • Some useful pointers

    Yes, the HttpClient will always attempt to validate the server certificate. The security rules are approximately the ones that a browser would use.

    If the certificate is invalid, you won't get a ResponseMessage! Instead, you'll have to use your original RequestMessage. This is because the TLS (SSL) transport is a lower networking layer than HTTP, and the connection will be terminated before any HTTP happens. Since there's no HTTP, there can't be an HTTP Response.

    You should essentially always pass in the HttpTransportationInformation.ServerIntermediateCertificates to the certificate.BuildChainAsync() call. IIRC, the server might have access to certificates that you don't have access to. The reason is remembered from a conversation I had with an actual network security expert; if I'm wrong, it's because I misremember, not because they were wrong :-)

    A great resource is The Most Dangerous Code in the World. It's a very readable research paper on just how easy it is to write certificate code handling that's wrong, and just how many apps have made mistakes.

    Thursday, April 19, 2018 12:54 AM
  • Thanks for the information.

    I am behind a proxy (Zscaler) in an enterprise network; to test, I had used the code below.

    HttpClient client = new HttpClient(); // no filter, so the default system validation applies

    var response = await client.GetAsync(new Uri("https://www.ssllabs.com/"));

    // Build the chain from the leaf, passing the intermediates the server sent during the handshake
    var chain = await response.RequestMessage.TransportInformation.ServerCertificate.BuildChainAsync(response.RequestMessage.TransportInformation.ServerIntermediateCertificates);

    // Validate with the SSL policy and check the name against the host we actually requested
    ChainValidationResult validationResult = chain.Validate(new ChainValidationParameters() { CertificateChainPolicy = CertificateChainPolicy.Ssl, ServerDnsName = new HostName(response.RequestMessage.RequestUri.DnsSafeHost) });

    In Windows version 1511, validationResult -> Untrusted

    In Windows version 1709, validationResult -> Success

    The validation result is different on different OS versions in the same network behind the proxy. Is this the correct way of validating the server certificate chain? Why is it behaving differently on different OS versions?


    raja

    Thursday, April 19, 2018 10:24 AM
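Putting the pointers above and raja's test together, as an added example that is not code from anyone in this thread: a hypothetical helper (GetAndValidateAsync is an invented name) that handles the no-response case when the TLS handshake fails, and on success re-validates the chain using the intermediates the server sent. It assumes the UWP Windows.Web.Http and Windows.Security.Cryptography.Certificates APIs.

```csharp
using System;
using System.Diagnostics;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Security.Cryptography.Certificates;
using Windows.Web;
using Windows.Web.Http;

// Hypothetical helper, not part of any Windows API.
public static class ChainCheck
{
    public static async Task<ChainValidationResult> GetAndValidateAsync(Uri uri)
    {
        // Default HttpBaseProtocolFilter: system validation is on and
        // IgnorableServerCertificateErrors is empty. Keep it that way.
        var client = new HttpClient();
        HttpResponseMessage response;
        try
        {
            response = await client.GetAsync(uri);
        }
        catch (Exception ex)
        {
            // TLS failed below HTTP, so there is no response object at all.
            // The reason is carried in the HRESULT; surface it instead of swallowing it.
            WebErrorStatus status = WebError.GetStatus(ex.HResult);
            throw new InvalidOperationException(
                $"Handshake with {uri.DnsSafeHost} failed: {status}", ex);
        }

        HttpTransportInformation transport = response.RequestMessage.TransportInformation;

        // With the default filter this list is empty on a successful connection;
        // anything listed here would only appear if errors had been marked ignorable.
        foreach (ChainValidationResult err in transport.ServerCertificateErrors)
            Debug.WriteLine($"system-reported certificate error: {err}");

        // Rebuild the chain ourselves, supplying the server-sent intermediates so the
        // build does not depend on intermediates already being in the local store.
        CertificateChain chain = await transport.ServerCertificate.BuildChainAsync(
            transport.ServerIntermediateCertificates);

        var parameters = new ChainValidationParameters
        {
            CertificateChainPolicy = CertificateChainPolicy.Ssl,
            // Check the name against the host we asked for, not one the server claims.
            ServerDnsName = new HostName(uri.DnsSafeHost),
        };
        return chain.Validate(parameters); // Success, Untrusted, IncompleteChain, ...
    }
}
```

A result other than Success after the system itself accepted the connection (as in the 1511 vs. 1709 difference above) points at the local trust store or chain-building inputs, so log both the result and the issuer names in the chain before deciding anything.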