.NET Framework - .Net: SSL/TLS and Certificate Pinning

Asked By Jeffrey Walton on 30-Dec-11 02:07 PM
Hi All,

Is anyone aware of techniques to pin an SSL/TLS certificate in .Net?
Pinning is accepting *only* a known certificate (for example, a
certificate issued to Example.com *and* with thumbprint NNNN...NNNN).

I found Jan Tielen's "Consuming Webservices over HTTPS (SSL)" (http://
weblogs.asp.net/jan/archive/2003/12/04/41154.aspx), which shows how to
use System.Net.ICertificatePolicy and CheckValidationResult on a
Mobile Client (I believe it will extend to desktops and servers). But
I am not sure if it's Microsoft's 'best practice' for pinning.

Jeff

Arne_Vajhøj replied to Jeffrey Walton on 30-Dec-11 02:53 PM
If you want the client to check the server certificate,
then ServicePointManager.ServerCertificateValidationCallback
is an option.

Arne
Arne_Vajhøj replied to Arne_Vajhøj on 30-Dec-11 02:55 PM
Example:

using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

namespace E
{
    public class MainClass
    {
        public static void Main(string[] args)
        {
            // Install the callback; it is consulted for every HTTPS server
            // certificate received through ServicePointManager in this process.
            ServicePointManager.ServerCertificateValidationCallback = MyCheck;
            WebRequest wr = WebRequest.Create("https://arne/");
            using (WebResponse response = wr.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                string html = reader.ReadToEnd();
                Console.WriteLine(html);
            }
        }

        // Called with the presented certificate, the chain built for it and the
        // errors the framework's own validation found (SslPolicyErrors.None means
        // the default checks passed).
        public static bool MyCheck(object sender, X509Certificate certificate,
            X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            Console.WriteLine("Name = " + certificate.Subject);
            Console.WriteLine("Effective = " + certificate.GetEffectiveDateString());
            Console.WriteLine("Expiration = " + certificate.GetExpirationDateString());
            Console.WriteLine("Issuer = " + certificate.Issuer);
            // Returning true accepts the certificate regardless of sslPolicyErrors;
            // this only demonstrates the hook. A pinning check would compare the
            // certificate against a known value and return false on mismatch.
            return true;
        }
    }
}

Arne
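The same callback turned into the pinning check Jeff asked for (an added example, not Arne's code): the framework's default validation must pass, and on top of that the certificate must be issued to the expected host and match a known thumbprint. PinnedHost and PinnedThumbprint are placeholders to be replaced with your own values.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

namespace PinningExample
{
    public static class PinnedClient
    {
        // Placeholders: the host you connect to and the SHA-1 thumbprint
        // (X509Certificate2.Thumbprint) of the exact certificate you trust.
        private const string PinnedHost = "example.com";
        private const string PinnedThumbprint = "0000000000000000000000000000000000000000";

        public static bool ValidatePinnedCertificate(object sender, X509Certificate certificate,
            X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            // Keep the framework's own checks (chain, expiry, host name match).
            // Pinning narrows trust on top of them; it does not replace them.
            if (certificate == null || sslPolicyErrors != SslPolicyErrors.None)
                return false;

            var cert = new X509Certificate2(certificate);

            // Check 1: the certificate was issued to the expected host.
            string dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
            bool hostMatches = string.Equals(dnsName, PinnedHost, StringComparison.OrdinalIgnoreCase);

            // Check 2: it is the exact certificate we expect (thumbprint = SHA-1 of the DER).
            bool thumbprintMatches = string.Equals(cert.Thumbprint, PinnedThumbprint,
                StringComparison.OrdinalIgnoreCase);

            // Any mismatch rejects the connection; GetResponse() then throws a WebException.
            return hostMatches && thumbprintMatches;
        }

        public static void Main(string[] args)
        {
            // The callback is process-wide in .NET Framework: it applies to every
            // HTTPS request made through ServicePointManager, not just this one.
            ServicePointManager.ServerCertificateValidationCallback = ValidatePinnedCertificate;

            WebRequest wr = WebRequest.Create("https://" + PinnedHost + "/");
            using (WebResponse response = wr.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                Console.WriteLine(reader.ReadToEnd());
            }
        }
    }
}
```

Because the pin is the thumbprint of one specific certificate, the client stops connecting as soon as the server rotates its certificate, so the pinned value has to be updated as part of every renewal.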
Jeffrey Walton replied to Arne_Vajhøj on 30-Dec-11 04:42 PM
Thanks Arne. I appreciate the code.

Jeff
Jeffrey Walton replied to Jeffrey Walton on 30-Dec-11 04:42 PM
In case anyone wants to tug on Microsoft's ear:
http://visualstudio.uservoice.com/forums/121579-visual-studio/suggestions/2482344-net-framework-ssl-tls-and-certificate-pinning
Arne_Vajhøj replied to Jeffrey Walton on 30-Dec-11 04:46 PM
Using ServicePointManager.ServerCertificateValidationCallback is
not that difficult.

Arne