Problem using client certificate with wrong CN name

Thread starter: Carlo Folini

Carlo Folini

Hi,
I have an assembly embedded in IE.
With this assembly I read a file (GET) from the same site
with no problem.

When I use SSL I get an error because the CN name in the
certificate is different from the server name.
Implementing the ICertificatePolicy I can get rid of the
error.

The problem with this approach is that the assembly runs
with low privilege (local intranet), and implementing
ICertificatePolicy requires full trust.
I think that there isn't a solution (at least
until the "ICertificatePolicy" related classes are
implemented in managed code).

I read in the documentation that it is possible to change the
certificate policy behavior by setting a value in the
assembly configuration file.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconhostingremoteobjectsininternetinformationservicesiis.asp?frame=true&hidetoc=true

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.net>
    <settings>
      <servicePointManager
        checkCertificateName="true"
      />
    </settings>
  </system.net>
</configuration>

Obviously this seems not to work (I tried also setting the
value to false).

Can someone clarify this problem?

Thanks
Carlo Folini
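The post above says that implementing ICertificatePolicy makes the CN-mismatch error go away. The usual way to do that is a policy that returns true for everything, which silently accepts any certificate for any host. The following is an added example, not code from this thread or from Microsoft, of the narrower policy a defender would write instead: it accepts a certificate only when the single reported problem is the CN mismatch, the request went to the one expected host, and the certificate's thumbprint equals a pinned value; every other validation failure is still rejected. The host name and thumbprint are placeholders. As the post notes, installing any policy still requires full trust; this example only limits what the policy accepts.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the thread): a deliberately narrow ICertificatePolicy.
// It accepts a certificate only when
//   1. the only reported problem is the CN mismatch (CERT_E_CN_NO_MATCH),
//   2. the request went to the one intranet host we deployed against, and
//   3. the certificate's SHA-1 thumbprint equals a pinned value.
// Any other problem (expired, untrusted root, revoked, ...) is rejected.
public class PinnedCnMismatchPolicy : ICertificatePolicy
{
    // HRESULT "The certificate's CN name does not match the passed value".
    private const int CertECnNoMatch = unchecked((int)0x800B010F);

    private readonly string expectedHost;
    private readonly string expectedThumbprint;

    public PinnedCnMismatchPolicy(string expectedHost, string expectedThumbprint)
    {
        this.expectedHost = expectedHost;
        // Normalise the pinned thumbprint so it can be compared to GetCertHashString().
        this.expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem)
    {
        if (certificateProblem == 0)
            return true;                 // chain and name are fine: the normal case

        if (certificateProblem != CertECnNoMatch)
            return false;                // anything other than a CN mismatch stays an error

        if (srvPoint == null || certificate == null)
            return false;

        // Only the expected host may present the mismatched certificate.
        if (!string.Equals(srvPoint.Address.Host, expectedHost,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        // Pin: it must be exactly the certificate we know this server presents.
        string presented = certificate.GetCertHashString().ToUpperInvariant();
        return presented == expectedThumbprint;
    }
}

public static class PinnedPolicyExample
{
    public static void Install()
    {
        // Placeholder values (assumptions): use the real intranet host name and
        // the thumbprint taken from the server certificate's Details tab.
        ServicePointManager.CertificatePolicy =
            new PinnedCnMismatchPolicy("intranet.example.local",
                                       "0000000000000000000000000000000000000000");

        WebRequest req = WebRequest.Create("https://intranet.example.local/data.txt");
        using (WebResponse resp = req.GetResponse())
        {
            Console.WriteLine("Got " + resp.ContentLength + " bytes");
        }
    }
}
```

Because the policy is keyed on both the host and the thumbprint, it must be updated when the server certificate is renewed; that is the intended cost of pinning, and it is far cheaper than an "accept everything" policy that also hides a genuinely wrong certificate.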
 
I think there are 2 possible solutions:
1) allow your assembly to run in full trust by creating for example a code
group or a specific key (sign your assembly by giving it a strong name)
2) add the certificate to the certificate store so the certificate will be
trusted
 
Hi,
the solutions aren't applicable for my case.
1) to operate on the originating server I have to let any assembly
have full trust. So essentially I'm throwing the .NET security
mechanism away.
2) having to deal with a client assembly, I must add the certificate
to every client that uses the assembly (~4k people).

Any other solution?
Any clue on the assembly configuration file?

Carlo
 
If your clients are in an active directory or something like that, you can
propagate a specific security policy (e.g. code group for your app.). Maybe
that's a solution...
 
Hi,
but doing it that way you are again throwing away all the
security mechanisms of the framework.
Having a team of developers making assemblies this way, I
have to give all developers the ability to act on full
trust.

Any clue on the application configuration file?
Is it a viable way?

Thanks
Carlo
 
Hi Carlo,

Have you tried this setting?

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.net>
    <settings>
      <servicePointManager
        checkCertificateName="false"
        checkCertificateRevocationList="false"
      />
    </settings>
  </system.net>
</configuration>

If this doesn't take effect, please feel free to reply to this thread to let us
know, and give us a small repro sample.
Thanks!



Best regards,

Ying-Shen Yu [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
This mail should not be replied to directly; "online" should be removed before
sending.
 