Discuss this help topic in SecureBlackbox Forum

Validate SSL (HTTPS) certificate

Prior to reading this article, we recommend you to get familiar with general principles of certificate validation described here.

When connecting to an SSL endpoint, it is a must to validate the server certificate. Note that all security offered by the SSL/TLS protocol is compromised if the certificate is not validated properly, and its trust level is not established.

All SSL-capable SecureBlackbox components return server certificates via their OnCertificateValidate event, where you are expected to return the validation result. TLS server will often send you a chain of certificates, each one returned by an independent OnCertificateValidate event invocation.

If you use TElX509CertificateValidator component for validating SSL/TLS certificates (we highly recommend you to do so), all intermediate CA and root certificates will be validated anyway within the general chain validation procedure. Therefore, you may ignore all OnCertificateValidate invocations except the one reporting the server endpoint certificate. A typical OnCertificateValidate event handler will have the following look:


private void SecureClient_OnCertificateValidate(object Sender, SBX509.TElX509Certificate Certificate, ref bool Validate)
{
  TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
  int Reason = 0;

  if ((Certificate.Chain == null) || (Certificate.Chain.get_Certificates(0) == Certificate))
  {
    CertificateValidator.ValidateForSSL(Certificate,
    SecureClient.RemoteHost, // server address
    SecureClient.RemoteIP, // server IP
    TSBHostRole.hrServer,
    null, // no additional certificates
    true, // validating the whole chain
    DateTime.UtcNow, // validating it now
    ref Validity,
    ref Reason
    );
    Validate = (Validity == TSBCertificateValidity.cvOk);
  }
  else
  {
    Validate = true; // skipping any intermediate and root certificates
  }
}

How To articles about TElX509CertificateValidator

Discuss this help topic in SecureBlackbox Forum