EldoS | Feel safer!

Software components for data protection, secure storage and transfer

ElSecureClient - Validating the server certificate

Posted: 03/31/2009 06:02:45
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I am using ElSecureClient. When the SSL handshake happens i receive a cert from the server. To avoid MITM (Man in the middle Attack) how do i find out if the Issuer of the Certificate is actually trusted?
I loaded up the Windows System Store (ROOT trust store) into a ElCustomCertStorage object, and i tried to use the GetIssuerCertificate() by passing the ElCertificate.Object.
First of all, the application abruplty terminates when the application tries to close. Then it tries to delete the first certificate in my cert store.
When i call the GetIssuerCertificate() method it throws an error:

Access Violation at address .... in module BASE~1.DLL.

I am using the ActiveX version.
Posted: 03/31/2009 06:35:36
by Eugene Mayevski (Team)

Thank you for the report.

I have passed it to the helpdesk for evaluation/fixing.

Sincerely yours
Eugene Mayevski
Posted: 03/31/2009 06:46:35
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I would like to see if this works in the .NET version. While i do that, do you know if this is going to work there?
Am i taking the right approach?
Posted: 03/31/2009 07:24:29
by Eugene Mayevski (Team)

You need to build the complete certificate chain up to the root, and this might include more than one CA certificate.

So you need to take the following steps:

1) Check if the certificate you've received is present in Windows Certificate Storage, Trusted Publishers store. If the certificate has been trusted by the user, you don't need to perform complete validation (just check integrity of the received certificate). You might still need to check expiration and revocation of the certificate.
2) try to build the certificate chain from the certificates you received from the server if the server has sent more than 1 certificate.
3) for the topmost certificate in the chain, search for it's CA certificate in trusted certificates. This includes Windows Certificate Storage and it's CA and ROOT stores.
4) repeat step 3 until you get to root CA or until you can't find the next CA. Act according to the result of the search.

Sincerely yours
Eugene Mayevski
Posted: 03/31/2009 07:35:21
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

Thanks for the prompt reply Eugene.
Is there a method/function i cn call which will check if the certificate i received is in the trusted store?
Posted: 03/31/2009 07:55:03
by Eugene Mayevski (Team)

Not directly. There are search mechanisms built into ElCustomCertStorage, and you can use them to find the certificate which corresponds the one you have.

Sincerely yours
Eugene Mayevski
Posted: 04/02/2009 07:44:20
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

there is a ticket open for this. is there a timeline for the fix?
Posted: 04/02/2009 07:50:03
by Ken Ivanov (Team)

Yes. The fix will go to the upcoming SecureBlackbox build update (there's no exact date estimations at the moment, but I suppose that we will make it available within two weeks).



Topic viewed 1698 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!