ElSecureClient - Validating the server certificate

#9476
Posted: 03/31/2009 06:02:45
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I am using ElSecureClient. When the SSL handshake happens I receive a cert from the server. To avoid MITM (man-in-the-middle attack), how do I find out if the issuer of the certificate is actually trusted?
I loaded up the Windows System Store (ROOT trust store) into an ElCustomCertStorage object, and I tried to use GetIssuerCertificate() by passing the ElCertificate.Object.
First of all, the application abruptly terminates when the application tries to close. Then it tries to delete the first certificate in my cert store.
When I call the GetIssuerCertificate() method it throws an error:

Access Violation at address .... in module BASE~1.DLL.

I am using the ActiveX version.
#9478
Posted: 03/31/2009 06:35:36
by Eugene Mayevski (EldoS Corp.)

Thank you for the report.

I have passed it to the helpdesk for evaluation/fixing.


Sincerely yours
Eugene Mayevski
#9479
Posted: 03/31/2009 06:46:35
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I would like to see if this works in the .NET version. While I do that, do you know if this is going to work there?
Am I taking the right approach?
#9482
Posted: 03/31/2009 07:24:29
by Eugene Mayevski (EldoS Corp.)

You need to build the complete certificate chain up to the root, and this might include more than one CA certificate.

So you need to take the following steps:

1) Check if the certificate you've received is present in Windows Certificate Storage, Trusted Publishers store. If the certificate has been trusted by the user, you don't need to perform complete validation (just check the integrity of the received certificate). You might still need to check expiration and revocation of the certificate.
2) Try to build the certificate chain from the certificates you received from the server if the server has sent more than 1 certificate.
3) For the topmost certificate in the chain, search for its CA certificate in trusted certificates. This includes Windows Certificate Storage and its CA and ROOT stores.
4) Repeat step 3 until you get to the root CA or until you can't find the next CA. Act according to the result of the search.


Sincerely yours
Eugene Mayevski
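As an added illustration of the four steps above (example code, not EldoS or SecureBlackbox code), here is a small Python model of the chain walk. The Cert type, the stores and the sample certificates are constructed for the example, and signature verification is only simulated by matching key identifiers.

```python
# Added example, not SecureBlackbox or EldoS code: the chain-walking steps from
# the post above on a constructed toy certificate model. Signature verification
# is simulated by matching key identifiers; real code must verify the issuer's
# signature over each certificate and check revocation as well.
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Cert:                # toy certificate (constructed for this example)
    subject: str
    issuer: str
    key_id: str            # stands in for the public key
    issuer_key_id: str     # stands in for the key that produced the signature
    not_after: date

def find_issuer(c: Cert, pool: Iterable[Cert]) -> Optional[Cert]:
    """Step 3: locate the CA certificate that signed c in the given pool."""
    return next((x for x in pool if x.subject == c.issuer and x.key_id == c.issuer_key_id), None)

def validate(server_certs: List[Cert], roots: List[Cert], ca_store: List[Cert],
             trusted_publishers: List[Cert], today: date) -> bool:
    """True only if the leaf is explicitly trusted or chains to a ROOT-store anchor."""
    leaf = server_certs[0]
    if leaf in trusted_publishers:          # step 1: trusted by the user, skip chain building
        return today <= leaf.not_after
    chain = [leaf]
    while True:
        current = chain[-1]
        if current.not_after < today:       # expiry is checked on every link
            return False
        if current in roots:                # step 4: reached a trusted root CA
            return True
        # step 2: intermediates sent by the server first, then the CA and ROOT stores
        issuer = (find_issuer(current, server_certs[1:])
                  or find_issuer(current, ca_store) or find_issuer(current, roots))
        if issuer is None or issuer in chain:   # no CA found, or a self-signed/looping chain
            return False
        chain.append(issuer)

# Constructed sample data: a ROOT-store anchor, an intermediate, and a rogue self-signed CA.
ROOT = Cert("Example Root CA", "Example Root CA", "k-root", "k-root", date(2030, 1, 1))
INTER = Cert("Example Issuing CA", "Example Root CA", "k-ca", "k-root", date(2025, 1, 1))
LEAF = Cert("mail.example.test", "Example Issuing CA", "k-leaf", "k-ca", date(2010, 1, 1))
ROGUE_ROOT = Cert("Rogue CA", "Rogue CA", "k-rogue", "k-rogue", date(2030, 1, 1))
ROGUE_LEAF = Cert("mail.example.test", "Rogue CA", "k-x", "k-rogue", date(2010, 1, 1))
TODAY = date(2009, 4, 1)

def demo() -> dict:
    return {
        "good_chain": validate([LEAF, INTER], [ROOT], [], [], TODAY),
        "mitm_self_signed": validate([ROGUE_LEAF, ROGUE_ROOT], [ROOT], [], [], TODAY),
        "expired_leaf": validate([LEAF, INTER], [ROOT], [], [], date(2011, 1, 1)),
        "intermediate_from_ca_store": validate([LEAF], [ROOT], [INTER], [], TODAY),
        "user_trusted_leaf": validate([ROGUE_LEAF], [ROOT], [], [ROGUE_LEAF], TODAY),
    }
```

A server that sends its own self-signed root along with the leaf is rejected because that root is never found in the ROOT store, which is exactly the MITM case the question asks about.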
#9483
Posted: 03/31/2009 07:35:21
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

Thanks for the prompt reply Eugene.
Is there a method/function I can call which will check if the certificate I received is in the trusted store?
#9485
Posted: 03/31/2009 07:55:03
by Eugene Mayevski (EldoS Corp.)

Not directly. There are search mechanisms built into ElCustomCertStorage, and you can use them to find the certificate which corresponds to the one you have.


Sincerely yours
Eugene Mayevski
#9520
Posted: 04/02/2009 07:44:20
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

There is a ticket open for this. Is there a timeline for the fix?
#9521
Posted: 04/02/2009 07:50:03
by Ken Ivanov (EldoS Corp.)

Yes. The fix will go into the upcoming SecureBlackbox build update (there are no exact date estimates at the moment, but I suppose that we will make it available within two weeks).