EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Windows Phone - certificate validation

Posted: 12/19/2013 04:32:08
by Andrej Tozon (Basic support level)
Joined: 12/19/2013
Posts: 2


I'm evaluating SecureBlackbox for the purpose of protecting SSL communication (HTTPS) between Windows Phone client and the server against MitM attacks.

My initial attempts were similar to this thread (https://www.eldos.com/forum/read.php?FID=7&TID=3994&MID=22013&sphrase_id=450502#message22013) - to validate certificate before initiating the connection, but I got stuck on getting the CA certificate.

I was able to capture server certificates in the OnCertificateValidate event and store them to a file (TElMemoryCertStorage.SaveToBufferPKCS7), and successfully restore the storage later when needed. However, I'm getting the same validation error (reason 32) and the last part of the answer is somewhat unclear to me (using TElWinCertStorage) - should I be capturing all certificates of Windows (desktop) and carry them over to Windows Phone?

Is there any better/more recommended way of protecting against MitM attacks on WP using SecureBlackbox or would this be the right approach? The simplest example I need to protect from is setting Fiddler as a proxy on WP and install its certificate to decrypt HTTPS traffic.

Posted: 12/19/2013 04:39:58
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

Error code 32 stands for SBX509.Unit.vrUnknownCA. It means that TElX509CertificateValidator failed to find the CA certificate needed to validate the server's full certificate chain.

should I be capturing all certificates of Windows (desktop) and carry them over to Windows Phone?

You should capture only the missing CA certificate and pass it to TElX509CertificateValidator.AddTrustedCertificates.
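
The following is an added illustration, not code from this thread or from SecureBlackbox: it mirrors in Python (with the `cryptography` package) what the reply describes, validating a server certificate against only the explicitly pinned CA. All certificates here are constructed in memory; "unknown_ca" plays the role of reason 32 (vrUnknownCA).

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, issuer_cn, issuer_key, pubkey, is_ca):
    """Build a minimal X.509 certificate signed by issuer_key (constructed fixture)."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(_name(subject_cn))
               .issuer_name(_name(issuer_cn)).public_key(pubkey)
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

def validate(leaf, trusted_cas):
    """Trust only the pinned CA(s): the issuer name must match AND the CA key
    must verify the leaf's signature. Returns 'ok' or 'unknown_ca'."""
    for ca in trusted_cas:
        if ca.subject != leaf.issuer:
            continue
        try:
            ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
            return "ok"
        except InvalidSignature:
            pass  # same name, wrong key: still not our CA
    return "unknown_ca"

# Constructed fixtures: the genuine pinned CA and the server certificate it issued.
ca_key = ec.generate_private_key(ec.SECP256R1())
real_ca = make_cert("Pinned Root CA", "Pinned Root CA", ca_key, ca_key.public_key(), True)
srv_key = ec.generate_private_key(ec.SECP256R1())
real_leaf = make_cert("api.example.test", "Pinned Root CA", ca_key, srv_key.public_key(), False)

# An interposing proxy re-signs the server name under its own CA, and a CA that
# merely copies the pinned CA's name but holds a different key.
proxy_key = ec.generate_private_key(ec.SECP256R1())
proxy_ca = make_cert("Interposing Proxy CA", "Interposing Proxy CA", proxy_key, proxy_key.public_key(), True)
proxy_leaf = make_cert("api.example.test", "Interposing Proxy CA", proxy_key, srv_key.public_key(), False)
fake_key = ec.generate_private_key(ec.SECP256R1())
fake_leaf = make_cert("api.example.test", "Pinned Root CA", fake_key, srv_key.public_key(), False)

def demo():
    """Genuine chain passes; proxy chain and same-name/wrong-key chain are unknown CA."""
    return (validate(real_leaf, [real_ca]), validate(proxy_leaf, [real_ca]),
            validate(fake_leaf, [real_ca]), validate(proxy_leaf, [real_ca, proxy_ca]))
```

The last tuple element shows why the trusted set must contain only the genuine CA: once a proxy's root is added to it, the interposed chain validates.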
Posted: 12/19/2013 16:10:44
by Andrej Tozon (Basic support level)
Joined: 12/19/2013
Posts: 2

Thank you, I've now managed to validate certificates in the OnCertificateValidate event (by using the missing Root certificate AND setting the validator's CheckCRL and CheckOCSP properties to false).

However... setting the phone proxy to the PC where Fiddler is listening shows the same result: all validation is passing without the Fiddler certificate showing anywhere in the chain (as it does in the browser). Any idea what I may be doing wrong?
Posted: 12/20/2013 01:34:39
by Vsevolod Ievgiienko (Team)

TElHTTPSClient doesn't use system proxy settings. You should adjust proxy using its properties: 1) UseHTTPProxy with HTTPProxy* for HTTP proxies and 2) UseWebTunneling with WebTunnel* for HTTPS proxy.


