SecureBlackbox said a server is self-signed which is not.

#33428
Posted: 05/26/2015 22:34:14
by Fanglin Liu (Priority Standard support level)
Joined: 05/14/2015
Posts: 33

SecureBlackbox said a non-self-signed certificate is self-signed. The server is: https://atlas-a.wbx2.com/admin/api/v1/.
We verified whether the server's certificate is self-signed by opening the above address in Chrome.


I copied the code snippet and uploaded a compilable project.
Code
        using System;
        using System.Diagnostics;
        using System.IO;
        using System.Text;
        using System.Threading.Tasks;
        using SBX509;   // assumed namespace of TSBCertificateValidity

        SBHTTPSClient.TElHTTPSClient HttpClient;

        // Wrapper method added so the snippet compiles; the name is illustrative
        async Task FetchAsync()
        {
            HttpClient = new SBHTTPSClient.TElHTTPSClient();

            // Raised for each certificate the server presents, one at a time
            HttpClient.OnCertificateValidate += HttpClient_OnCertificateValidate;

            var responseStream = new MemoryStream();
            HttpClient.OutputStream = responseStream;
            HttpClient.Versions = SBSSLConstants.Unit.sbTLS1;
            int statusCode = await HttpClient.GetAsync("https://atlas-a.wbx2.com/admin/api/v1/");

            responseStream.Position = 0;
            using (var reader = new StreamReader(responseStream, Encoding.UTF8))
            {
                string response = reader.ReadToEnd();
            }
        }

        void HttpClient_OnCertificateValidate(object Sender, SBX509.TElX509Certificate X509Certificate, ref SBUtils.TSBBoolean Validate)
        {
            // Validates whichever certificate was passed in, not specifically the end-entity one
            int reason = 0;
            TSBCertificateValidity validity = X509Certificate.Chain.Validate(ref reason, DateTime.Now);
            if (validity == TSBCertificateValidity.cvOk)
            {
                Validate = true;
            }
            else if (validity == TSBCertificateValidity.cvSelfSigned)
            {
                // Validate is left unchanged here
            }
            else
            {
                Debug.WriteLine("invalid cert");
            }
        }
#33430
Posted: 05/26/2015 23:53:29
by Eugene Mayevski (EldoS Corp.)

Your implementation of OnCertificateValidate event handler checks whatever certificate is passed. When the server sends several certificates one by one, the logic in the handler should be more sophisticated in order to check only the end-entity certificate.

Please check our samples for how the correct code should look (I am sorry I can't copy the code for you, as I have no access to the code at the moment).

On a side note, it would help a lot if you used the CODE button (or wrote [ CODE ] and [ /CODE ] by hand) to mark the beginning and the end of the code blocks in your messages. This would enable syntax highlighting and line numbering for the code and make it easier to analyse.


Sincerely yours
Eugene Mayevski
#33432
Posted: 05/27/2015 00:47:42
by Fanglin Liu (Priority Standard support level)
Joined: 05/14/2015
Posts: 33

Thanks Eugene. I will do that.
#33434
Posted: 05/27/2015 02:17:30
by Fanglin Liu (Priority Standard support level)
Joined: 05/14/2015
Posts: 33

Hi Eugene,
I ran the following WinRT certificate validation sample. The certificate validation always fails when I connect to https://www.eldos.com or https://www.microsoft.com. Can you help check whether this sample code is right?

The full path of the sample code is:
EldoS\SecureBlackbox.NET\Samples\C#\HTTPBlackbox\WindowsRT\Client\HTTPGet
#33435
Posted: 05/27/2015 02:33:49
by Ken Ivanov (EldoS Corp.)

Hi Fanglin,

There's a mistake in the WinRT sample. While you should normally pass the host name or the IP address of the destination server to the ValidateForSSL() call, the sample actually doesn't do that (it passes an empty string instead). Therefore identity validation fails, leading to general validation failure.

Please alter the sample to pass the web server host name (e.g. "www.microsoft.com") as a second parameter to the ValidateForSSL() call. This will solve the problem.

We are sorry for the inconvenience.

Ken
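The two points raised above, as an added example that is not part of this thread and uses only the Go standard library rather than SecureBlackbox: a handler that judges every presented certificate on its own will flag the trust-anchor root as self-signed (Eugene's point in #33430), while the correct logic validates only the end-entity certificate with the rest as intermediates and passes the expected host name so that identity validation runs (Ken's point in #33435). The chain, the host name server.example.test and the function names are all constructed for the example. One caveat: Go's verifier simply skips the name check when DNSName is empty, unlike the ValidateForSSL() behaviour described above, so the example shows a mismatching name failing instead of an empty one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate from tmpl. With parent == nil the template signs
// itself (a self-signed root); otherwise parent/parentKey sign it.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildChain constructs root -> intermediate -> leaf for a constructed host
// name, returned leaf first, the order in which a TLS server presents them.
func buildChain(host string) []*x509.Certificate {
	now := time.Now()
	tmpl := func(cn string, serial int64, ca bool) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  ca,
			BasicConstraintsValid: true,
		}
		if ca {
			c.KeyUsage = x509.KeyUsageCertSign
		} else {
			c.DNSNames = []string{cn}
			c.KeyUsage = x509.KeyUsageDigitalSignature
			c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return c
	}
	root, rootKey := mkCert(tmpl("Constructed Test Root", 1, true), nil, nil)
	inter, interKey := mkCert(tmpl("Constructed Test Intermediate", 2, true), root, rootKey)
	leaf, _ := mkCert(tmpl(host, 3, false), inter, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

// isSelfSigned: subject equals issuer and the signature verifies under the
// certificate's own key. Every trust-anchor root satisfies this by design.
func isSelfSigned(c *x509.Certificate) bool {
	return string(c.RawSubject) == string(c.RawIssuer) && c.CheckSignatureFrom(c) == nil
}

// naivePerCertCheck mirrors the handler in the thread: the callback fires once
// per certificate and each is judged alone, so the root is reported as
// self-signed although the server's end-entity certificate is not.
func naivePerCertCheck(chain []*x509.Certificate) []string {
	var out []string
	for _, c := range chain {
		if isSelfSigned(c) {
			out = append(out, "self-signed: "+c.Subject.CommonName)
		} else {
			out = append(out, "not self-signed: "+c.Subject.CommonName)
		}
	}
	return out
}

// validateEndEntity is the corrected logic: verify only chain[0], treat the
// rest as untrusted intermediates, and pass the expected host name so that
// identity validation runs.
func validateEndEntity(chain []*x509.Certificate, host string, roots *x509.CertPool) error {
	if len(chain) == 0 {
		return errors.New("server presented no certificate")
	}
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	host := "server.example.test" // constructed host name, not a real server
	chain := buildChain(host)
	roots := x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1]) // trust only our constructed root
	fmt.Println(naivePerCertCheck(chain))
	fmt.Println("correct host:", validateEndEntity(chain, host, roots))
	fmt.Println("wrong host:  ", validateEndEntity(chain, "other.example.test", roots))
}
```

Running it prints the per-certificate verdicts (only the root is self-signed), a nil error for the matching host name, and a host name error for the mismatching one; the empty-chain guard is the other failure a real handler must cover.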
#33450
Posted: 05/27/2015 21:18:27
by Fanglin Liu (Priority Standard support level)
Joined: 05/14/2015
Posts: 33

Thanks Ken.
I tried your suggestion. The WinRT HTTP Get sample code works for "www.microsoft.com", but it does not work for "www.eldos.com", "atlas-a.wbx2.com" and "www.google.com".

Can you help me try these sites?
#33451
Posted: 05/27/2015 21:18:45
by Fanglin Liu (Priority Standard support level)
Joined: 05/14/2015
Posts: 33

The full path of the sample code is:
EldoS\SecureBlackbox.NET\Samples\C#\HTTPBlackbox\WindowsRT\Client\HTTPGet
#33452
Posted: 05/28/2015 00:55:11
by Ken Ivanov (EldoS Corp.)

Hi Fanglin,

Which validation reasons exactly are you getting when connecting to those services (the number shown after the 'reason: ' line)?

Ken
#33453
Posted: 05/28/2015 01:04:25
by Fanglin Liu (Priority Standard support level)
Joined: 05/14/2015
Posts: 33

Hi Ken,

For "www.eldos.com", the reason is 272.

-Fanglin
#33455
Posted: 05/28/2015 03:04:35
by Ken Ivanov (EldoS Corp.)

Indeed you are right. We've run some checks with our WinRT devices and can now confirm that the issue does exist. It looks like the validator component can't acquire certain trusted root certificates from the system, apparently due to their key lengths. As a result, chains containing those certificates fail to be validated (the others are validated fine). The problem is specific to the WinRT set of assemblies and is caused by a wrong Windows CSP being used to access the keys.

We are working on a proper fix at the moment, which will go into a future SecureBlackbox update. As it may take some time for us to prepare an official update, we can compile a custom set of assemblies for you once the fix is ready. Just let us know if you are OK with that.

Ken