EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Possible to ignore the Hostname In ValidateForSSL?

Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.
Posted: 12/21/2015 13:32:06
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

Is it possible to disable hostname validation when calling TElX509CertificateValidator.ValidateForSSL()?

I'm trying to send a request to a server where the hostname on their certificate doesn't match the actual hostname. If this isn't possible, can you suggest another workaround?

The handshake fails with the error code, Identity Mismatch: Provided certificate doesn't include the specified name and / or IP address. Either the remote side in TLS or sender in S/MIME is misconfigured, or the certificate is misused by the remote side or sender, or authenticity of the remote side or sender is forged.

Posted: 12/21/2015 13:42:17
by Eugene Mayevski (Team)

Just don't use ValidateForSSL. Use Validate instead, and additionally inspect the KeyUsage and ExtKeyUsage of the presented certificate (this is what ValidateForSSL does besides checking the host names).

Sincerely yours
Eugene Mayevski
Posted: 12/21/2015 14:56:57
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

Thanks for the quick response Eugene!

I tried calling Validate instead, but that fails with reason code 64: Issuer (CA) certificate was found but it's key usage fields don't allow use of this certificate for signing other certificates.

Is there a way to ignore that check? Do I need to add this as a trusted certificate or something along those lines?
Posted: 12/21/2015 15:15:00
by Vsevolod Ievgiienko (Team)

You can set TElX509CertificateValidator.IgnoreSSLKeyUsage to 'true' to validate this problematic certificate correctly: https://www.eldos.com/documentation/sb...usage.html
Posted: 12/21/2015 15:26:25
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

Hi Vsevolod,
I set IgnoreSSLKeyUsage to True, but the validation is still failing with reason code 64. Are there any other related setting that may also need to be changed?

Posted: 12/21/2015 16:08:00
by Vsevolod Ievgiienko (Team)

Please try to turn on TElX509CertificateValidator.IgnoreCAKeyUsage instead.
Posted: 12/21/2015 16:23:08
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

I have IgnoreSSLKeyUsage and IgnoreCAKeyUsage both set to true, but the validation still returns 64.

Any other ideas?
Posted: 12/21/2015 17:38:14
by Ken Ivanov (Team)

Hi Jesse,

Thanks. As a final dash, please try setting IgnoreCABasicConstraints to true. This most likely will help. Please keep IgnoreCAKeyUsage and IgnoreSSLKeyUsage set.

If it doesn't help, please try enabling the rest of IgnoreXXX properties of the validator component (IgnoreRevocationKeyUsage, IgnoreBadOCSPChains, IgnoreCANameConstraints).

Once you've found a combination that makes the validation work for you, please try disabling IgnoreXXX properties one by one to find the exact one that affects the result. Leave that one enabled and switch the remaining ones off.
Posted: 12/21/2015 19:07:40
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

Hi Guys,
I set IgnoreCABasicConstraints to true and the validation started failing with reason code 128: Certificate Revocation List for this certificate could not be retrieved and/or validated.

I experimented with the other IgnoreXXXX properties, but was able to get this to work by setting:

IgnoreCABasicConstraints = true
CheckCRL = false

What is actually being validated with this configuration? I set the rest of the IgnoreXXXX settings back to false.

Posted: 12/21/2015 19:10:57
by Eugene Mayevski (Team)

OCSP is *probably* checked.

Validation includes signature checking, validity time checking, key usage checking (for CA certificates and certificates used to sign CRLs and OCSP responses), checking other extensions (mainly for CA certificates), then building and validating the certificate tree (it's a tree, not a chain in fact), verifying CRLs and OCSP responses whenever possible. ValidateForXXX methods additionally perform checks specific to this XXX.

Sincerely yours
Eugene Mayevski
Also by EldoS: CallbackDisk
Create virtual disks backed by memory or custom location, expose disk images as disks and more.



Topic viewed 4224 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!