Possible to ignore the Hostname In ValidateForSSL?

Posted: 12/21/2015 13:32:06
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

Is it possible to disable hostname validation when calling TElX509CertificateValidator.ValidateForSSL()?

I'm trying to send a request to a server where the hostname on their certificate doesn't match the actual hostname. If this isn't possible, can you suggest another workaround?

The handshake fails with the error code, Identity Mismatch: Provided certificate doesn't include the specified name and / or IP address. Either the remote side in TLS or sender in S/MIME is misconfigured, or the certificate is misused by the remote side or sender, or authenticity of the remote side or sender is forged.

Posted: 12/21/2015 13:42:17
by Eugene Mayevski (EldoS Corp.)

Just don't use ValidateForSSL. Use Validate instead, and additionally inspect the KeyUsage and ExtKeyUsage of the presented certificate (this is what ValidateForSSL does besides checking the host names).

Sincerely yours
Eugene Mayevski
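The KeyUsage / ExtKeyUsage inspection Eugene recommends alongside Validate, as an added stand-alone Python example (not SecureBlackbox code and not from the thread): it decodes the two raw extension values from constructed DER bytes and applies the RFC 5280 end-entity rule a TLS server certificate must satisfy, which is the part of ValidateForSSL that should be kept when only the hostname check is skipped. The DER bytes, helper names and the set of acceptable flags are assumptions for illustration; the flag choice follows common TLS client practice, not a documented SecureBlackbox rule.

```python
from typing import List, Optional, Set, Tuple

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",  # RFC 5280
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",  # 4.2.1.3
                  "encipherOnly", "decipherOnly"]  # bit positions in the KeyUsage BIT STRING
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (RFC 5280, 4.2.1.12)
EKU_ANY = "2.5.29.37.0"                # anyExtendedKeyUsage

def _read_tlv(buf: bytes, pos: int, want: int) -> Tuple[bytes, int]:
    """One DER tag-length-value with tag `want`; returns (value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError("unexpected DER tag 0x%02x" % tag)
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs; a set high bit means "continues"
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def key_usage_flags(der: bytes) -> Set[str]:
    """KeyUsage extension value (DER BIT STRING) -> set of flag names."""
    value, _ = _read_tlv(der, 0, 0x03)  # value[0] = number of unused trailing bits
    total = min((len(value) - 1) * 8 - value[0], len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(total) if value[1 + i // 8] & (0x80 >> (i % 8))}

def ext_key_usage_oids(der: bytes) -> List[str]:
    """ExtKeyUsage extension value (DER SEQUENCE OF OID) -> list of dotted OIDs."""
    seq, _ = _read_tlv(der, 0, 0x30)
    oids, pos = [], 0
    while pos < len(seq):
        oid_bytes, pos = _read_tlv(seq, pos, 0x06)
        oids.append(_decode_oid(oid_bytes))
    return oids

def usable_for_tls_server(ku_der: Optional[bytes], eku_der: Optional[bytes]) -> bool:
    """End-entity check after Validate(): an absent extension restricts nothing (RFC 5280)."""
    ku_ok = ku_der is None or bool(key_usage_flags(ku_der) & {"digitalSignature", "keyEncipherment", "keyAgreement"})
    eku_ok = eku_der is None or bool({EKU_SERVER_AUTH, EKU_ANY} & set(ext_key_usage_oids(eku_der)))
    return ku_ok and eku_ok

# Constructed sample extension values (not taken from the thread).
SERVER_KU = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
CA_KU = bytes.fromhex("03020106")      # keyCertSign + cRLSign only (a CA, not a server)
SERVER_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")  # serverAuth, clientAuth
```

The raw extension values are what a certificate object hands back for the KeyUsage and ExtKeyUsage extensions; a certificate that passes Validate but fails usable_for_tls_server is exactly the case ValidateForSSL would have rejected for a reason other than the hostname.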
Posted: 12/21/2015 14:56:57
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

Thanks for the quick response Eugene!

I tried calling Validate instead, but that fails with reason code 64: Issuer (CA) certificate was found but its key usage fields don't allow use of this certificate for signing other certificates.

Is there a way to ignore that check? Do I need to add this as a trusted certificate or something along those lines?
Posted: 12/21/2015 15:15:00
by Vsevolod Ievgiienko (EldoS Corp.)

You can set TElX509CertificateValidator.IgnoreSSLKeyUsage to 'true' to validate this problematic certificate correctly: https://www.eldos.com/documentation/sb...usage.html
Posted: 12/21/2015 15:26:25
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

Hi Vsevolod,
I set IgnoreSSLKeyUsage to True, but the validation is still failing with reason code 64. Are there any other related settings that may also need to be changed?

Posted: 12/21/2015 16:08:00
by Vsevolod Ievgiienko (EldoS Corp.)

Please try to turn on TElX509CertificateValidator.IgnoreCAKeyUsage instead.
Posted: 12/21/2015 16:23:08
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

I have IgnoreSSLKeyUsage and IgnoreCAKeyUsage both set to true, but the validation still returns 64.

Any other ideas?
Posted: 12/21/2015 17:38:14
by Ken Ivanov (EldoS Corp.)

Hi Jesse,

Thanks. As a final dash, please try setting IgnoreCABasicConstraints to true. This most likely will help. Please keep IgnoreCAKeyUsage and IgnoreSSLKeyUsage set.

If it doesn't help, please try enabling the rest of IgnoreXXX properties of the validator component (IgnoreRevocationKeyUsage, IgnoreBadOCSPChains, IgnoreCANameConstraints).

Once you've found a combination that makes the validation work for you, please try disabling IgnoreXXX properties one by one to find the exact one that affects the result. Leave that one enabled and switch the remaining ones off.
Posted: 12/21/2015 19:07:40
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

Hi Guys,
I set IgnoreCABasicConstraints to true and the validation started failing with reason code 128: Certificate Revocation List for this certificate could not be retrieved and/or validated.

I experimented with the other IgnoreXXXX properties, but was able to get this to work by setting:

IgnoreCABasicConstraints = true
CheckCRL = false

What is actually being validated with this configuration? I set the rest of the IgnoreXXXX settings back to false.

Posted: 12/21/2015 19:10:57
by Eugene Mayevski (EldoS Corp.)

OCSP is *probably* checked.

Validation includes signature checking, validity time checking, key usage checking (for CA certificates and certificates used to sign CRLs and OCSP responses), checking other extensions (mainly for CA certificates), then building and validating the certificate tree (it's a tree, not a chain in fact), verifying CRLs and OCSP responses whenever possible. ValidateForXXX methods additionally perform checks specific to this XXX.

Sincerely yours
Eugene Mayevski