Self Signed Certification SSL HTTPS
For those of us wanting to provide free applications it would be nice if the WP7 supported self signed certs or the very least a widely known free SSL authority.
Or at the very least add a free service to your accepted list of SSL authorities. Like cacert.org for instance.
Yay! SSL certs are free nowadays so this isn't really as useful anymore, but still nice to have.
Questions like that are best for Stack Overflow, as they can help the entire community.
Fernando Urkijo Cereceda commented
How can we access the handshake of the HTTP client to check that the certificate is legit?
Ravi, this is for HttpClient, not WebView
Using WebView I am not able to continue to a self-signed website. At the very least there should be some possibility to show a confirmation to the user to continue; it's possible in iOS and Android. Please provide some libraries or something to do it, really I am feeling bad about this.
socket.Information.ServerCertificate only available for "Windows Phone 8.1 [Windows Runtime apps only]", not available for "Windows Phone 8" or "Windows Phone 8.1 Silverlight App".
In Socket.Information.ServerCertificate, the ServerCertificate property is available for WP8, not for WP8.1.
In addition to the Mobile Device Management feature I mentioned below, there is another way to add a trusted CA to the trusted root CA list on the phone - please see this blog post: http://blogs.msdn.com/b/wsdevsol/archive/2014/06/05/including-self-signed-certificates-with-your-windows-runtime-based-windows-phone-8-1-apps.aspx
Once you add the enterprise CA to the trusted root CA list, your HTTPS requests should "just work" - you should not need to ignore any server errors or do the validation yourself.
[Windows Networking API team]
I am not suggesting that your app allow untrusted CAs - let me try to explain my recommendation part by part:
1. The OS has a list of root CAs that it trusts by default. In general, for self-signed cert scenarios, the enterprise CA will not be in this list. The recommended route to enable the self-signed cert scenario is for the enterprise to use the Mobile Device Management feature of Windows Phone and add the enterprise CA to the trusted CA list on the phone (See http://www.microsoft.com/en-us/download/details.aspx?id=42508)
2. Now, let's assume the enterprise did not want to go this route. You now need to do two things in your app: a) bypass the default list of trusted CAs and then b) perform the trust validation yourself. Of course, if you only do a) and not b), your app will be insecure.
3. The call to "filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted)" lets you perform step 2a). To do step 2b), you can access the server SSL certificate using "Certificate serverCert = request.TransportInformation.ServerCertificate". You then need to perform the validation of this certificate against the enterprise CA inside your own app. APIs for this are available under Windows.Security.Cryptography.Certificates (http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.aspx)
Note: Since the server certificate is available only AFTER the request has been sent to the server, you need to ensure that the initial request does not contain any sensitive information.
Hope this helps to clarify my recommendation. In summary:
1. Try to get the enterprise to add their CA as a trusted CA using mobile device management.
2. If not, then use available Windows APIs to: a) bypass the default list of trusted CAs and then b) perform the trust validation yourself.
Thanks again for your interest in Windows Phone app development.
[Windows Networking API Team]
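Steps 2a) and 2b) above as an added example (not the API team's code). It assumes the Windows Phone 8.1 WinRT APIs and that the enterprise root CA's DER-encoded certificate ships inside the app package as "enterprise-root.cer" (an assumed file name); the chain is rebuilt in-app with that root as the only trust anchor, after a probe request that carries no sensitive data.

```csharp
using System;
using System.Threading.Tasks;
using Windows.ApplicationModel;
using Windows.Security.Cryptography.Certificates;
using Windows.Storage;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

// Added example (not the API team's code); assumes WP8.1 WinRT and an app-packaged DER root "enterprise-root.cer" (assumed name).
public static class EnterpriseCaPinning
{
    public static async Task<Certificate> LoadEnterpriseRootAsync()
    {
        StorageFile file = await Package.Current.InstalledLocation.GetFileAsync("enterprise-root.cer");
        return new Certificate(await FileIO.ReadBufferAsync(file));
    }

    // Step 2b: rebuild the chain in-app with the enterprise root as the ONLY trust anchor,
    // so the OS root store plays no part in the decision.
    public static async Task<ChainValidationResult> ValidateAgainstEnterpriseCaAsync(
        HttpTransportInformation info, Certificate enterpriseRoot)
    {
        if (info.ServerCertificate == null) return ChainValidationResult.OtherErrors;
        var parameters = new ChainBuildingParameters();
        parameters.ExclusiveTrustRoots.Add(enterpriseRoot);
        parameters.RevocationCheckEnabled = false; // assumption: enterprise CRL not reachable from the phone; keep true if it is
        CertificateChain chain = await info.ServerCertificate.BuildChainAsync(
            info.ServerIntermediateCertificates, parameters);
        return chain.Validate();
    }

    public static async Task<HttpClient> CreateValidatedClientAsync(Uri probeUri)
    {
        var filter = new HttpBaseProtocolFilter();
        // Step 2a: suppress ONLY the Untrusted error; expiry, name mismatch etc. still fail.
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
        var client = new HttpClient(filter);
        // The server certificate is visible only after a request has gone out, so the probe
        // carries no body, cookies or credentials (see the note about the initial request).
        var probe = new HttpRequestMessage(HttpMethod.Head, probeUri);
        await client.SendRequestAsync(probe);
        ChainValidationResult result = await ValidateAgainstEnterpriseCaAsync(
            probe.TransportInformation, await LoadEnterpriseRootAsync());
        if (result != ChainValidationResult.Success)
        {
            client.Dispose();
            throw new InvalidOperationException("Server did not chain to the enterprise CA: " + result);
        }
        return client;
    }
}
```

The check covers the connection used by the probe; because later requests may land on a new connection, re-run ValidateAgainstEnterpriseCaAsync on each response's TransportInformation before trusting what it returned.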
Matt Cecile commented
Thanks for the reply, Sidharth. Looking at your code, it seems that you are suggesting that my app be modified to allow untrusted CAs. Is that correct?
This would not be acceptable to enterprise customers and my application would fail any security audit.
Or am I misunderstanding the effect of the code you posted?
Thanks for the investigation and feedback. My comment is incomplete - I only explained how to get over the roadblock of SSL certificate verification while testing with self-signed certs.
For apps intended for corporate environments, I agree that there is a need to access the server certificate and its properties. For this, you can use the TransportInformation property of the HttpRequestMessage class (http://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.httprequestmessage.aspx). Here is a code snippet:
using System;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter();
filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted); // Allow untrusted CAs
HttpClient client = new HttpClient(filter);
HttpRequestMessage request = new HttpRequestMessage();
request.Method = HttpMethod.Get;
request.RequestUri = new Uri("https://www.contoso.com"); // Insert your https URI here
HttpResponseMessage responseMsg = await client.SendRequestAsync(request); // must run inside an async method
Certificate serverCert = request.TransportInformation.ServerCertificate;
// serverCert now contains the SSL server certificate.
Please let us know if this addresses the scenario you were targeting.
[Windows Networking API team]
Matt Cecile commented
I've been working on this problem over a course of several days and finally came across this blog: http://blogs.msdn.com/b/davidhardin/archive/2010/12/30/wp7-and-self-signed-ssl-certificates.aspx
"You can implement your own certificate authority using Microsoft Certificate Services but you’ll still need a certificate from one of the phone’s certificate authorities to chain your certificate authority to."
How is this ever going to be workable in a corporate environment? I have to tell my customers that in order to use SSL for my application, they have to link every MCS CA back to a 3rd party root CA?
Even worse is the suggestion that we ignore certificate errors. That would really not go over in a corporate environment.
This restriction on MCS CAs needs to be removed to function like other mobile OSes or it will be impossible to implement a solution that will be accepted in enterprise environments.
sajjan mallik commented
I am a big lover of Microsoft products. But this product is really frustrating. I don't know what the security issue is in allowing this in Windows Phone apps, which is allowed on other platforms that are of course more popular than this platform. Microsoft should rethink making these kinds of restrictions before releasing into a market which is highly competitive.
Hi Templarian and Others,
Thanks for your feedback.
One way to use self-signed certs in modern apps is to use the WinRT HttpClient (Windows.Web.Http.HttpClient) and the associated HttpBaseProtocolFilter class (http://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.filters.httpbaseprotocolfilter.aspx). In the HttpBaseProtocolFilter, you can set the property "IgnorableServerCertificateErrors" to ignore the untrusted CA error.
The WinRT HttpClient and HttpBaseProtocolFilter are designed very similar to the .NET HttpClient and HttpClientHandler, so it should be easy to move from one to the other. Meanwhile, the .NET Networking team is also investigating adding this support to the .NET HttpClient API.
[Windows Networking API team]
Tony Leung commented
Please let the client side check the SSL certificate.
Mike Bishop [MSFT] commented
Thanks for the input, Jani! This is actually already possible using StreamSocket -- after doing await socket.UpgradeToSslAsync(), check socket.Information.ServerCertificate for the cert that was provided by the server. You can verify that it's the cert you were expecting before you send any data.
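The StreamSocket check described in the reply above, written out as an added example (not Mike Bishop's or the platform's own code). It assumes the Windows Phone 8.1 WinRT StreamSocket APIs and pins the server's leaf certificate by a SHA-256 fingerprint of its DER encoding; the fingerprint value is a constructed placeholder.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Networking.Sockets;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Security.Cryptography.Core;

// Added example, not Mike Bishop's code. Assumes Windows Phone 8.1 (WinRT) StreamSocket APIs.
public static class PinnedStreamSocket
{
    // Constructed placeholder: SHA-256 of the DER encoding of the expected leaf certificate, hex.
    public const string ExpectedLeafSha256 = "<expected-sha256-hex-placeholder>";

    public static string Sha256Hex(Certificate cert)
    {
        var sha256 = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha256);
        return CryptographicBuffer.EncodeToHexString(sha256.HashData(cert.GetCertificateBlob()));
    }

    // Opens a TCP connection, upgrades it to TLS, and compares the presented certificate with
    // the pin BEFORE any application data is written, so a mismatch leaks nothing.
    public static async Task<StreamSocket> ConnectPinnedAsync(string host, string port)
    {
        var socket = new StreamSocket();
        // Suppress only the Untrusted error (self-signed); the pin below is the real check.
        socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
        var hostName = new HostName(host);
        await socket.ConnectAsync(hostName, port, SocketProtectionLevel.PlainSocket);
        await socket.UpgradeToSslAsync(SocketProtectionLevel.Tls12, hostName);

        Certificate presented = socket.Information.ServerCertificate;
        if (presented == null ||
            !string.Equals(Sha256Hex(presented), ExpectedLeafSha256, StringComparison.OrdinalIgnoreCase))
        {
            socket.Dispose();
            throw new InvalidOperationException("Server certificate does not match the pinned fingerprint");
        }
        return socket; // now safe to write sensitive data
    }
}
```

Pinning the leaf ties the app to that exact certificate, so rotating it on the server requires an app update; pinning the issuing CA's certificate instead trades that rigidity for a broader trust anchor.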
Andreas Summer commented
Eventually with a property for the SSL certificate public info?
This is simply pathetic, that I could not attach a client certificate to WebRequest. How would certificate-based authentication for Exchange servers and LDAP servers then work without it? What big security threat do you see in doing this? I cannot have all certificates put in the Windows Phone certificate store as I do not want to untidy users' phones. iOS and Android work great with this.
Jani Lirkki commented
There is SSL/TLS socket support in Windows Phone 8. However, currently no WP8 platform component seems to support SSL certificate pinning.
When an SSL connection is created, there is no way to inspect the X.509 certificate chain returned by the remote server. I want to implement certificate pinning for additional security in my app and therefore I need an API to read the values of individual X.509 certificates.
I am not the only one who needs this: http://stackoverflow.com/questions/17741740/read-ssl-certificate-details-on-wp8
Please provide a way to do certificate pinning using platform components in WP8.
Jerry Huang commented
I can't believe there is no way to check the certificate on the client side. So I can't use SSL to protect data. Please give me a way to check the certificate on the client side.