Self Signed Certification SSL HTTPS
For those of us wanting to provide free applications it would be nice if WP7 supported self-signed certs or at the very least a widely known free SSL authority.
Or, at the very least, add a free service such as cacert.org to your accepted list of SSL authorities.
In addition to the Mobile Device Management feature I mentioned below, there is another way to add a trusted CA to the trusted root CA list on the phone - please see this blog post: http://blogs.msdn.com/b/wsdevsol/archive/2014/06/05/including-self-signed-certificates-with-your-windows-runtime-based-windows-phone-8-1-apps.aspx
Once you add the enterprise CA to the trusted root CA list, your HTTPS requests should "just work" - you should not need to ignore any server errors or do the validation yourself.
[Windows Networking API team]
I am not suggesting that your app allow untrusted CAs - let me try to explain my recommendation part by part:
1. The OS has a list of root CAs that it trusts by default. In general, for self-signed cert scenarios, the enterprise CA will not be in this list. The recommended route to enable the self-signed cert scenario is for the enterprise to use the Mobile Device Management feature of Windows Phone and add the enterprise CA to the trusted CA list on the phone (See http://www.microsoft.com/en-us/download/details.aspx?id=42508)
2. Now, let’s assume the enterprise did not want to go this route. You now need to do two things in your app: a) bypass the default list of trusted CAs and then b) perform the trust validation yourself. Of course, if you only do a) and not b), your app will be unsecure.
3. The call to "filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted)" lets you perform 2a. To do 2b, you can access the server SSL certificate using "Certificate serverCert = request.TransportInformation.ServerCertificate". You then need to perform the validation of this certificate against the enterprise CA inside your own app. APIs for this are available under Windows.Security.Cryptography.Certificates (http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.aspx)
Note: Since the server certificate is available only AFTER the request has been sent to the server, you need to ensure that the initial request does not contain any sensitive information.
Hope this helps to clarify my recommendation. In summary:
1. Try to get the enterprise to add their CA as a trusted CA using mobile device management.
2. If not, then use available Windows APIs to: a) bypass the default list of trusted CAs and then b) perform the trust validation yourself.
Thanks again for your interest in Windows Phone app development.
[Windows Networking API Team]
Matt Cecile commented
Thanks for the reply, Sidharth. Looking at your code, it seems that you are suggesting that my app be modified to allow untrusted CAs. Is that correct?
This would not be acceptable to enterprise customers and my application would fail any security audit.
Or am I misunderstanding the effect of the code you posted?
Thanks for the investigation and feedback. My comment is incomplete - I only explained how to get over the roadblock of SSL certificate verification while testing with self-signed certs.
For apps intended for corporate environments, I agree that there is a need to access the server certificate and its properties. For this, you can use the TransportInformation property of the HttpRequestMessage class (http://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.httprequestmessage.aspx). Here is a code snippet:
using System;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter();
filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted); // Allow untrusted CAs (only this error is ignored)
HttpClient client = new HttpClient(filter);
HttpRequestMessage request = new HttpRequestMessage();
request.Method = HttpMethod.Get;
request.RequestUri = new Uri("https://www.contoso.com"); // Insert your https URI here
HttpResponseMessage responseMsg = await client.SendRequestAsync(request);
// TransportInformation is populated only after the request has been sent.
Certificate serverCert = request.TransportInformation.ServerCertificate;
// serverCert now contains the SSL server certificate.
Please let us know if this addresses the scenario you were targeting.
[Windows Networking API team]
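The following is an added example, not code from the Windows Networking API team or from the thread, that combines the snippet above with the team's two-part recommendation (2a: ignore only the Untrusted result; 2b: validate the chain yourself against the enterprise CA). It assumes the enterprise root CA is shipped inside the app as a base64 DER blob (EnterpriseRootBase64, a placeholder) and that the server exposes a harmless probe URL that carries no sensitive data, because the server certificate is only visible after a request has gone out. The class, method and placeholder names are the example's own.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

// Added example (hypothetical names); not the API team's code.
public static class EnterpriseHttp
{
    // PLACEHOLDER: base64-encoded DER of the enterprise root CA bundled with the app.
    private const string EnterpriseRootBase64 = "MIIB...REPLACE-WITH-ENTERPRISE-ROOT-CA...";

    // Step 2b: rebuild and validate the chain using ONLY the embedded root as trust anchor.
    public static async Task<ChainValidationResult> ValidateAgainstEnterpriseRootAsync(
        HttpTransportInformation transport)
    {
        Certificate serverCert = transport.ServerCertificate;
        if (serverCert == null)
        {
            // No certificate means the request was not HTTPS (or never connected).
            return ChainValidationResult.OtherErrors;
        }

        var root = new Certificate(CryptographicBuffer.DecodeFromBase64String(EnterpriseRootBase64));
        var parameters = new ChainBuildingParameters();
        parameters.ExclusiveTrustRoots.Add(root); // the OS root store is NOT consulted
        // Revocation checking stays enabled (default); an offline enterprise CA may
        // then yield RevocationInformationMissing, which is treated as a failure here.

        CertificateChain chain = await serverCert.BuildChainAsync(
            transport.ServerIntermediateCertificates, parameters);
        return chain.Validate();
    }

    // Step 2a + probe: ignore only the Untrusted result, send a request that carries
    // no sensitive data, then run step 2b on the certificate that came back.
    public static async Task<HttpClient> CreateValidatedClientAsync(Uri probeUri)
    {
        var filter = new HttpBaseProtocolFilter();
        // Expired, revoked and InvalidName (host mismatch) are deliberately NOT added,
        // so the filter still fails the request on those.
        filter.IgnorableServerCertificateErrors.Add(ChainValidationResult.Untrusted);
        var client = new HttpClient(filter);

        var probe = new HttpRequestMessage(HttpMethod.Get, probeUri);
        using (HttpResponseMessage response = await client.SendRequestAsync(probe))
        {
            // Response body is ignored; only TransportInformation is of interest.
        }

        ChainValidationResult result =
            await ValidateAgainstEnterpriseRootAsync(probe.TransportInformation);
        if (result != ChainValidationResult.Success)
        {
            client.Dispose();
            throw new InvalidOperationException("Server certificate rejected: " + result);
        }
        return client;
    }
}
```

Because a later request may be served over a different connection, a strict app calls ValidateAgainstEnterpriseRootAsync on each request's TransportInformation after it completes, not only on the probe, and treats any non-Success result as a reason to discard the response.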
Matt Cecile commented
I've been working on this problem over a course of several days and finally came across this blog: http://blogs.msdn.com/b/davidhardin/archive/2010/12/30/wp7-and-self-signed-ssl-certificates.aspx
"You can implement your own certificate authority using Microsoft Certificate Services but you’ll still need a certificate from one of the phone’s certificate authorities to chain your certificate authority to."
How is this ever going to be workable in a corporate environment? I have to tell my customers that in order to use SSL for my application, they have to link every MCS CA back to a 3rd party root CA?
Even worse is the suggestion that we ignore certificate errors. That would really not go over in a corporate environment.
This restriction on MCS CAs needs to be removed to function like other mobile OSes or it will be impossible to implement a solution that will be accepted in enterprise environments.
sajjan mallik commented
I am a big lover of Microsoft products. But this product is really frustrating. I don't know what the security issue is in allowing this in Windows Phone apps, which is allowed on other platforms that are of course more popular than this platform. Microsoft should rethink making these kinds of restrictions before releasing into a market which is highly competitive.
Hi Templarian and Others,
Thanks for your feedback.
One way to use self-signed certs in modern apps is to use the WinRT HttpClient (Windows.Web.Http.HttpClient) and the associated HttpBaseProtocolFilter class (http://msdn.microsoft.com/en-us/library/windows/apps/windows.web.http.filters.httpbaseprotocolfilter.aspx). In the HttpBaseProtocolFilter, you can set the property "IgnorableServerCertificateErrors" to ignore the untrusted CA error.
The WinRT HttpClient and HttpBaseProtocolFilter are designed very similar to the .NET HttpClient and HttpClientHandler, so it should be easy to move from one to the other. Meanwhile, the .NET Networking team is also investigating adding this support to the .NET HttpClient API.
[Windows Networking API team]
Tony Leung commented
Please let the client side to check the SSL certificate.
Andreas Summer commented
eventually with a property, SSL certificate public info?
This is simply pathetic that I could not attach a client certificate to WebRequest. How would certificate-based authentication then work for Exchange servers and LDAP servers? What big security threat do you see in doing this? I cannot have all certificates put in the Windows Phone certificate store as I do not want to untidy users' phones. iOS and Android work great with this.
Jerry Huang commented
I can't believe there is no way to check certificate on client side. So I can't use SSL to protect data. Please give me a way to check certificate on client side.
Holger Kreissl commented
We are developing a security critical application for WP8 and we cannot believe that there is no way to check a certificate on the client side. So there is one way to protect the user from SSL hacking using SSL pinning or CN comparison.
Please add this functionality or a way that makes it possible to build serious apps for WP8.
Hi, my problem is the same as M. Irfan's; can anyone give some help?
M. Irfan commented
Is there any update on it? Is there any alternative solution to use a WCF server with a self-signed certificate in a WP8 application? My service is giving the error "Not found". Please help.
Rui Marinho commented
This is still missing in windows phone 8, and it's even harder ... installing the certificate by hand doesn't work either.
Please add the ServicePointManager class.
For those that want to easily, cheaply and securely protect their web APIs from being accessed by others, HTTPS + basic auth is the solution. Unfortunately, without a class like ServicePointManager I can't use my own cert files to protect my own API.
Ulf Skoglund commented
Fully agreed. This is needed.
Andrew Byrne commented
Hi, for information about SSL Root Certificates for Windows Phone, check out http://msdn.microsoft.com/en-us/library/gg521150(v=VS.92).aspx
I have been able to test self-signed certs with a Windows Phone app, but I owned both ends of the pipe: the Windows Phone app and the Azure cloud service that was hosting the service to which I wanted to communicate. Installing the self-signed cert by sending it to yourself in Hotmail was the way to go.
Chiranjit Mishra commented
I am trying to call HTTPS from a Windows Phone 7.5 application. Though it is called successfully for HTTPS having a certificate from a trusted source like VeriSign, it is returning a "remote server not found" exception for a self-signed certificate. I have installed my self-signed certificate on the device by sending it by mail and called HTTPS like HTTP, but it didn't work.
So can anyone suggest how to call HTTPS having a self-signed certificate? Is it possible or not for a self-signed certificate?
Thomas Kistrup commented
This is a must have. I need to ignore the "address does not match the address in the security certificate" error; I can't change the server certificate to match the URL. My app is useless if I can't control the certificate validation process.