Manually validating SSL certificates (no WWW involved)

Question

How can i manually verify an SSL certificate retrieved from a server w$$anonymous$$le communicating through HTTPS but with other means than the WWW class? On .Net 3.5 there's the X509Certificate2.Verify() method but taking a look inside the Mono sources t$$anonymous$$s method is marked with the following attribute:

 [MonoTODO("by default t$$anonymous$$s depends on the incomplete X509Chain")]

What is t$$anonymous$$s supposed to mean? Does it mean that certificate validation in Mono using t$$anonymous$$s method is ultimately unreliable? What good alternative can i use?

Answer 1

Answer by ArkaneX · Sep 20, 2013 at 11:25 AM

I don't know what you're trying to ac$$anonymous$$eve, but maybe you can do it with ServicePointManager.ServerCertificateValidationCallback. T$$anonymous$$s needs some additional investigation as well, because one of the callback delegate parameters is X509Chain, and basing on the MonoTODO you posted, there might be some problem related to t$$anonymous$$s class.

UPDATE: I took a look at the thread you provided, and I found an older thread by the developer as well. As I understand, UniWeb uses TcpClient, and if it's true, than for SSL communication it probably uses SslStream. When wrapping TcpClient stream into SslStream, it is possible to provide certificate validation callback - the same I mentioned above. If current implementation doesn't throw any error when connecting to a site with invalid certificate, then probably the callback always returns true.

Maybe you can ask author about t$$anonymous$$s directly, and if it works as I believe, then he should allow for injecting the callback or maybe make it virtual. Hard to say exactly without knowing implementation details though.

0 Show 8 · Share

GabrielS · Sep 20, 2013 at 12:13 PM 0

Share

Well, what i'm trying to achieve is a fundamental concern of HTTPS/SSL: validate the server's certificate so that you can be sure that the server is indeed who it claims to be. I suspect the WWW/WWWForm classes do this automatically, but due to some deficiencies they have i can't use them so i'll have to rely on something else for web requests, which may not have certificate validation built-in.

ArkaneX · Sep 20, 2013 at 01:11 PM 0

Share

In this case ServerCertificateValidationCallback should be a perfect solution, although in most cases it is used to do the opposite. It allows you to override standard validation procedure, by for example ignore the fact that certificate expired.

Out of curiosity - how are you trying to access the server? If you use WebRequest class, then it should fail automatically if the certificate is invalid.

ArkaneX · Sep 20, 2013 at 01:13 PM 0

Share

One more question - could you share why you can't use WWW/WWWForm classes?

GabrielS · Sep 20, 2013 at 01:17 PM 0

Share

I intend to use the UniWeb asset (HttpWebRequest doesn't even work on iOS), which is superior to WWW/WWWForm in terms of HTTP completeness (headers, content types, timeouts etc), but it does not provide built-in SSL certificate validation. Thanks for the suggestion, i'll try the ServerCertificateValidationCallback and see if it works.

ArkaneX · Sep 20, 2013 at 01:39 PM 0

Share

If this is a custom solution, then I don't know if my advice still apply... Please post some feedback after testing.

Show more comments

Manually validating SSL certificates (no WWW involved)

1 Reply

Your answer

Welcome to Unity Answers

Follow this Question

Related Questions