Login/Register
How to validate self-signed certification
Asked Answered
Solved c#certificateclient-serversslstream
B

1

9

i will provide you with my question clearly so you can answer me

I have a client-server (socket) connection that i secured using SslStream and as i know using ssl makes me sure that my client will only connect to my server

And to do that i must add a function to my client to validate the server certification and make sure that the server is the real one (my server)

but i really don't get how could i validate my self-signed certification and want your help

Regards, and my thanks in advance

Babble answered 15/9, 2012 at 20:36 Comment(6)
This will help you: #527211Gaylenegayler
I think this StackOverflow question will help you: #527211Gaylenegayler
i am not looking to add an exception and connect anyway! because what made me implement SslStream is that i am worry about MITM attacks, so i can't simply ignore\or add an exception to connect anywayBabble
What i want is validating that this server is 100% my real server not any fake server or third party, Also how to make sure that certification.cer that i published with my client is not edited or replacedBabble
Ok. Now I understood your problem :-? I will research more for you...Gaylenegayler
sorry i don't understand what you mean ? i am still have the same problem, as i stated in my previous 2 commentsBabble
R
12

Imagine if the certificate were not self signed - it is signed by a trusted certificate authority. The reason it works is because your client device - windows, mac, linux, iphone, android device already has the certificates of all the well known certificate authorities. The operating system does the work for you when you make the connection. It ensures that the certificate sent to the client during the connection is signed by a well known certificate authority. The only reason this works though is because the client already has the certificates for all the well know certificate authorities.

If you choose to use a self-signed certificate - or a certificate signed by a self-signed certificate authority - you have to do the work, instead of the operating system. However - the task is basically the same - you need to verify that that the certificate sent to the client during the connection matches what is expected. And you will need to use the same strategy that signed certificates use - your client has to have the expected certificate (or certificate chain) pre-installed.

Some how, some way you need to ensure that your client already has the self signed certificate. Specifically all the public information in the certificate. The client will not have the private key - since that is ... private. Then you can add code to your app verify that the hash of the certificate sent during the connection matches the hash of the certificate that was pre-installed.

I noticed you have asked a similar question before and you may know all this already. Here is one additional point:

As long as you keep the private key of your self-signed certificate absolutely secure, there is no way anyone can fake your self signed certificate. It just cannot be done. If someone tries, they will have to generate a new private key which won't match yours - because they do not know your private key because you kept it secure.

Then everything breaks down. If they have a different private key, they will need a different public key. This means they will have a different certificate hash. And your app already knows the correct public key and hash (as described above), so when they try to come in with their bad public key and hash your app will reject the connection. This is part that you have to do in your application.

If they attempt to use your public key and hash but with a different private key, SSL will not allow them to make the connection.

Riplex answered 16/9, 2012 at 2:23 Comment(4)
So could you provide me with how could i get a cheap one, Is go daddy 12$ a year ssl certification a good one ?, also how could i generate CSR i am totally clueless of thatBabble
Sorry no. I'm still using self-signed certificates so I cannot help you there. I think these questions have been asked before on this site - search is your friend :)Riplex
Thanks for the write-up. This explains the Man In the Middle Attack that can be accomplished because of self signed certificates if you do not verify the certificate in code and why using a CA, you do not have to verify in code. Awesome, just what I was looking for! :)Inherit
Great answer, i have been searching for a code to do this but i could't find it, can you provide a C# code for this answer?Yippie

© 2022 - 2024 — McMap. All rights reserved.