
I set the expected client certificate to "A":

    host.Credentials.ClientCertificate.SetCertificate("A", ...);
    host.Credentials.ServiceCertificate.SetCertificate("B", ...);

Binding:

    new NetTcpBinding
    {
        Security =
        {
            Mode = SecurityMode.TransportWithMessageCredential,
            Transport = { ProtectionLevel = ProtectionLevel.EncryptAndSign },
            Message = { ClientCredentialType = MessageCredentialType.Certificate }
        }
    }

I expect the server to allow only clients with certificate "A". But instead it allows other trusted certificates too. I've changed the client app.config to use "B" instead of "A" and it still works!

What's wrong in my setup?

Vlad

1 Answer


The line

    host.Credentials.ClientCertificate.SetCertificate("A", ...);

does not mean that only clients with certificate A are allowed to connect.

If you want to allow only some kinds of certificates, you need to inspect the CertificateValidator on the server side.

Take a look: https://msdn.microsoft.com/en-us/library/aa354512%28v=vs.110%29.aspx

If you have more questions, feel free to ask me.

EDIT:

    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.Security.Cryptography.X509Certificates;

    public class CustomX509CertificateValidator : X509CertificateValidator
    {
        // WCF calls Validate for every client certificate; throwing rejects the client.
        public override void Validate(X509Certificate2 certificate)
        {
            // Only accept self-issued certificates, for example
            if (certificate.Subject != certificate.Issuer)
                throw new SecurityTokenValidationException("Certificate is not self-issued");
        }
    }

And then:

    serviceHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
    serviceHost.Credentials.ClientCertificate.Authentication.CustomCertificateValidator = new CustomX509CertificateValidator();
Andreas K
  • I will read it, but can you post an example of how I can use CertificateValidator to specify the only exact client certificate that should be allowed? – Vlad May 06 '15 at 12:14
  • In my edited post, the validator on the host will only accept certificates where the issuer is the subject, so-called self-signed. – Andreas K May 06 '15 at 12:18
  • I can use certificate.Equals to check if it's the correct one, can't I? – Vlad May 06 '15 at 12:36
  • You can use certificate.Equals to check if two certificates are the same. – Andreas K May 06 '15 at 12:42
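As an added example (not code from the question or answer above), the following validator pins the host to exactly one client certificate by thumbprint, which is what the comments are asking for. It compares the thumbprint (the hash of the whole DER encoding) rather than relying on X509Certificate.Equals, which only compares issuer and serial number; the thumbprint value and the `ConfigurePinnedClientCertificate` helper are assumptions for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts exactly one client certificate, identified by its thumbprint.
public sealed class PinnedClientCertificateValidator : X509CertificateValidator
{
    private readonly string _expectedThumbprint;

    public PinnedClientCertificateValidator(string expectedThumbprint)
    {
        if (string.IsNullOrWhiteSpace(expectedThumbprint))
            throw new ArgumentException("A thumbprint is required.", "expectedThumbprint");
        // Normalise the value as copied from the certificate snap-in (spaces, mixed case).
        _expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Pin the exact certificate: a different cert from the same trusted CA,
        // or a renewed cert with the same subject, fails here.
        if (!string.Equals(certificate.Thumbprint, _expectedThumbprint,
                           StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Unexpected client certificate: " + certificate.Subject);

        // Pinning alone says nothing about validity dates, so check them explicitly.
        var now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Client certificate is outside its validity period.");
    }
}

public static class PinnedClientCertificateSetup
{
    // Wires the validator into the host, replacing the default chain-trust check.
    // Placeholder thumbprint: replace it with the thumbprint of certificate "A".
    public static void ConfigurePinnedClientCertificate(ServiceHost host,
        string thumbprintOfA = "PLACEHOLDER_THUMBPRINT_OF_CERT_A")
    {
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedClientCertificateValidator(thumbprintOfA);
    }
}
```

With CertificateValidationMode.Custom the built-in chain-trust check is no longer run, so if the pinned certificate is CA-issued and you also want revocation checked, add that to Validate as well.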