
Just as this person, I've been struggling a bit with browsers caching SSL sessions. In short, if a client certificate is selected, there is no way to clear the state programmatically, except in IE using document.execCommand("ClearAuthenticationCache").

One of the answers mentions that making a request to "a URL on the same hostname that requires a client certificate but rejects all certificates" would force the browser to clear the SSL session. How can I set up such an endpoint in IIS? Because I presume I need more than just a simple endpoint returning HTTP status 403 or similar.

filur
  • "Because I presume I need more than just a simple endpoint returning http status 403 or similar." - nope, just add a `` to your `web.config` with a hardcoded error response rule set up. No need for any application code at all. Another option is to define the rule in your `` element instead. – Dai Sep 04 '21 at 17:33
  • @Dai I've tried just making a request to an endpoint returning `403` on the same domain, but it doesn't seem to clear any certificates, which kinda makes sense. As discussed in the comments, I think there's more that needs to be done than that. I just don't know how to configure the IIS for that – filur Sep 04 '21 at 18:02
  • 1
    HTTP 403 wouldn’t invalidate client auth state, I think you want HTTP 401 instead. – Dai Sep 04 '21 at 22:23
  • 1
    This article is good, and up-to-date: https://textslashplain.com/2020/05/04/client-certificate-authentication/ – Dai Sep 04 '21 at 22:24
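The browser-side half of what the question and the comments above describe, as an added example that is not part of the question or of any answer here. It tries Internet Explorer's `document.execCommand("ClearAuthenticationCache")` first and otherwise fetches a same-hostname probe URL. The probe path `/clear-client-cert` is an assumed placeholder, and the endpoint behind it is assumed to require a client certificate and to fail the TLS handshake for every certificate it is offered. A probe that comes back with any HTTP status at all (401 or 403 included) means the handshake completed, so the example reports that outcome with the status rather than treating it as a successful clear; that is the first thing to check when the selection is not being forgotten.

```javascript
// Added example, not code from the question or its answers.
// Assumption: PROBE_URL is a hypothetical endpoint on the same hostname as the
// page that requires a client certificate and fails the TLS handshake for all of them.
const PROBE_URL = "/clear-client-cert";

// Map the outcome of the probe request to a short, testable status string.
//   { error }  -> the request never got an HTTP response (handshake rejected,
//                 which is the outcome the technique relies on)
//   { status } -> an HTTP response arrived, so the TLS layer accepted the cert;
//                 the status is kept so the misconfiguration is visible
function classifyProbeOutcome(outcome) {
  if (outcome && outcome.error) return "probe-rejected";
  if (outcome && Number.isInteger(outcome.status)) return `probe-not-rejected:${outcome.status}`;
  return "probe-unknown";
}

// Try to make the browser forget the selected client certificate.
// `doc` and `fetchImpl` default to the browser globals; they are parameters so
// the function can be exercised outside a browser.
async function clearClientCertSelection({
  probeUrl = PROBE_URL,
  doc = typeof document !== "undefined" ? document : undefined,
  fetchImpl = typeof fetch === "function" ? fetch : undefined,
} = {}) {
  // 1. Internet Explorer: the only documented programmatic clear. Other
  //    browsers also expose execCommand but return false for this command,
  //    so a false return falls through to the probe request.
  if (doc && typeof doc.execCommand === "function") {
    let cleared = false;
    try {
      cleared = doc.execCommand("ClearAuthenticationCache") === true;
    } catch (_) {
      cleared = false;
    }
    if (cleared) return "cleared-via-execCommand";
  }

  // 2. Everything else: request the probe URL. credentials: "include" makes
  //    the browser present its cached certificate choice; cache: "no-store"
  //    keeps the request from being satisfied from the HTTP cache.
  if (typeof fetchImpl !== "function") return "no-strategy-available";
  try {
    const resp = await fetchImpl(probeUrl, { credentials: "include", cache: "no-store" });
    return classifyProbeOutcome({ status: resp.status });
  } catch (err) {
    return classifyProbeOutcome({ error: err });
  }
}
```

In a page you would call `clearClientCertSelection()` with no arguments and log the returned string; `probe-rejected` is the outcome the technique needs, while `probe-not-rejected:403` or similar tells you the endpoint is answering at the HTTP layer instead of failing the handshake.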

2 Answers

The SSL negotiation happens before the endpoint request is sent, so there is no way of "rejecting a certificate" based on the endpoint (you can perhaps force renegotiation, but I'm not sure IIS supports it).

But you can maybe set up the same hostname and a different port and disable client certificates there. Since the hostname matches (being the same...), I'd expect the browser to try them, and fail.

LSerni

Short answer: `delete sslcert [ipport=]IPAddress:port` (ref)

If you want to script/automate it in code, you could do it in C# in the two steps below; you would need to adapt the code to suit your needs.

1. Get your certs

    using System.Security.Cryptography.X509Certificates;

    // Enumerate the certificates in the Local Machine "Personal" (My) store.
    using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
    {
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        // Get / display a list of all the certificates
        foreach (var x in store.Certificates)
        {
            // *** TODO

            // add it to a drop down
            // SomeDropDownListControl_IISCert.Items.Add(new SomeDropDownListControl_IISCert(x.FriendlyName, x.SerialNumber));

            // or delete it, see below
        }
    }

2. Build the command and pass the cert and delete it with the Shell Command

    using System.Diagnostics;
    using System.Text;

    StringBuilder str = new StringBuilder();
    ProcessStartInfo psi = new ProcessStartInfo() { CreateNoWindow = true, UseShellExecute = false, RedirectStandardOutput = true };
    psi.FileName = "netsh";

    // Show the current binding first so it is in the log before it is removed.
    psi.Arguments = $"http show sslcert ipport=0.0.0.0:{port}";
    using (Process procShow = Process.Start(psi))
    {
        while (procShow != null && !procShow.StandardOutput.EndOfStream)
        {
            str.AppendLine(procShow.StandardOutput.ReadLine());
        }
        procShow?.WaitForExit();
    }
    Log.Warn(str.ToString());   // ToString() must be called; passing the method group logs nothing useful

    // delete IPV4.
    psi.Arguments = $"http delete sslcert ipport=0.0.0.0:{port}";
    using (Process procDel = Process.Start(psi))
    {
        if (procDel != null)
        {
            procDel.WaitForExit();           // ExitCode is only valid once the process has exited
            int exitCode = procDel.ExitCode; // 0 means netsh removed the binding
        }
    }
Transformer