
I am trying to upload a file to my domain https://vault.veodin.com/, which is hosted at webfaction.com.

When you open this URL, the browser warns you about the name mismatch, because the SSL certificate is issued for webfaction.com and not for veodin.com.

Accordingly, a sslPolicyError System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch occurs when I try to upload a file to this domain using .NET WebClient.

For my purpose it's enough to be sure that the upload target is hosted at *.webfaction.com.

Is it safe to trust the certificate.subject for that?

Background:

Update: I've used a custom CertificateValidationCallback to verify the certificate subject and the certificate issuer to be exactly what I expect.

    ServicePointManager.ServerCertificateValidationCallback =
        MyCertificatePolicy.CertificateValidationCallBack;

    ...

    public class MyCertificatePolicy
    {
        public static bool CertificateValidationCallBack(
            object sender,
            System.Security.Cryptography.X509Certificates.X509Certificate certificate,
            System.Security.Cryptography.X509Certificates.X509Chain chain,
            System.Net.Security.SslPolicyErrors sslPolicyErrors)
        {
            // If the certificate is a valid, signed certificate, return true.
            if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
            {
                return true;
            }

            // If there is a RemoteCertificateNameMismatch, but the name is webfaction.com,
            // then we can trust the certificate despite the name error.
            else if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch
                && certificate.Subject == "CN=*.webfaction.com, OU=WebFaction, O=Swarma Limited, L=London, S=England, C=GB"
                && certificate.Issuer == "CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US")
            {
                return true;
            }
            else
            {
                // In all other cases, return false.
                return false;
            }
        }
    }
Cilvic
  • Anyone can generate a certificate with any common name that they want. You should be checking who is the issuer of the certificate (chain) as well. – vcsjones Sep 15 '11 at 19:42
  • @vcjones, thanks I've updated the code to include the issuer. – Cilvic Sep 16 '11 at 06:41
  • Now you are only checking if anyone has created an issuer certificate with your stated name and issued (possibly himself) a certificate for webfaction.com. You should check the actual issuer certificate against the certificate store or hard-code the issuer certificate hash (but this means you have to update your code when the issuer certificate changes). – eFloh Sep 16 '11 at 06:56
  • @eFloh thx for the scenario, I was thinking that this would trigger a [RemoteCertificateChainErrors](http://msdn.microsoft.com/de-de/library/ms145055(v=vs.80).aspx) – Cilvic Sep 16 '11 at 14:29
  • @Cilvic: Oh, I may have overlooked that. Without having checked, this seems to make sense. In case an attacker had placed a custom root certificate in the trusted store, this would enable my scenario again, but in this case, you are in bigger trouble on that machine, I think. – eFloh Sep 19 '11 at 15:28
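
The points raised in the comments, combined into one callback as an added example (not code from the question or from any commenter): it accepts only a pure name mismatch, limits that exception to the upload host, and pins the issuing certificate by hash instead of comparing the issuer's display name. The class name `PinnedWebFactionPolicy`, the constants, and the thumbprint placeholder are assumptions; the real hash has to be taken from the issuer certificate you actually trust.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedWebFactionPolicy
{
    // Assumptions for this example: the single host the name check is relaxed
    // for, and a placeholder for the issuer certificate's SHA-1 thumbprint.
    const string UploadHost = "vault.veodin.com";
    const string ExpectedLeafName = "*.webfaction.com";
    const string PinnedIssuerThumbprint = "<ISSUER-CERT-THUMBPRINT-PLACEHOLDER>";

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // Exact comparison on purpose: SslPolicyErrors is a flags enum, so if
        // RemoteCertificateChainErrors is also set the chain did not validate
        // against the machine's trusted store and the connection is rejected.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch)
            return false;

        // The callback is process-wide, so relax the name check for one host only.
        var request = sender as HttpWebRequest;
        if (request == null || !string.Equals(request.Address.Host, UploadHost,
                                              StringComparison.OrdinalIgnoreCase))
            return false;

        if (certificate == null || chain == null || chain.ChainElements.Count < 2)
            return false;

        // Compare the certificate's name rather than the whole Subject string,
        // whose formatting can change when the certificate is reissued.
        var leaf = new X509Certificate2(certificate);
        string name = leaf.GetNameInfo(X509NameType.SimpleName, false);
        if (!string.Equals(name, ExpectedLeafName, StringComparison.OrdinalIgnoreCase))
            return false;

        // ChainElements[0] is the leaf; [1] is the certificate that issued it.
        // Pin that certificate by hash instead of trusting its display name.
        string issuer = chain.ChainElements[1].Certificate.Thumbprint;
        return string.Equals(issuer, PinnedIssuerThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Register it with `ServicePointManager.ServerCertificateValidationCallback = PinnedWebFactionPolicy.Validate;`. As eFloh notes, a pinned hash has to be updated whenever the issuer certificate changes.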
