.NET Web Service Client Supports SSL Certificate with IP Address in Subject Alternative Name

Well, with the help of Steffens showing me the Schannel and IP Address fields, and many other studies, I found the answer to this question.

.NET does not support IP addresses as alternative object names directly because it relies on Schannel to verify the IP address in the certificate.

Schannel only looks for the host name (IP) specified in the https request among the "DNS Name =" fields of the certificate. Therefore, if you can get a CA to provide you with a certificate with the IP addresses specified in the "DNS Name =" fields, this will probably work. However, my CA would not allow IP addresses to be placed in the "DNS Name =" fields and required them to be in the "IP Address =" fields, as this is now the industry standard.

So this means that Schannel will receive a certificate mismatch error if it cannot find the IP address in the certificate.

It then looks like the ServicePointManager.ServerCertificateValidationCallback property to invoke a method to ask the user to verify the certificate, which defaults to None for this property. Therefore, it rejects the connection directly.

Using C # as an example, you can create your own callback method and assign it to the ServicePointManager.ServerCertificateValidationCallback property. The method accepts the sending object, which is the WebRequest object used in the request, X509Certificate, which is the certificate, the X509Chain value, and the SslPolicyErrors value, which, if the IP address is used in the URL, will be a SslPolicyErrors.RemoteCertificationNameMismatch error.

private void init() { // Add a custom callback for server validation so that https to IP addresses will work. // See comments in InternalCallback method for more details ServicePointManager.ServerCertificateValidationCallback += this.InternalCallback; } private bool InternalCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { // The security package on Windows OS known as Schannel provides the authentication between // clients and servers. // If you are using https with an IP to a server with a cert that has IP addresses in the Subject Alternative Names, // Schannel fails to find those IPs among the "IP Address=" fields in the cert. // Schannel only looks at the DNS Name= fields. // consequently Schannel will pass SslPolicyErrors.RemoteCertificationNameMismatch error to the // ServicePointManager.ServerCertificateValidationCallback method which will cause the SSL connectino // to be rejected. // By default the ServicePointManager.ServerCertificateValidationCallback = None which I guess means // Schannel rejects the connection outright because of the mismatch error. // You can create a callback method like this one and assign it to the ServerCertificateValidationCallback // property so that you can do the validation yourself. // // The sender passed to this method is the WebRequest which contains the url used to hit the service. // The certificate is also passed to this method and you can use ToString(true) to get a verbose listing // of the cert that contains the Subject Alternative Names including the "IP Address=" fields. // This method will get the hostname of of the URL and if it is an IP address it will check to make // sure the cert contains the IP used and if so will return true (ignoring the sslPolicyErrors value. // If the hostname is not an IP then it will check that the hostname is found in the cert and that // the sslPolicyErrors contains the value of None before returning true. // This way we still do full validation of a hostname url and ignore validation errors when using an IP. Regex ipv4Validator = new Regex("((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|$)){4}"); WebRequest request = (WebRequest)sender; UriBuilder theuri = new UriBuilder(request.RequestUri); String thecert = certificate.ToString(true); bool containsIP = ipv4Validator.IsMatch(theuri.Host); if (sslPolicyErrors == SslPolicyErrors.None) logger.Info("Settings.InternalCallback() sslPolicyErrors = " + sslPolicyErrors.ToString()); else { logger.Info("Settings.InternalCallback() " + (containsIP ? "IP was used so ignoring " : "" ) + " sslPolicyErrors = " + sslPolicyErrors.ToString()); } logger.Debug("Settings.InternalCallback() requesturi = " + request.RequestUri); logger.Debug("Settings.InternalCallback() subject = " + certificate.Subject); logger.Debug("Settings.InternalCallback() request host = " + theuri.Host); logger.Debug("Settings.InternalCallback() certificate verbose = " + thecert); // possible sslPolicyErrors are: // None // RemoteCertificateChainErrors // RemoteCertificateNameMismatch // RemoteCertificateNotAvailable // If the request was sent to an IP then we will get a RemoteCertificateNameMismatch // error so ignore it and just check that the IP is found in the cert. if (containsIP) return thecert.Contains(theuri.Host); else return thecert.Contains(theuri.Host) && sslPolicyErrors == SslPolicyErrors.None; }