How to specify accepted certificates for client authentication in .NET SslStream

I am trying to use the .NET class System.Security.SslStream to handle the server side of an SSL / TLS stream with client authentication.

To do a handshake, I use this code:

SslStream sslStream = new SslStream(innerStream, false, RemoteCertificateValidation, LocalCertificateSelectionCallback);
// second argument: clientCertificateRequired = true
sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Default, false);

Unfortunately, this causes SslStream to send a CertificateRequest containing the subject names of all certificates in my trusted CryptoAPI root store.

I would like to be able to override this. I do not need to require the user to install or remove certificates from the Trusted Root Store.

It seems that SslStream uses SSPI / SecureChannel under the hood, so if someone knows how to do the equivalent with that API, that would be useful too.

Any ideas?

3 answers

It doesn't seem like this is currently possible using the .NET libraries.

I solved this using the Mono class library implementation of System.Security.SslStream, which gives better access to overriding server behavior during the handshake.

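A server-side mitigation that works with the stock .NET SslStream, as an added example that is not from this answer's author: it does not change the CA names sent in CertificateRequest, but it makes the server accept only client certificates that chain to one application-chosen CA, independent of the machine's Trusted Root store. It assumes .NET 5 or later (for X509ChainTrustMode.CustomRootTrust) and uses a placeholder path for the CA file.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Validation callback for the server side of SslStream. It accepts a client
// certificate only if it chains to one in-memory trust anchor chosen by the
// application, not to whatever the OS Trusted Root store happens to contain.
static class ClientCertPolicy
{
    // The single CA this application accepts as issuer of client certificates.
    // The file path is a placeholder; load it from an application-controlled location.
    static readonly X509Certificate2 AcceptedClientCa =
        new X509Certificate2("<path-to-accepted-client-ca>.cer");

    // Signature matches RemoteCertificateValidationCallback, so it can be passed
    // to the SslStream constructor in place of RemoteCertificateValidation above.
    public static bool ValidateClientCertificate(
        object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        // AuthenticateAsServer was called with clientCertificateRequired = true,
        // so a missing client certificate is a hard failure.
        if (certificate == null)
            return false;

        var clientCert = new X509Certificate2(certificate);

        // The OS-built chain and its SslPolicyErrors are deliberately not used:
        // the decision is made by rebuilding the chain against our own root only.
        using (var customChain = new X509Chain())
        {
            customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            customChain.ChainPolicy.CustomTrustStore.Add(AcceptedClientCa);
            // Require the client-authentication extended key usage (id-kp-clientAuth).
            customChain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));

            if (!customChain.Build(clientCert))
                return false;

            // Defense in depth: the chain must terminate in exactly our anchor.
            var elements = customChain.ChainElements;
            var root = elements[elements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, AcceptedClientCa.Thumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Clients still see the full CA list in CertificateRequest, so a client may pick a certificate from another trusted root; this callback then fails the handshake rather than letting that certificate through.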

What certificate validation does is verify every certificate in the chain. To do this, it simply consults the root store for each of those certificates.

If this is not what you want, you can host your own root store locally.


This is not the part of the validation I want to change. The problem is the initial handshake: the server sends a message informing the client that client authentication is required (i.e. the CertificateRequest message). As part of this message, the server sends the names of the certification authorities it will accept as issuers of the client certificate. By default, this list contains all trusted roots in the store.

But if you can override the root certificate store for a single application, that would probably fix the problem. Is that what you mean? If so, how do I do it?


Source: https://habr.com/ru/post/1401686/
