views:

76

answers:

2

Experimented sending secure emails using C# and was wondering if I have understood things correctly. I currently have the following program:

using System;
using System.Net.Mail;
using System.Net;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.IO;
using System.Net.Security;

namespace Geekality.SecureEmail
{
    class Program
    {
        static bool OurCertificateValidation(object s, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            var actualCertificate = X509Certificate.CreateFromCertFile("example.com.cert");

            return certificate.Equals(actualCertificate);
        }

        static void Main(string[] args)
        {
            // Register our own certificate validation
            ServicePointManager.ServerCertificateValidationCallback = OurCertificateValidation;

            // Message
            var from = new MailAddress("[email protected]", "Me");
            var to = new MailAddress("[email protected]", "Myself");

            var message = new MailMessage(from, to)
            {
                Subject = "Greetings!",
                Body = "How are you doing today?",
            };

            // Create client
            var client = new SmtpClient("smtp.example.com")
            {
                EnableSsl = true,
                Credentials = new NetworkCredential
                {
                    UserName = "[email protected]",
                    Password = "password",
                },
            };

            // Try to send
            using (client)
            {
                try
                {
                    client.Send(message);
                    Console.WriteLine("Message sent!");
                }
                catch (AuthenticationException e)
                {
                    Console.WriteLine("Authentication failed:");
                    Console.WriteLine(e.Message);
                }
                catch (SmtpException e)
                {
                    Console.WriteLine("SMTP error:");
                    Console.WriteLine(e.Message);
                }
            }

            Console.ReadKey(true);
        }
    }
}

The data has of course been changed to example values though. Anyways, this seems to work nicely from what I can see. Any comments on what I have done? Especially on the matter of how I do the certificate validation. Is it a good way of doing it? Or have I missed something so bad here that I might as well send the email not using SSL?

The reason for me doing the validation myself is that the default validation failed because it is a self-issued certificate and the mail domain I'm using is not the same as is in the certificate used. I'm using mail.mydomain.com while the domain in the certificate is something like mywebhost.com. So what I did was to get the certificate file from Opera using it's mail client and store it so I can compare it to the one I get when trying to send the email. Is this a secure and good way to do this validation? I also know the hash of the actual certificate and tried to use that to compare with the one I get when sending the email. This also works and was sort of easier to do, although in lines of code it's pretty much the same. Just comparing with a string instead of a file. Is any of these ways better than the other?

A: 

Just a side question to your code - Why do you pass the parameters object s, X509Chain chain and SslPolicyErrors sslPolicyErrors into your OurCertificateValidation method? They aren't getting referenced.

Alex
@Alex: Because they are part of the delegate signature?
Svish
A: 

You aren't checking certificate validity period and aren't checking if it has not been revoked by the server. In general, proper certificate validation is very non-trivial thing.

Validity period check is trivial - just check ValidFrom and ValidTo properties of the certificate. Moment of validation must fit in between. As for revocation checking, -- if you have a self-signed certificate anyway, there's a little chance that server maintainers will bother managing CRLs or install OCSP server for online validation. So you can skip this step in your particular case.

Finally, what if the server changes the certificate to another legitimate one? You will need to change your code (or file with certificate), won't you?

Eugene Mayevski 'EldoS Corp
Thanks! Validity period check is a good point. Should add that. How would you check if the certificate has been revoked? If the server changes the certificate I would in my case need to change the file certificate yes, but isn't that sort of how all email clients work? A popup tells you something is wrong with the certificate and asks you if you want to accept that certificate from now on, or something like that.
Svish
I implemented certificate validator component for our SecureBlackbox product, and we have OCSP client and CRL component there, so it was not hard. BTW we have SMTP client component that does all the checks in a handy way, but for your simple task it can be an overkill.
Eugene Mayevski 'EldoS Corp