Catching IIS-level certificate errors in C# code

Question

I'm making a SOAP handler that will be secured with X509 Certificates, and one of the requirements is that the program log as much as possible in an existing log viewer. Obviously, there are a lot of errors surrounding certificates that are handled at the IIS level, which in this case is not acceptable.

I already have the logging part solved in C# code. That part is easy. The harder part is getting the IIS-level errors to go into the code instead of being returned to the client as unhelpful web errors. I looked at this thread, but our project lacks an App_Code folder due to the nature of what's going on, so it's not terribly applicable.

Any suggestions?

Answer 1

Presuming you are running on IIS7 or better, the general answer would apply to you as well -- you can use a custom HttpModule to trap IIS-level errors for your app. Just, rather than putting the module in App_Code, build it with your app and change the wire-up to look there.

Answer 2

With IIS6, I think that you need an ISAPI filter (C++ only), in order to have a look at the request before it is considered invalid (e.g. because of certificate errors).

If I am not mistaken, SSL in IIS is also implemented by an ISAPI filter, so I doubt that it has hooks to better handle / log certificate errors.

My company had an issue with certificates in a project and we asked Microsoft Support Services for tools / logs that would help in the diagnosis. There was no satisfying answer regarding the capability to get more info about the error.

I guess re-implementing the SSL handshake is too much work for your project, so the only way to get more info is to buy such an SSL implementation, assuming one exists for IIS6 and gives you the info you need.