tags:

views:

344

answers:

1
+1  Q: 

HTTPWebRequest Remote Certificate Name Mistmatch

I'm trying to make an SSL call using HTTPWebRequest and its continually failing saying it can't establish trust. I've added a callback to ServicePointManager.ServerCertificateValidationCallback and returning true always works. However, I'd like things to be a little more secure than that. Looking at the SslPolicyErrors in the validation method it appears that I'm getting a RemoteCertificateNameMismatch error. What isn't matching up correctly to cause this kind of error?

(edit: see comments in the answer) The site I'm accessing uses HTTPBasic over SSL and an URL something like v1.api.serviceprovider.com, with a certificate issued to *.serviceprovider.com.

+1  A: 

General certificate issues:

  • certificate not issued by a trusted certificate provider (must be in your trust chain)
  • certificate expired

This specific error usually means that the certificate isn't issued for the site you are hitting. Examples:

  • difference between "www.yoursite.com" and "yoursite.com" (they are different; some big names get this wrong, which really annoys me...)
  • accessing as an IP address instead of the name on the cert; or v/v
  • a load balancer redirecting you to "server1,yoursite.com" but giving you the cert from "yoursite.com"
  • a load balancer silently passing you to "server1", which is issuing certificates for "server1", not the site
  • (edit see comments) a wildcard certificate issued for multiple levels - i.e. issued to *.somesite.org, when you are hitting foo.bar.somesite.org

Most of these are readily identifiable by navigating to the site and reading the warnings that your browser gives you, and inspecting the certificate that got issued.

Marc Gravell  2009-01-19 15:02:23
I don't know if this would make any difference, but the site I'm accessing uses HTTPBasic over SSL and an URL something like v1.api.serviceprovider.com, with a certificate issued to *.serviceprovider.com. That seems right to me... so maybe it's that I need to import the cert?
Wes P  2009-01-19 15:10:20
You shouldn't need to import the certificate if it is issued by a trusted provider. Can a certificate be issued to *.somesite.tld? Interesting...
Marc Gravell  2009-01-19 15:13:51
I'm thinking the wildcard cert is the issue: from http://www.sslshopper.com/best-ssl-wildcard-certificate.html:
Marc Gravell  2009-01-19 15:15:33
However, in most web browsers (including Internet Explorer) SSL Wildcard Certificates won't work for multiple levels. This means that an SSL Certificate Wildcard for *.mydomain.com won't work on www.mail.mydomain.com or site1.sitea.mydomain.com [snip]
Marc Gravell  2009-01-19 15:16:05
Assuming that HttpWebRequest follows the same, then you'll need to try *.api.serviceprovider.com
Marc Gravell  2009-01-19 15:16:42
Oooh good catch! That definitely sounds like a problem area. Thanks Marc.
Wes P  2009-01-19 15:44:07

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?