I'm trying to make an SSL call using HTTPWebRequest and it's continually failing saying it can't establish trust. I've added a callback to ServicePointManager.ServerCertificateValidationCallback and returning true always works. However, I'd like things to be a little more secure than that. Looking at the SslPolicyErrors in the validation method it appears that I'm getting a RemoteCertificateNameMismatch error. What isn't matching up correctly to cause this kind of error?

(edit: see comments in the answer) The site I'm accessing uses HTTPBasic over SSL and a URL something like v1.api.serviceprovider.com, with a certificate issued to *.serviceprovider.com.

+1  A: 

General certificate issues:

  • certificate not issued by a trusted certificate provider (must be in your trust chain)
  • certificate expired

This specific error usually means that the certificate isn't issued for the site you are hitting. Examples:

  • difference between "www.yoursite.com" and "yoursite.com" (they are different; some big names get this wrong, which really annoys me...)
  • accessing as an IP address instead of the name on the cert; or v/v
  • a load balancer redirecting you to "server1.yoursite.com" but giving you the cert from "yoursite.com"
  • a load balancer silently passing you to "server1", which is issuing certificates for "server1", not the site
  • (edit see comments) a wildcard certificate issued for multiple levels - i.e. issued to *.somesite.org, when you are hitting foo.bar.somesite.org

Most of these are readily identifiable by navigating to the site and reading the warnings that your browser gives you, and inspecting the certificate that got issued.

Marc Gravell
I don't know if this would make any difference, but the site I'm accessing uses HTTPBasic over SSL and a URL something like v1.api.serviceprovider.com, with a certificate issued to *.serviceprovider.com. That seems right to me... so maybe it's that I need to import the cert?
Wes P
You shouldn't need to import the certificate if it is issued by a trusted provider. Can a certificate be issued to *.somesite.tld? Interesting...
Marc Gravell
I'm thinking the wildcard cert is the issue: from http://www.sslshopper.com/best-ssl-wildcard-certificate.html:
Marc Gravell
However, in most web browsers (including Internet Explorer) SSL Wildcard Certificates won't work for multiple levels. This means that an SSL Certificate Wildcard for *.mydomain.com won't work on www.mail.mydomain.com or site1.sitea.mydomain.com [snip]
Marc Gravell
Assuming that HttpWebRequest follows the same, then you'll need to try *.api.serviceprovider.com
Marc Gravell
Oooh good catch! That definitely sounds like a problem area. Thanks Marc.
Wes P
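As an added example (not code from the question or the answer, and written in Python rather than .NET so it runs on its own), here is the single-label wildcard rule the comments describe, plus a helper that names the reason behind a RemoteCertificateNameMismatch-style failure; all hostnames and certificate names are constructed to mirror the thread.

```python
import ipaddress

def _labels(name):
    # Case-insensitive comparison on whole DNS labels; a trailing dot is ignored.
    return name.strip().lower().rstrip(".").split(".")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(cert_name, host):
    """True if a certificate name (CN or SAN dNSName) covers `host`.

    Single-label wildcard rule: "*" is only honoured as the entire leftmost
    label, it stands in for exactly one label, and it must leave at least two
    literal labels (so "*.com" matches nothing). An IP literal only matches
    itself exactly, never a wildcard.
    """
    cert, want = _labels(cert_name), _labels(host)
    if cert == want:
        return True
    if _is_ip(host) or cert[0] != "*" or len(cert) < 3:
        return False
    return len(cert) == len(want) and cert[1:] == want[1:]

def mismatch_reason(host, cert_names):
    """Explain why none of the names on the certificate covers the requested host."""
    for name in cert_names:
        if name_matches(name, host):
            return "match: %s is covered by %s" % (host, name)
    want = _labels(host)
    for name in cert_names:
        cert = _labels(name)
        # Wildcard is for the right zone, but the host sits more than one label below it.
        if cert[0] == "*" and len(want) > len(cert) and cert[1:] == want[-(len(cert) - 1):]:
            return ("wildcard-too-deep: %s covers exactly one label below %s, but %s has %d"
                    % (name, ".".join(cert[1:]), host, len(want) - len(cert) + 1))
        # Wildcard never covers the bare domain it hangs off.
        if cert[0] == "*" and cert[1:] == want:
            return "bare-domain: %s does not cover %s itself" % (name, host)
    if _is_ip(host):
        return "ip-literal: connected by IP %s, certificate names %s" % (host, cert_names)
    return "wrong-host: none of %s names %s" % (cert_names, host)
```

Running mismatch_reason("v1.api.serviceprovider.com", ["*.serviceprovider.com"]) reports the wildcard-too-deep case from the comments, which is what a callback returning true unconditionally would have hidden.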