.net – Could not establish trust relationship for the SSL/TLS secure channel with subject alternative name certificate

netSecurityssl

I'm getting a System.Net.WebException

The underlying connection was closed: Could not establish trust
relationship for the SSL/TLS secure channel

The inner exception is System.Security.Authentication.AuthenticationException

The remote certificate is invalid according to the validation procedure

when using System.Net.WebClient.DownloadString(String address) against www.foo.com with a certificate for www.bar.com but with www.foo.com listed in the Subject Alternative Name field.

The certificate is issued by GoDaddy so Chrome and Internet Explorer consider the certificate valid when going to www.bar.com but also have no problems with the certificate when going to www.foo.com.

I think this should be a valid certificate for WebClient because the domain is listed in the Subject Alternative Name field, is this correct? Or does WebClient not use Subject Alternative Name field for SSL certificates issued to one site but used on another site?

Best Answer

... this should be a valid certificate for WebClient because the domain is listed in the Subject Alternative Name field, is this correct?

Yes, this is correct.

Additionally, there should be no DNS names in the CN. Placing a DNS name in the CN is deprecated by both the IETF/RFC 6125 and the CA/Browser Forums.

You should put a friendly name in the CN because it is presented to the user. You should put the DNS names in the SAN.

While the practice is deprecated, its not forbidden...

Or does WebClient not use Subject Alternative Name field for SSL certificates issued to one site but used on another site

The best I can tell, connecting to www.foo.com with CN=www.bar.com and SAN=www.foo.com is OK per RFC 6125, section 6.4.4; and its OK per CA/B's Baseline Requirements section 9.2.1 and 9.2.2.

So, a few guesses since we don't have the real server URL or the server's real certificate:

WebClient.DownloadString has a bug
The attribute has an unexpected coding (for example, IA5STRING rather than UTF8 string)
The Issuer's encoding differs from the Subject's encoding (for example, the signer's Subject's DN is IA5STRING, and end entity's Issuer DN is a UTF8 string)

For the guesses above, Chrome and Internet Explorer could be more tolerant than WebClient.DownloadString.

If (3) is the issue, then WebClient.DownloadString is actually correct. In the signing hierarchy below, the attribute encoding of the certificate's Issuer DN must be the same encoding as the signer's Subject DN. You can't mix and match them.

enter image description here

The graphic above was shamelessly ripped from Peter Gutmann's Engineering Security. Its freely available online, and it will teach you a lot of interesting security related things. He especially likes poking holes in PKI and offers two chapters on its real-world failures in practices.

Related Solutions

C# – Could not establish trust relationship for SSL/TLS secure channel — SOAP

The following snippets will fix the case where there is something wrong with the SSL certificate on the server you are calling. For example, it may be self-signed or the host name between the certificate and the server may not match.

This is dangerous if you are calling a server outside of your direct control, since you can no longer be as sure that you are talking to the server you think you're connected to. However, if you are dealing with internal servers and getting a "correct" certificate is not practical, use the following to tell the web service to ignore the certificate problems and bravely soldier on.

The first two use lambda expressions, the third uses regular code. The first accepts any certificate. The last two at least check that the host name in the certificate is the one you expect.
... hope you find it helpful

//Trust all certificates
System.Net.ServicePointManager.ServerCertificateValidationCallback =
    ((sender, certificate, chain, sslPolicyErrors) => true);

// trust sender
System.Net.ServicePointManager.ServerCertificateValidationCallback
                = ((sender, cert, chain, errors) => cert.Subject.Contains("YourServerName"));

// validate cert by calling a function
ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(ValidateRemoteCertificate);

// callback used to validate the certificate in an SSL conversation
private static bool ValidateRemoteCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors policyErrors)
{
    bool result = cert.Subject.Contains("YourServerName");
    return result;
}

C# Ignore certificate errors

Add a certificate validation handler. Returning true will allow ignoring the validation error:

ServicePointManager
    .ServerCertificateValidationCallback += 
    (sender, cert, chain, sslPolicyErrors) => true;

Best Answer

Related Solutions

C# – Could not establish trust relationship for SSL/TLS secure channel — SOAP

C# Ignore certificate errors

Related Topic