by Mentalis.org Team [pieter at mentalis dot org] posted on 2003/08/09
We often get email from users of the Security Library about an exception that the SecureSocket class throws right after it has connected to a remote host. The cause of this exception is almost always a failed verification of the server certificate.
Many users set the CredentialVerification of the SecureSocket to Auto. This means that the SecureSocket verifies the peer certificate by itself and, if that verification fails, closes the connection and throws an exception. This is where the exception that many users are seeing comes from.
Certificate validation can fail for several reasons, but these are the two most common causes:
- UntrustedRoot: the root certificate that signed the server certificate is not trusted on this computer.
- NoCNMatch: the common name (CN) on the certificate does not match the host name you connected to.
We recommend using the Manual CredentialVerification type in your applications. This requires somewhat more code, but it lets you tell the different certificate validation failures apart and handle (or at least log) each one explicitly.
CredentialVerification.Auto can be used if you are sure that the server will always send a valid certificate [the common name is correct, the root CA of the certificate is trusted and the certificate is not expired].
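Here is what the Manual verification path looks like in practice. This is an added example, not code from the original post or from the Security Library's own samples; it assumes the library's SecurityOptions, CertVerifyEventHandler, VerifyEventArgs.Valid, CertificateChain.VerifyChain, Certificate.GetName and CertificateStatus members as we recall them, so check the names against the version you ship.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using Org.Mentalis.Security.Certificates;
using Org.Mentalis.Security.Ssl;

public class ManualVerifyClient
{
    public static SecureSocket Connect(string host, int port)
    {
        // Assumed SecurityOptions members. CommonName is the host name the
        // server certificate is expected to carry; it is what NoCNMatch is checked against.
        SecurityOptions options = new SecurityOptions(SecureProtocol.Tls1);
        options.Entity = ConnectionEnd.Client;
        options.CommonName = host;
        options.VerificationType = CredentialVerification.Manual; // we verify, not the socket
        options.Verifier = new CertVerifyEventHandler(OnVerify);

        SecureSocket socket = new SecureSocket(AddressFamily.InterNetwork,
            SocketType.Stream, ProtocolType.Tcp, options);
        socket.Connect(new IPEndPoint(Dns.Resolve(host).AddressList[0], port));
        return socket;
    }

    // Called by the SecureSocket during the handshake with the server's certificate
    // and the chain that was sent with it (assumed handler signature).
    private static void OnVerify(SecureSocket socket, Certificate remote,
        CertificateChain chain, VerifyEventArgs e)
    {
        // Assumed: VerifyChain walks the chain to a trusted root and compares the CN.
        CertificateStatus status = chain.VerifyChain(socket.CommonName, AuthType.Server);
        switch (status)
        {
            case CertificateStatus.ValidCertificate:
                e.Valid = true;                       // accept: chain and name are fine
                break;
            case CertificateStatus.UntrustedRoot:     // root CA not in this machine's store
                Console.Error.WriteLine("Rejected: untrusted root CA for " + socket.CommonName);
                e.Valid = false;
                break;
            case CertificateStatus.NoCNMatch:         // certificate issued for another host
                Console.Error.WriteLine("Rejected: certificate is for '" + remote.GetName()
                    + "', not '" + socket.CommonName + "'");
                e.Valid = false;
                break;
            default:                                  // expired, revoked, bad signature, ...
                Console.Error.WriteLine("Rejected: " + status);
                e.Valid = false;
                break;
        }
    }
}
```

Setting e.Valid to false still makes the SecureSocket close the connection and throw, but the log line now tells you which of the cases above you hit instead of a generic verification failure.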