Dailydave mailing list archives
Re: WCF SSL Validation
From: Rodney Thayer <rodney () tsc-labs net>
Date: Wed, 05 Mar 2008 07:45:29 -0800
Dave Aitel wrote:
> So I'm doing an application assessment of a .Net 3.0 app ...
> Also the WCF .Net API does not treat certificates the same way that IE7 does. You can have a certificate imported into IE and then browse nicely through SPIKE Proxy but still have WCF requests fail with SSL validation errors. This is a pain but there's no way to bypass it that I can figure out.
I thought they were both bolted into the Crypto API certificate store. Of course, they probably have asymmetric certificate validation callback processing. Have you tried CRLs or OCSP? Hell, if it's really doing certificate processing, a modern CAPI would probably have hooks to do extended key usage (baroque exotic certificate option) processing and that too could be asymmetric. It's nice to see that certificate processing crosses your radar. It deserves your level of attention.
> Today the plan is to bypass the need for SSL MITM by using Immunity Debugger to hook the http request API and modify it on the fly the way JMS usually does.
Very cool. I hate it when people treat SSL as a cryptographic codpiece rather than defending the underlying technology.
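An added example, not part of the thread or of either poster's code: a C# diagnostic that validates one certificate under two chain policies, illustrating the reply's point that revocation (CRL/OCSP) and extended key usage checks can differ between callers that share a certificate store. The certificate is constructed in the code, and the two policies are assumptions chosen for illustration that do not reproduce IE7's or WCF's actual settings; it needs a runtime that has `CertificateRequest` (.NET Framework 4.7.2 or later).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDiag
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Constructed sample: self-signed cert whose EKU lists only clientAuth.
    static X509Certificate2 MakeSampleCert()
    {
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=proxy.example.test", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid(ClientAuthOid) }, false));
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                        DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    // Build the chain under the given policy and print every status flag.
    static void Report(string label, X509Certificate2 cert,
                       Action<X509ChainPolicy> configure)
    {
        using (var chain = new X509Chain())
        {
            configure(chain.ChainPolicy);
            bool ok = chain.Build(cert);
            Console.WriteLine("{0}: Build returned {1}", label, ok);
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  {0}", s.Status);
        }
    }

    static void Main()
    {
        using (X509Certificate2 cert = MakeSampleCert())
        {
            // Policy A (assumed): no revocation lookup, no usage requirement.
            Report("no revocation, no EKU", cert, p =>
                p.RevocationMode = X509RevocationMode.NoCheck);
            // Policy B (assumed): online CRL/OCSP lookup, serverAuth EKU required.
            Report("online revocation + serverAuth", cert, p => {
                p.RevocationMode = X509RevocationMode.Online;
                p.ApplicationPolicy.Add(new Oid(ServerAuthOid));
            });
        }
    }
}
```

Compare the status flags between the two runs: a flag that appears only under the second policy comes from the stricter revocation or usage checks rather than from the certificate store.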