Dailydave mailing list archives

Re: WCF SSL Validation


From: Rodney Thayer <rodney () tsc-labs net>
Date: Wed, 05 Mar 2008 07:45:29 -0800

Dave Aitel wrote:
> So I'm doing an application assessment of a .Net 3.0 app ...

> Also the WCF .Net API does not treat
> certificates the same way that IE7 does. You can have a certificate
> imported into IE and then browse nicely through SPIKE Proxy but still
> have WCF requests fail with SSL validation errors. This is a pain but
> there's no way to bypass it that I can figure out.

I thought they were both bolted into the Crypto API certificate store.
Of course, they probably have asymmetric certificate validation callback
processing.  Have you tried CRLs or OCSP?  Hell, if it's really doing
certificate processing, a modern CAPI would probably have hooks
to do extended key usage (baroque exotic certificate option) processing
and that too could be asymmetric.

It's nice to see that certificate processing crosses your radar.  It
deserves your level of attention.

> Today the plan is to bypass the need for SSL MITM by using Immunity
> Debugger to hook the http request API and modify it on the fly the way
> JMS usually does.

Very cool.  I hate it when people treat SSL as a cryptographic codpiece
rather than defending the underlying technology.