How to validate self-signed certification

Daniel Eugen · Sep 15, 2012 · Viewed 7.3k times

I will provide you with my question clearly so you can answer me.

I have a client-server (socket) connection that I secured using SslStream, and as I know, using SSL makes me sure that my client will only connect to my server.

And to do that I must add a function to my client to validate the server certification and make sure that the server is the real one (my server).

But I really don't get how I could validate my self-signed certification and want your help.

Regards, and my thanks in advance

Answer

Guido Simone · Sep 16, 2012

Imagine if the certificate were not self-signed - it is signed by a trusted certificate authority. The reason it works is because your client device - Windows, Mac, Linux, iPhone, Android device - already has the certificates of all the well-known certificate authorities. The operating system does the work for you when you make the connection. It ensures that the certificate sent to the client during the connection is signed by a well-known certificate authority. The only reason this works though is because the client already has the certificates for all the well-known certificate authorities.

If you choose to use a self-signed certificate - or a certificate signed by a self-signed certificate authority - you have to do the work, instead of the operating system. However - the task is basically the same - you need to verify that the certificate sent to the client during the connection matches what is expected. And you will need to use the same strategy that signed certificates use - your client has to have the expected certificate (or certificate chain) pre-installed.

Somehow, some way you need to ensure that your client already has the self-signed certificate. Specifically all the public information in the certificate. The client will not have the private key - since that is ... private. Then you can add code to your app to verify that the hash of the certificate sent during the connection matches the hash of the certificate that was pre-installed.

I noticed you have asked a similar question before and you may know all this already. Here is one additional point:

As long as you keep the private key of your self-signed certificate absolutely secure, there is no way anyone can fake your self-signed certificate. It just cannot be done. If someone tries, they will have to generate a new private key which won't match yours - because they do not know your private key because you kept it secure.

Then everything breaks down. If they have a different private key, they will need a different public key. This means they will have a different certificate hash. And your app already knows the correct public key and hash (as described above), so when they try to come in with their bad public key and hash your app will reject the connection. This is the part that you have to do in your application.

If they attempt to use your public key and hash but with a different private key, SSL will not allow them to make the connection.
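
The hash comparison described in the answer above, as an added C# example that is not part of the original answer: a validation callback for `SslStream` that accepts only the certificate the client was shipped with. The two certificates are throwaway ones generated inside the block, and `PinTo`, `Fingerprint`, `MakeSelfSigned` and the host name `my-server.example` are names assumed for illustration.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertDemo
{
    // SHA-256 over the DER encoding of the whole certificate.
    static byte[] Fingerprint(X509Certificate cert)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(cert.GetRawCertData());
    }

    // Builds a callback that accepts only the pinned certificate.
    // Chain errors are ignored on purpose: a self-signed certificate never
    // chains to a trusted root, so the pin is the only trust decision.
    static RemoteCertificateValidationCallback PinTo(X509Certificate pinned)
    {
        byte[] expected = Fingerprint(pinned);
        return (sender, cert, chain, errors) =>
            cert != null && Fingerprint(cert).SequenceEqual(expected);
    }

    // Constructed sample input: a throwaway self-signed certificate.
    static X509Certificate2 MakeSelfSigned(string cn)
    {
        using (var key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=" + cn, key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                        DateTimeOffset.UtcNow.AddYears(1));
        }
    }

    static void Main()
    {
        var real = MakeSelfSigned("my-server.example");   // what the real server presents
        var pinned = new X509Certificate2(real.RawData);  // public part only, shipped with the client
        var fake = MakeSelfSigned("my-server.example");   // same name, different key pair

        var validate = PinTo(pinned);
        var errors = SslPolicyErrors.RemoteCertificateChainErrors;
        Console.WriteLine("real server accepted: " + validate(null, real, null, errors));
        Console.WriteLine("impostor accepted:    " + validate(null, fake, null, errors));
        // In the client: new SslStream(tcpClient.GetStream(), false, PinTo(pinned)),
        // then AuthenticateAsClient("my-server.example").
    }
}
```

The impostor certificate carries the same subject name but is rejected, because its key pair and therefore its fingerprint differ from the pinned one.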