We use a third party service which - when accessed via a browser - yields this error:
OK - we should call them and probably tell them to fix this at their side.
But -
Question:
Looking at this simple C# code - why don't I see any exception about this warning, or in other words - how can I make C# reflect this warning or unsafe access?
NB I already know that I can use a more advanced WebRequest class using another class - but it doesn't matter for this question (imho).
using System;
using System.IO;
using System.Net;
using System.Text;

void Main()
{
    Console.WriteLine(CreatePost("https://------", "dummy")); // No exception/warning here
}

private string CreatePost(string uri, string data)
{
    // Must be set before the connection is opened; setting it after
    // GetRequestStream() (as originally written) does not affect this request.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);
    request.KeepAlive = false;
    request.ProtocolVersion = HttpVersion.Version10;
    request.Method = "POST";
    byte[] postBytes = Encoding.UTF8.GetBytes(data);
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = postBytes.Length;

    // now send it
    using (Stream requestStream = request.GetRequestStream())
    {
        requestStream.Write(postBytes, 0, postBytes.Length);
    }

    using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
    using (var reader = new StreamReader(response.GetResponseStream(), Encoding.UTF8))
    {
        return reader.ReadToEnd();
    }
}
Also - I know that the browser URL address is using GET (unlike the C# POST verb) - but I don't think that they've redirected this action to a silenced warning.
You don't see any warning when accessing it via C# because Google Chrome is checking how the SSL is set up and putting the warning in the way to try and protect you (and users of said service). When you access it from C#, it never touches Chrome and so you don't get the warning.
You'll get a similar warning in a few other browsers, but it's not part of the response to the request you're making - just the browser trying to keep you safe.
You could manually check the signature algorithm in your code, and throw an exception if it's not what you deem "secure".
Edit: you can check the signature algorithm by adding a custom validation callback to ServicePointManager, something like this:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
ServicePointManager.ServerCertificateValidationCallback =
    new RemoteCertificateValidationCallback(
        (sender, certificate, chain, errors) => {
            // Do not mask genuine chain/name failures reported by the platform.
            if (errors != SslPolicyErrors.None)
            {
                return false;
            }
            // SignatureAlgorithm is an Oid; its FriendlyName is e.g. "sha1RSA", so match on the hash prefix.
            var insecureAlgorithms = new List<string> { "sha1" };
            var sslCertificate = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
            var signingAlgorithm = sslCertificate.SignatureAlgorithm.FriendlyName ?? "";
            if (insecureAlgorithms.Any(a => signingAlgorithm.StartsWith(a, StringComparison.OrdinalIgnoreCase)))
            {
                return false;
            }
            // do some other checks here...
            return true;
        }
    );
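An added example, not code from the question or the answer: it walks the whole server chain (not just the leaf) for the signature-hash OIDs browsers treat as weak, keeps the platform's own chain checks, attaches the callback per request rather than process-wide, and verifies the detection offline against a constructed SHA-1 self-signed certificate. It assumes a runtime with CertificateRequest (.NET Framework 4.7.2+ or .NET Core 2.0+/.NET 5+); the URL is a placeholder.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class WeakSignatureCheck
{
    // Signature-algorithm OIDs modern browsers reject: md2RSA, md5RSA, sha1RSA, sha1DSA, sha1ECDSA.
    static readonly string[] WeakOids =
    {
        "1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5",
        "1.2.840.10040.4.3", "1.2.840.10045.4.1"
    };

    public static bool IsWeakSignature(X509Certificate2 cert) =>
        WeakOids.Contains(cert.SignatureAlgorithm.Value);

    // RemoteCertificateValidationCallback: never override real failures, then
    // additionally fail on a weak signature anywhere below the trust anchor.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None) return false;
        var elements = chain.ChainElements.Cast<X509ChainElement>().ToList();
        // The root's self-signature is irrelevant to security; browsers skip it too.
        foreach (var element in elements.Take(elements.Count - 1))
        {
            if (!IsWeakSignature(element.Certificate)) continue;
            Console.Error.WriteLine("weak signature " + element.Certificate.SignatureAlgorithm.FriendlyName
                                    + " on " + element.Certificate.Subject);
            return false;
        }
        return true;
    }

    static void Main()
    {
        // Offline check: a constructed self-signed certificate signed with SHA-1 (assumption: runtime allows it).
        using (var key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=weak.example", key, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
            using (var weak = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
                Console.WriteLine("SHA-1 certificate flagged as weak: " + IsWeakSignature(weak));
        }
        // Per-request hook (instance property, .NET Framework 4.5+) instead of the global ServicePointManager one.
        var request = (HttpWebRequest)WebRequest.Create("https://example.invalid/"); // placeholder URL
        request.ServerCertificateValidationCallback = Validate;
        try { request.GetResponse().Dispose(); }
        catch (WebException ex) { Console.WriteLine("Rejected: " + (ex.InnerException?.Message ?? ex.Message)); }
    }
}
```

A weak chain now surfaces as a WebException wrapping an AuthenticationException, which is the "exception about this warning" the question asks for.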