I am developing a c# application, and using Pinvoke to call the method WinVerifyTrust.
the pinvoke declaration is as defined in Pinvoke.net.
The RevocationChecks is set to none.
When trying to check my program on iExplorer, at first it worked ok and returned status ok for the file, but suddenly it started failing with CERT_E_REVOCATION_FAILURE, and then after a while it was ok again.
What might cause this weird behavior? does it mean that I am doing something wrong?
By default WinVerifyTrust tries to download any associated Certificate Revocation List (CRL) to verify that the certificate has not been explicitly revoked. If your connection to the Internet is not stable and the download fails, the CERT_E_REVOCATION_FAILURE is returned.
If you have some version of the Windows SDK installed, you can temporarily turn of the CRL download with the setreg tool. Keep in mind though that this should only be used temporarily to verify that the issues you are seeing are indeed related to CRL connectivity.
setreg.exe 3 FALSE
Documentation for the tool is available at MSDN.
Related
I wanted to check the trust of the one of the .exe file in our project for which I am using C#.
I have referred - http://pinvoke.net/default.aspx/wintrust/WinVerifyTrust.html
Here is my code snippet.
WinTrustData wtd = new WinTrustData(filename);
Guid guidAction = new Guid(WINTRUST_ACTION_GENERIC_VERIFY_V2);
WinVerifyTrustResult result = WinVerifyTrust(INVALID_HANDLE_VALUE, guidAction, wtd);
bool valid = (result == WinVerifyTrustResult.Success);
filename - is nothing but .exe file path.
WinVerifyTrust() mentioned in above code returns "WinVerifyTrustResult.Success" only if machine is connected to internet at least once.
However on fresh machine it returns "0x800b0100" i.e.- "Trust_e_nosignature".
Is it expected behavior? If yes then how to resolve it?
I searched for this specific behavior but did not found any satisfactory answer.
Windows (7+) is shipped with a very limited set of root certificates.
Those are downloaded on demand. This could be the reason why the authenticode signature could not be verified if a computer was never connected to the internet before (but still, I suppose that just connecting to the internet is not sufficient, but some surfing to https pages or verifying the authenticode signature is necessary so that the "right" root certificate is downloaded).
You can verify this by checking/counting the ca certificates which are installed in the internet explorer before and after connecting to the internet.
I am downloading files from a client's SFTP.
When I do it from Filezilla it always succeeds in the standard way.
On the other side, when I do it from our app, that uses Tamir SharpSSH library for SFTP communication, periods constantly emerge when our all download attempts for a file fail.
I know the app works as that code has not been changes for several months and it worked much more often then it did not, but the periods keep reemerging when for the whole day or more all file downloads fail only for the app.
The exception I get is Tamir.SharpSsh.jsch.SftpException . Obviously not very helpful.
My guess is the client is doing modifications on their side, or changing permissions, as their side is not live yet, but with the exception message I do not know.
Does anybody has some suggestion? Where could I look for the solution? What should I test/try?
Thank you for the time!
The real message was 'No such file'. The reason was, a slash has been omitted for the root folder path, in one of our config files.
When you open the exception variable in VS Watch you will see all info properties from standard exception are null or simply set to 'Tamir.SharpSsh.jsch.SftpException'.
But, an additional property was apparently added to Tamir.SharpSsh.jsch.SftpException class - "message" and that is where the real message is stored, while Exception.Message is pretty often set to just "Tamir.SharpSsh.jsch.SftpException" .
The issue is the additional property is private and is only visible by VS Watch or similar.
Since our exception propagation mechanism is based on logging Exception.Message I was most of the time getting "Tamir.SharpSsh.jsch.SftpException"
I have created a server using HttpListener. It works perfect without SSL, but with SSL something strange happens.
I have installed the certificate using httpcfg and even with my own program, it installs correctly, the listener starts and serves HTTPS requests, but always asks for a client certificate.
It does not happens on Windows/.net, only with Linux/mono (I'm using ver 3.4.0) and is very annoying, I don't want the user to be asked each time he tries to log in for a client certificate.
Is this a mono bug or is there any way to disable the client certificate negotiation?
Thanks.
I'm having the same problem. What I've discovered is that this is hardcoded in Mono. In mcs/class/System/System.Net/HttpConnection.cs, when the constructor of SslServerStream is called, you will notice that the requestClientCertificate is hardcoded to true.
I came across this PR that attempts to change this hardcoded value to false, however it's currently semi-rejected due to "I rather not change one hardcoded value for another hardcoded value."
[Update] And I just now realized you (OP) are the author of the PR :)
[Update 9/21/2016] It looks like this question is still getting hits. If it is helpful to anyone, we went with nginx as a reverse proxy a long time ago when we could not resolve this issue. I'm glad we did, and should have done it sooner. It is much faster than Mono for handling the SSL/TLS, and allows us to more carefully control the crypto suites and keep up to date with security patches.
I'm keeping an eye on Mono 4.6, which has yet to release. With their overhaul of TLS and the ability to plug in alternate implementations at runtime this might give us a path forward without using nginx reverse proxy.
The only options one (still..) has are:
Use Gusman's pull request #1 or #2 (depending on your Mono version) as workaround which should be OK for productive environments, if a recent Mono version's source code is used.
Example for Mono v4.2.3.4:
echo -e -n "83c83\n< \t\t\t\tSslServerStream ssl_stream = new SslServerStream (new NetworkStream (sock, false), cert, false, true, false);\n---\n> \t\t\t\tSslServerStream ssl_stream = new SslServerStream (new NetworkStream (sock, false), cert, false, false, false);\n" > nocerts.diff
tar xvjf mono-4.2.3.4.tar.bz2
cd mono-4.2.3.4
patch ./mcs/class/System/System.Net/HttpConnection.cs ../nocerts.diff
./configure --prefix=/usr
make
make install
Or use the last Mono version that works without client certificates (which is v3.10.0).
In order to follow this tutorial (http://msdn.microsoft.com/en-us/library/gg695790.aspx) I need to generate some early bound types. I cannot get the tool to work.
I've downloaded the latest CRM 2013 SDK
I've got a CRM2013 online trial account.
the URL I use is the one I got from the CRM2013->Settings->Customizations->Developer recources->organisation service.
the credential i use the default user (admin) from the CRM2013 online trial.
lets say it's John360
So the URL for CRM is like https://john360.crm4.dynamics.com/
user: john#john360.onmicrosoft.com
pwd: pass
organisationService: https://john360.api.crm4.dynamics.com/XRMServices/2011/Organization.svc
when I try the command like:
CrmSvcUtil.exe /codeCustomization:"Microsoft.Xrm.Client.CodeGeneration.CodeCustomization, Microsoft.Xrm.Client.CodeGeneration" /out:Xrm\Xrm.cs /url:https://john360.api.crm4.dynamics.com/XRMServices/2011/Organization.svc /username:john /domain:john360.onmicrosoft.com /password:pass /namespace:Xrm /serviceContextName:XrmServiceContext
i get
value cannot be null. Parameter name: identityProvider
I also tried some Obvious other with or without quotes, with the 'domain' appended to the username, nothing works. I added the program to the firewall.
I also tried this tool https://xrmearlyboundgenerator.codeplex.com/
It also has problems connecting to the server. I tried with the latest version and with these connection settings: use CRM online and selected the crm4.dynamics.com
Login: john#john360.onmicrosoft.com, password: pass.
If I select 'Get Orgs.' I get the error
'an unsecured or incorrectly secured fault was received from the other party'
I've now also tried this route: http://code.msdn.microsoft.com/SdkSoapjs-Entity-Class-14ca830f
The program gives the same error as the other generator.
edit:
I actually got a bit further... with this command:
CrmSvcUtil.exe /codeCustomization:"Microsoft.Xrm.Client.CodeGeneration.CodeCustomization, Microsoft.Xrm.Client.CodeGeneration" /out:Xrm.cs /url:"https://john360.api.crm4.dynamics.com/XRMServices/2011/Organization.svc" /username:"john#john360.onmicrosoft.com" /password:"pass" /namespace:Xrm /serviceContextName:XrmServiceContext /serviceContextPrefix:
it resultet in error:
Metadata contains a reference that cannot be resolved.
I didn't do any customization changes to my trail, so I'm not sure what this is about. Any suggestions are welcome.
Using the XrmToolBox as a method of connecting to CRM, I've created a GUI front end wrapper over the CrmSvcUtil.exe. It adds a lot of additional features, but most importantly for you, it creates the commandline required to generate the entities for you. Download it from the plugin store within the Xrm Tool Box, and never have this problem again!
I have a .NET 3.5 desktop application that had been showing periodic slow downs in functionality whenever the test machine it was on was out of the office.
I managed to replicate the error on a machine in the office without an internet connection, but it was only when i used ANTS performance profiler that i got a clearer picture of what was going on.
In ANTS I saw a "Waiting for synchronization" taking up to 16 seconds that corresponded to the delay I could see in the application when NHibernate tried to load the System.Data.SqlServerCE.dll assembly.
If I tried the action again immediately it would work with no delay but if I left it for 5 minutes then it would be slow to load again the next time I tried it.
From my research so far it appears to be because the SqlServerCE dll is signed and so the system is trying to connect to get the certificate revocation lists and timing out.
Disabling the "Automatically detect settings" setting in the Internet Options LAN settings makes the problem go away, as does disabling the "Check for publishers certificate revocation".
But the admins where this application will be deployed are not going to be happy with the idea of disabling certificate checking on a per machine or per user basis so I really need to get the application level disabling of the CRL check working.
There is the well documented bug in .net 2.0 which describes this behaviour, and offers a possible fix with a config file element.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<runtime>
<generatePublisherEvidence enabled="false"/>
</runtime>
</configuration>
This is NOT working for me however even though I am using .net 3.5.
The SQLServerCE dll is being loaded dynamically by NHibernate and I wonder if the fact that it's dynamic could somehow be why the setting isn't working, but I don't know how I could check that.
Can anyone offer suggestions as to why the config setting might not work?
Or is there another way I could disable the check at the application level, perhaps a CAS policy setting that I can use to set an exception for the application when it's installed?
Or is there something I can change in the application to up the trust level or something like that?
You can specify in code if you want to check the revocation list per application:
ServicePointManager.CheckCertificateRevocationList = false;
In this blog posting (which cites another source) you have two options: disable CRL checking system wide or per app:
Disable CRL Checking Machine-Wide Control Panel -> Internet Options ->
Advanced -> Under security, uncheck the Check for publisher's
certificate revocation option
Disable CRL Checking For a Specific .Net Application See this
Microsoft KB Article: http://support.microsoft.com/kb/936707
What solved the problem for me:
I (think I) had a problem with online revocation before, so I explicitly switched to offline. Due to to warning, I now had to change...
_ = builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(
options =>
{
options.AllowedCertificateTypes = CertificateTypes.All;
options.RevocationMode = X509RevocationMode.Offline;
}
);
... to ...
_ = builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(
options =>
{
options.AllowedCertificateTypes = CertificateTypes.All;
options.RevocationMode = X509RevocationMode.NoCheck;
}
);