1

I am working on a project which I did not write, have inherited, and have an issue that I'm not sure quite how to solve. My background is not in .NET, so please excuse anything that doesn't sound right, as I may not know what the correct terminology should be.

We are using Visual Studio 2008 to compile a project that is running on Windows CE 6.0. We are using the Compact Framework v2.0. The software is running on an Embedded processor in a network (WIFI) connected industrial environment. The main UI is written in VB, and all of the supporting DLLs are written using C#.

Up until now we've only been required to connect to http (non-secure) web addresses for GET requests. We now have a requirement to switch these addresses over to https (secure) for security's sake.

The HttpWebRequest is built/submitted from VB. When I provide the code with the https address, I get the "Could not establish secure channel for SSL/TLS" error that is in the subject.

Here is the code for that request:

                            Dim myuri As System.Uri = New System.Uri(sUrl)
                            Dim myHttpwebresponse As HttpWebResponse = Nothing
                            Dim myhttpwebrequest As HttpWebRequest = CType(WebRequest.Create(myuri), HttpWebRequest)
                            myhttpwebrequest.KeepAlive = False
                            myhttpwebrequest.Proxy.Credentials = CredentialCache.DefaultCredentials
                            myhttpwebrequest.ContentType = "text/xml"
                            myhttpwebrequest.Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
                            myhttpwebrequest.AllowAutoRedirect = False
                            myhttpwebrequest.Timeout = 150000
                            Dim mycred As NetworkCredential = New NetworkCredential(username, password)
                            Dim myCredentialCache As CredentialCache = New CredentialCache()
                            myCredentialCache.Add(myuri, "Basic", mycred)
                            myhttpwebrequest.Credentials = myCredentialCache
                            myhttpwebrequest.Method = "GET"
                            myhttpwebrequest.ProtocolVersion = HttpVersion.Version10
                            ServicePointManager.CertificatePolicy = New AcceptServerNameMismatch
                            myHttpwebresponse = CType(myhttpwebrequest.GetResponse(), HttpWebResponse)

I have done quite a bit of reading over the last day or so that indicate that the CertificatePolicy is where I can override the ICertificatePolicy classes to essentially validate all SSL requests. Definitely not safe, and not ideal, but I'm not sure of another way to handle these requests.

My class to do this is:

Public Class MyCertificatePolicy
        Implements ICertificatePolicy

    Public Shared DefaultValidate As Boolean = True
    Public Sub trustedCertificatePolicy()
    End Sub

    Public Function CheckValidationResult(ByVal srvPoint As ServicePoint, _
       ByVal cert As X509Certificate, ByVal request As WebRequest, ByVal problem As Integer) _
       As Boolean Implements ICertificatePolicy.CheckValidationResult
        Return True
    End Function
End Class

Unfortunately when the response comes back, it never calls CheckValidationResult(). Thus, no validation and the error.

So my questions...

  • The "Right" way to do this according to everything that I've read is to use the ServerCertificateValidationCallback. Unfortunately with the version of Compact Framework that we are using (maybe all?) it is not included. Is there something that I'm missing that would cause that function not to get called?

  • Again, from what I've read, I believe that the Framework that we're running on doesn't support TLS v1.1 or v1.2. Which most current servers are running. Is there a way in VB to get around this?

  • Is there another Request method that can be used?

Any help or guidance as to where to go from here is greatly appreciated!

Opie
  • 31
  • 8
  • Sounds like the TLS version support is the issue. Looks like Windows CE 6.0 just went out of support 2 weeks ago... I don't want to dash your hopes, so maybe someone has a solution that will allow you to fix it. – Jacob H Apr 26 '18 at 19:40
  • I know that Support is out, and the writing is on the wall for CE all together. June of 2022 is the final final end... But we (I) still need to see if there is a way to accept https URLs with the setup that we have. And if I can't make it work using a legitimate SSL check, then I'm looking for a way to fake it out, like in my example. – Opie Apr 26 '18 at 19:46
  • See this Microsoft document about [TLS/SSL Settings](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)#BKMK_SchannelTR_TLS12) and registry tweaks to enable/disable SSL/TLS protocols. I have really no idea if all this can apply to Windows CE, although I seriously doubt it. – Jimi Apr 26 '18 at 21:38
  • Your second point is correct: Windows CE 6.0 (which utilizes .NET CE 3.5) only supports up to TLS 1.0. There is a patch by Microsoft that apparently enables you to use TLS 1.2 in .NET 3.5 (don't know if it works for CE though), you can either try that (see more at: https://stackoverflow.com/q/43240611) or you can try to find a third-party .NET implementation of TLS 1.2. – Visual Vincent Apr 27 '18 at 07:55

1 Answers1

0

You need to install the trusted root certificate on the device(s), that matches the SSL certificate on your server.

Or change the certificate on the server to match one of the Trusted Roots on the device(s). By default, the devices ship with a very small number of trusted CAs, unlike desktop browsers that contain nearly every CA in the world.

Terry Carmen
  • 3,720
  • 1
  • 16
  • 32