vb无法为SSL / TLS建立安全通道

Question

I am working on a project which I did not write, have inherited, and have an issue that I'm not sure quite how to solve. My background is not in .NET, so please excuse anything that doesn't sound right, as I may not know what the correct terminology should be.

We are using Visual Studio 2008 to compile a project that is running on Windows CE 6.0. We are using the Compact Framework v2.0. The software is running on an Embedded processor in a network (WIFI) connected industrial environment. The main UI is written in VB, and all of the supporting DLLs are written using C#.

Up until now we've only been required to connect to http (non-secure) web addresses for GET requests. We now have a requirement to switch these addresses over to https (secure) for security's sake.

The HttpWebRequest is built/submitted from VB. When I provide the code with the https address, I get the "Could not establish secure channel for SSL/TLS" error that is in the subject.

Here is the code for that request:

                            Dim myuri As System.Uri = New System.Uri(sUrl)
                            Dim myHttpwebresponse As HttpWebResponse = Nothing
                            Dim myhttpwebrequest As HttpWebRequest = CType(WebRequest.Create(myuri), HttpWebRequest)
                            myhttpwebrequest.KeepAlive = False
                            myhttpwebrequest.Proxy.Credentials = CredentialCache.DefaultCredentials
                            myhttpwebrequest.ContentType = "text/xml"
                            myhttpwebrequest.Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
                            myhttpwebrequest.AllowAutoRedirect = False
                            myhttpwebrequest.Timeout = 150000
                            Dim mycred As NetworkCredential = New NetworkCredential(username, password)
                            Dim myCredentialCache As CredentialCache = New CredentialCache()
                            myCredentialCache.Add(myuri, "Basic", mycred)
                            myhttpwebrequest.Credentials = myCredentialCache
                            myhttpwebrequest.Method = "GET"
                            myhttpwebrequest.ProtocolVersion = HttpVersion.Version10
                            ServicePointManager.CertificatePolicy = New AcceptServerNameMismatch
                            myHttpwebresponse = CType(myhttpwebrequest.GetResponse(), HttpWebResponse)

I have done quite a bit of reading over the last day or so that indicate that the CertificatePolicy is where I can override the ICertificatePolicy classes to essentially validate all SSL requests. Definitely not safe, and not ideal, but I'm not sure of another way to handle these requests.

My class to do this is:

Public Class MyCertificatePolicy
        Implements ICertificatePolicy

    Public Shared DefaultValidate As Boolean = True
    Public Sub trustedCertificatePolicy()
    End Sub

    Public Function CheckValidationResult(ByVal srvPoint As ServicePoint, _
       ByVal cert As X509Certificate, ByVal request As WebRequest, ByVal problem As Integer) _
       As Boolean Implements ICertificatePolicy.CheckValidationResult
        Return True
    End Function
End Class

Unfortunately when the response comes back, it never calls CheckValidationResult(). Thus, no validation and the error.

So my questions...

• The "Right" way to do this according to everything that I've read is to use the ServerCertificateValidationCallback. Unfortunately with the version of Compact Framework that we are using (maybe all?) it is not included. Is there something that I'm missing that would cause that function not to get called?

• Again, from what I've read, I believe that the Framework that we're running on doesn't support TLS v1.1 or v1.2. Which most current servers are running. Is there a way in VB to get around this?

• Is there another Request method that can be used?

Any help or guidance as to where to go from here is greatly appreciated!

Answer 1

You need to install the trusted root certificate on the device(s), that matches the SSL certificate on your server.

Or change the certificate on the server to match one of the Trusted Roots on the device(s). By default, the devices ship with a very small number of trusted CAs, unlike desktop browsers that contain nearly every CA in the world.