Ignore SslPolicyErrors when doing SSL encryption?

I am using SSL binding as a security requirement for a project and the HTTPS endpoint is giving me SslPolicyErrors. The following errors occur:

RemoteCertificateChainErrors
    RevocationStatusUnknown
    UntrustedRoot

      

If I ignore these issues and just check to see if the public key matches certificate.GetPublicKeyString(), will it be secure or can hackers spoof our certificate because we are not validating the chain?

Here is the code that checks the SslPolicyErrors that I am looking at when deleting.

if (sslPolicyErrors != SslPolicyErrors.None) {
    Debug.Log(sslPolicyErrors);

    for(int i=0; i<chain.ChainStatus.Length;i++){
        Debug.Log("-");
        Debug.Log(chain.ChainStatus[i].Status);
        Debug.Log(chain.ChainStatus[i].StatusInformation);
    }
    return false;
}

      



1 answer


If you purchased a TLS certificate, you should check the root and revocation status. This data must be validated to check if you are communicating with the correct endpoint.

If you are using a self-signed certificate then the fingerprint verification and validation date should be real-time. But the presence of the fingerprint stored in the app makes it easy to edit for a Man-in-the-Middle attack as well.



You might ask about this and your protocol at https://security.stackexchange.com/
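
One way to write the check discussed above, as an added example that is not code from the question or the answer: a validation callback that tolerates only the two chain statuses listed in the question (UntrustedRoot, RevocationStatusUnknown), checks the validity dates, and then requires the pinned public key. The class name PinnedCertificateValidator, the constant PinnedPublicKey and its placeholder value are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not from the original post.
public static class PinnedCertificateValidator
{
    // Placeholder: replace with the hex string GetPublicKeyString() returns
    // for your own server certificate.
    private const string PinnedPublicKey = "<PINNED-PUBLIC-KEY-HEX>";

    // The only chain statuses accepted, and only because the key is pinned.
    private const X509ChainStatusFlags Tolerated =
        X509ChainStatusFlags.UntrustedRoot |
        X509ChainStatusFlags.RevocationStatusUnknown;

    // Matches the RemoteCertificateValidationCallback delegate, e.g.
    // ServicePointManager.ServerCertificateValidationCallback = PinnedCertificateValidator.Validate;
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null || chain == null)
            return false;

        // Name mismatch or a missing certificate is never acceptable.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;

        // Reject any chain problem beyond the two tolerated ones
        // (expired, revoked, bad signature, ...).
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if ((status.Status & ~Tolerated) != X509ChainStatusFlags.NoError)
                return false;
        }

        // Explicit validity-period check; NotBefore/NotAfter are local time.
        var cert = new X509Certificate2(certificate);
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            return false;

        // Finally the pin: the presented key must be the expected one.
        return string.Equals(certificate.GetPublicKeyString(), PinnedPublicKey,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

A matching pin is meaningful because the TLS handshake requires the server to prove possession of the private key for the certificate it presents. Revocation is not checked in this mode, so a compromised key has to be handled by shipping a new pin.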
