Rejecting all client certificates in IIS

Time:09-17

Just as this person, I've been struggling a bit with browsers caching SSL sessions. In short, if a client certificate is selected, there is no way to clear the state programmatically, except in IE using document.execCommand("ClearAuthenticationCache").

One of the answers mentions that making a request to "a URL on the same hostname that requires a client certificate but rejects all certificates" would force the browser to clear the SSL session. How can I set up such an endpoint in IIS? I presume I need more than just a simple endpoint returning HTTP status 403 or similar.

CodePudding user response:

The SSL negotiation happens before the endpoint request is sent, so there is no way of "rejecting a certificate" based on the endpoint (you can perhaps force renegotiation, but I'm not sure IIS supports it).

But you can maybe set up the same hostname and a different port and disable client certificates there. Since the hostname matches (being the same...), I'd expect the browser to try them, and fail.
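The same-hostname, different-port setup the answer above suggests, written out as an added example (this is not code from the original answer). It creates a second IIS site bound to the same hostname on another port, so client-certificate negotiation for that port can be set independently of the main site. The site name "ClientCertReset", hostname www.example.com, port 8443, physical path and the server-certificate thumbprint are all placeholders; it needs the WebAdministration module and an elevated shell.

```powershell
# Added example (not from the original answer). Second IIS site, same hostname,
# different port, with its own client-certificate policy. All names below are
# placeholders; replace them for your server.
Import-Module WebAdministration

$SiteName   = 'ClientCertReset'
$HostName   = 'www.example.com'
$Port       = 8443
$Root       = 'C:\inetpub\clientcertreset'
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder thumbprint

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# 1. Site with a single HTTPS binding on the extra port. SslFlags 1 = SNI, so the
#    new binding can carry the same hostname as the existing 443 binding.
if (-not (Get-Website -Name $SiteName)) {
    New-Website -Name $SiteName -Port $Port -HostHeader $HostName `
        -PhysicalPath $Root -Ssl -SslFlags 1 | Out-Null
}

# 2. Attach the server certificate to that binding. For SNI bindings the
#    IIS:\SslBindings path has the form "!port!hostname".
$bindingPath = "IIS:\SslBindings\!$Port!$HostName"
if (-not (Test-Path $bindingPath)) {
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    New-Item -Path $bindingPath -Value $cert -SSLFlags 1 | Out-Null
}

# 3. Client-certificate policy for this site only. 'Ssl,SslRequireCert' makes
#    http.sys request a certificate during the TLS handshake, before any URL is
#    seen (the reason rejection cannot be decided per endpoint). 'Ssl' alone
#    disables client certificates on this port, which is what the answer proposes.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# 4. Checks: the effective flags on the site, and what http.sys registered for
#    the port ("Negotiate Client Certificate" in the netsh output).
(Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name sslFlags).Value
netsh http show sslcert hostnameport="${HostName}:${Port}"
```

Two caveats. With SslRequireCert and no certificate mapping, IIS still accepts any client certificate that chains to a root the server trusts and serves the request, so this on its own is not an endpoint that "rejects all certificates". And whether a browser drops its cached TLS session for the hostname after a failed handshake on the other port is the answer's expectation; it should be confirmed against the browsers you need to support before relying on it.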

CodePudding user response:

Short answer: netsh http delete sslcert [ipport=]IPAddress:port (reference)

If you want to script/automate it in code, you could do it in C# in the two steps below; you would need to adapt the code to suit your needs.


1. Get your certs

using System;
using System.Security.Cryptography.X509Certificates;

// Enumerate the machine certificates an IIS binding could be using (read-only; nothing is changed here)
using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
     store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

     // Get /Display a list of all the certificates
     foreach (var x in store.Certificates)
     {
         // *** TODO

         // add it to a drop down
         // SomeDropDownListControl_IISCert.Items.Add(new SomeDropDownListControl_IISCert(x.FriendlyName, x.SerialNumber));

         // or delete the binding that uses it, see below
         Console.WriteLine($"{x.FriendlyName} {x.Thumbprint}");
     }
}

2. Build the command and pass the cert and delete it with the Shell Command

    using System.Diagnostics;
    using System.Text;

    var str = new StringBuilder();
    var psi = new ProcessStartInfo
    {
        FileName = "netsh",
        CreateNoWindow = true,
        UseShellExecute = false,
        RedirectStandardOutput = true
    };

    // show the current binding for the port and log it before removing it
    psi.Arguments = $"http show sslcert ipport=0.0.0.0:{port}";
    using (var procShow = Process.Start(psi))
    {
        while (procShow != null && !procShow.StandardOutput.EndOfStream)
        {
            str.AppendLine(procShow.StandardOutput.ReadLine());
        }
        procShow?.WaitForExit();
    }
    Log.Warn(str.ToString());   // Log is whatever logging framework the application uses

    // delete IPV4 binding (netsh must run elevated for this to succeed)
    psi.Arguments = $"http delete sslcert ipport=0.0.0.0:{port}";
    using (var procDel = Process.Start(psi))
    {
        procDel.WaitForExit();           // ExitCode is only valid once the process has exited
        int exitCode = procDel.ExitCode; // 0 on success
    }