Question

I'm trying to make an SSL call using HTTPWebRequest and it's continually failing saying it can't establish trust. I've added a callback to ServicePointManager.ServerCertificateValidationCallback and returning true always works. However, I'd like things to be a little more secure than that. Looking at the SslPolicyErrors in the validation method it appears that I'm getting a RemoteCertificateNameMismatch error. What isn't matching up correctly to cause this kind of error?

(edit: see comments in the answer) The site I'm accessing uses HTTPBasic over SSL and a URL something like v1.api.serviceprovider.com, with a certificate issued to *.serviceprovider.com.

Solution

General certificate issues:

  • certificate not issued by a trusted certificate provider (must be in your trust chain)
  • certificate expired

This specific error usually means that the certificate isn't issued for the site you are hitting. Examples:

  • difference between "www.yoursite.com" and "yoursite.com" (they are different; some big names get this wrong, which really annoys me...)
  • accessing as an IP address instead of the name on the cert; or v/v
  • a load balancer redirecting you to "server1.yoursite.com" but giving you the cert from "yoursite.com"
  • a load balancer silently passing you to "server1", which is issuing certificates for "server1", not the site
  • (edit: see comments) a wildcard certificate issued for multiple levels - i.e. issued to *.somesite.org, when you are hitting foo.bar.somesite.org

Most of these are readily identifiable by navigating to the site and reading the warnings that your browser gives you, and inspecting the certificate that got issued.
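
A way to see the mismatch from code without returning true, as an added example that is not part of the original question or answer: the callback below keeps validation strict and only reports the requested host next to the names on the certificate. `CertNameDiagnostics`, `NameMatches` and `Validate` are hypothetical names, `NameMatches` illustrates the one-label wildcard rule rather than the framework's own matching code, and the cast of `sender` to `HttpWebRequest` is an assumption about how the callback is invoked for HttpWebRequest calls.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CertNameDiagnostics
{
    // Illustration of the wildcard rule: "*" stands for exactly one DNS label.
    public static bool NameMatches(string pattern, string host)
    {
        pattern = pattern.TrimEnd('.').ToLowerInvariant();
        host = host.TrimEnd('.').ToLowerInvariant();
        if (!pattern.StartsWith("*.", StringComparison.Ordinal))
            return pattern == host;
        int dot = host.IndexOf('.');
        // Needs a non-empty first label and an identical remainder.
        return dot > 0 && host.Substring(dot + 1) == pattern.Substring(2);
    }

    // Never overrides the platform verdict; on failure it logs why and rejects.
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;

        var request = sender as HttpWebRequest; // assumption: may be null elsewhere
        var cert2 = new X509Certificate2(cert);
        Console.Error.WriteLine("Policy errors:  " + errors);
        Console.Error.WriteLine("Requested host: " +
            (request != null ? request.Address.Host : "(unknown)"));
        Console.Error.WriteLine("Subject:        " + cert2.Subject);
        foreach (X509Extension ext in cert2.Extensions)
            if (ext.Oid.Value == "2.5.29.17") // subjectAltName extension
                Console.Error.WriteLine("SAN:            " + ext.Format(false));
        return false;
    }

    static void Main()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;

        // Host names built from the question's example, checked against its wildcard.
        string wildcard = "*.serviceprovider.com";
        foreach (string host in new[] { "api.serviceprovider.com",     // one label under the wildcard
                                        "v1.api.serviceprovider.com",  // two labels under the wildcard
                                        "serviceprovider.com" })       // the bare domain
            Console.WriteLine(host + " -> " + NameMatches(wildcard, host));
    }
}
```

Comparing the logged requested host with the subject and SAN entries shows which of the cases listed above applies.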

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow