SslStream client authentication fails

    Question

  • I have set up a client and server app for testing SslStream. Connecting and
    authentication works fine as long as a client certificate is not requested.
    When I call AuthenticateAsServer with the clientCertificateRequired
    parameter set to true, authentication fails.
    In the RemoteCertificateValidationCallback (on the server) the sslPolicyErrors
    parameter has a value of SslPolicyErrors.RemoteCertificateNotAvailable,
    the certificate and chain parameters are null.

    Debugging the client I am sure that I am passing a non-null certificate.
    I used MakeCert to create this client certificate signed by
    the same test authority that was used for the server certificate.

    Is it possible that client authentication does not yet work?
    I am using VS 2005 Beta 2.

    Thanks for any insights,

    Karl
    Wednesday, September 28, 2005 3:20 AM

Answers

  • Yes. The first one you mentioned (with LocalCertificateSelectionCallback, cert is not transferred) is a bug in Beta2. It has been fixed in RTM. I will check the second part (Another odd fact is that the callback occurs twice, the first time with an empty list of acceptableIssuers, the second time with a list of the CAs in my store.) and will get back to you soon. Thanks for letting us know.

    Wednesday, September 28, 2005 4:46 PM

All replies

  • Client Certs do work. There may be some bugs in Beta2 but I have tried
    that in the past and remember that it used to work.
    You may want to post the client code and server code sample and
    we can take a look

    Wednesday, September 28, 2005 5:06 AM
    Moderator
  • Durgaprasad Gorti wrote:
    Client Certs do work. There may be some bugs in Beta2 but I have tried
    that in the past and remember that it used to work.
    You may want to post the client code and server code sample and
    we can take a look

    I have more info: The problem happens only if I supply a LocalCertificateSelectionCallback. If I pass null to the SslStream constructor, the client authenticates fine. Another odd fact is that the callback occurs twice, the first time with an empty list of acceptableIssuers, the second time with a list of the CAs in my store.

    The code for the LocalCertificateSelectionCallback is:

    using System.Security.Cryptography.X509Certificates;

    public virtual X509Certificate SelectCertificate(
       object sender,
       string targetHost,
       X509CertificateCollection localCertificates,
       X509Certificate remoteCertificate,
       string[] acceptableIssuers)
    {
       // select the first by default
       X509Certificate result = null;
       if (localCertificates.Count > 0)
          result = localCertificates[0];
       return result;
    }

    Karl
    Wednesday, September 28, 2005 1:15 PM
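    As an added illustration (not code from this thread or from the SslStream library), the two callbacks below show a client selector that uses the acceptableIssuers list when the server sends one, and a server validator that does not accept a client that presented no certificate at all. The class and method names are assumed for the example.

    ```csharp
    using System;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    // Hypothetical helpers for both ends of the handshake (names are assumed).
    static class MutualTlsCallbacks
    {
        // Client side: prefer a certificate whose issuer the server listed.
        // As described in the thread, the callback may fire once with an empty
        // issuer list and again with the server's CA list, so both cases are
        // handled explicitly.
        public static X509Certificate SelectClientCertificate(
            object sender, string targetHost,
            X509CertificateCollection localCertificates,
            X509Certificate remoteCertificate, string[] acceptableIssuers)
        {
            if (localCertificates == null || localCertificates.Count == 0)
                return null;

            if (acceptableIssuers == null || acceptableIssuers.Length == 0)
                return localCertificates[0]; // no hint from the server yet

            foreach (X509Certificate cert in localCertificates)
            {
                foreach (string issuer in acceptableIssuers)
                {
                    // Both sides are X.500 DN strings; RDN order can differ between
                    // implementations, so a stricter match would compare parsed names.
                    if (string.Equals(cert.Issuer, issuer, StringComparison.OrdinalIgnoreCase))
                        return cert;
                }
            }
            return null; // nothing we hold chains to an issuer the server accepts
        }

        // Server side: a callback that blindly returns true also accepts a client
        // that sent no certificate (the RemoteCertificateNotAvailable case seen in
        // the question), so require a certificate and a clean chain.
        public static bool ValidateClientCertificate(
            object sender, X509Certificate certificate, X509Chain chain,
            SslPolicyErrors sslPolicyErrors)
        {
            if (certificate == null ||
                (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
                return false;
            return sslPolicyErrors == SslPolicyErrors.None;
        }
    }
    ```

    Wire the first method into the client's SslStream constructor as the LocalCertificateSelectionCallback and the second into the server's as the RemoteCertificateValidationCallback.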
  • Yes I believe this is a bug in beta2. I will follow up with the SSL person and
    respond back to you to see whether this issue still exists in RTM
    Wednesday, September 28, 2005 3:28 PM
    Moderator
  •  Durgaprasad Gorti wrote:
    Yes I believe this is a bug in beta2. I will follow up with the SSL person and
    respond back to you to see whether this issue still exists in RTM
    Thanks!
    Wednesday, September 28, 2005 3:38 PM
  • I'm having the same problem. But this is when using Visual Studio 2008 with .NET 3.5.

    Did we reach a solution to this problem :) ?

    CDP
    Thursday, March 05, 2009 6:32 PM