ssl and signed cert
- Hi,
I have my own CA, and I have generated a cert for the server. My server is run on a Unix platform (only for testing) with openssl, using
openssl s_server -accept 6666 -cert server.cert -key server.key -CAfile root.cert
When I try a valid cert I get the error RemoteCertificateChainErrors. The client code can be found below:

// The following method is invoked by the RemoteCertificateValidationDelegate.
public static bool ValidateServerCertificate(
    object sender,
    X509Certificate certificate,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    SslPolicyErrors errors = sslPolicyErrors;
    if (errors != SslPolicyErrors.None)
    {
        Console.WriteLine("Certificate error: {0} ", errors);
    }
    // Chain errors are cleared here, so an untrusted or self-signed chain is still accepted.
    if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.RemoteCertificateChainErrors)
    {
        //Console.WriteLine("Certificate error: {0} Certificate chain empty. Self signed certificate? but still continued");
        errors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
    }
    // Name mismatches are cleared as well, so the server name is not checked against the certificate.
    if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) == SslPolicyErrors.RemoteCertificateNameMismatch)
    {
        errors &= ~SslPolicyErrors.RemoteCertificateNameMismatch;
    }
    if (errors == SslPolicyErrors.None)
        return true;
    Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
    // Do not allow this client to communicate with unauthenticated servers.
    return false;
}

public static void RunClient(string machineName, string serverName)
{
    // Create a TCP/IP client socket.
    // machineName is the host running the server application.
    TcpClient client = new TcpClient(machineName, 6666);
    Console.WriteLine("Client connected.");
    // Create an SSL stream that will close the client's stream.
    SslStream sslStream = new SslStream(
        client.GetStream(),
        false,
        new RemoteCertificateValidationCallback(ValidateServerCertificate),
        null);
    // The server name must match the name on the server certificate.
    try
    {
        X509Certificate clientCertificate;
        X509CertificateCollection clientCertificatecollection = new X509CertificateCollection();
        clientCertificate = X509Certificate.CreateFromCertFile("c:\\root.pem");
        //clientCertificatecollection.Add(clientCertificate);
        clientCertificatecollection.Add(clientCertificate);
        sslStream.AuthenticateAsClient(serverName, clientCertificatecollection, SslProtocols.Ssl3, true);
    }
    .....
Please help me, I don't know what might be wrong. When I use openssl s_client, it seems to be OK.
Br,
Tomasz
- Changed by Edwer Fang (MSFT), Wednesday, 04 November 2009 7:52 (From: .NET Framework Setup)
All replies
Hello,
I am moving this post to Visual C# General Forum so you can get better and quicker response as this forum is for the setup and installation of visual studio.
Thank you for your understanding.
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Send us any feedback you have about the help from MSFT at fbmsdn@microsoft.com.
- That error message only means that there is something wrong in the chain.
Do the following:
foreach (X509ChainStatus chainStatus in chain.ChainStatus)
{
    Console.WriteLine("\t" + chainStatus.Status);
}
And see what you get.
-Steve
Programming blog: http://nitoprograms.blogspot.com/
Including my TCP/IP .NET Sockets FAQ
Microsoft Certified Professional Developer
- Certificate error: RemoteCertificateChainErrors
	UntrustedRoot
	RevocationStatusUnknown
	OfflineRevocation
I don't know if it matters, but I have generated the cert via openssl.
- You need to install the root in your Trusted Root Certificate Authorities store, and either get a CRL in there too, or ignore Revocation errors.
-Steve
Programming blog: http://nitoprograms.blogspot.com/
Including my TCP/IP .NET Sockets FAQ
Microsoft Certified Professional Developer
- Ok, now it works fine :)
But, another scenario :) I don't want to import the root cert into Trusted Root Certification Authorities..., but read it in my application and check it there. Is it possible?
- I couldn't find any solution for this, or for example for adding a cert from disk to Trusted Root Certification Authorities on the machine.
In that case, you need to ignore the automatic certificate chain checking (it only works with the Trusted Root store), and do your own chain checking.
Expect those errors and then double-check that the last certificate in the chain has the same thumbprint as your root cert.
-Steve
Programming blog: http://nitoprograms.blogspot.com/
Including my TCP/IP .NET Sockets FAQ
Microsoft Certified Professional Developer
- So, if I am right, in this case I don't need a cert signed by the root; a cert generated only for the server suffices. Maybe there is another option, another approach?
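The approach Steve describes (expect the chain errors, rebuild the chain yourself, and compare the last element's thumbprint with your own root), combined with his earlier ChainStatus dump, as an added example; this is editor-written code, not code from the thread. It assumes the CA certificate lives at c:\root.pem (the path from the original post), that the server certificate is signed by that CA and carries the expected host name, that the test CA publishes no CRL, and a .NET version that offers SslProtocols.Tls12.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example: trust a private CA loaded from disk instead of the Windows
// Trusted Root store. The server certificate must still be issued by that CA.
public static class PinnedRootClient
{
    // Assumed location of the private CA certificate (PEM and DER both load here).
    private const string RootCertPath = @"c:\root.pem";
    private static readonly X509Certificate2 TrustedRoot = new X509Certificate2(RootCertPath);

    public static bool ValidateServerCertificate(
        object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // With a private CA, RemoteCertificateChainErrors is the only error we expect.
        // A missing certificate or a host-name mismatch is always fatal.
        SslPolicyErrors unexpected = sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors;
        if (unexpected != SslPolicyErrors.None)
        {
            Console.WriteLine("Certificate error: {0}", unexpected);
            return false;
        }

        // Rebuild the chain ourselves, offering our root and any intermediates the
        // server sent as candidates. AllowUnknownCertificateAuthority only lets
        // Build() tolerate a root outside the machine store; the thumbprint
        // comparison below is what actually establishes trust.
        X509Chain custom = new X509Chain();
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // test CA publishes no CRL
        custom.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        custom.ChainPolicy.ExtraStore.Add(TrustedRoot);
        foreach (X509ChainElement element in chain.ChainElements)
        {
            custom.ChainPolicy.ExtraStore.Add(element.Certificate);
        }

        X509Certificate2 leaf = new X509Certificate2(certificate);
        bool built = custom.Build(leaf);
        foreach (X509ChainStatus status in custom.ChainStatus)
        {
            // UntrustedRoot is expected here; PartialChain or NotTimeValid is not.
            Console.WriteLine("\t" + status.Status);
        }
        if (!built)
        {
            return false;
        }

        // The last element is the self-signed certificate the chain terminated in.
        // It must be exactly our CA; an unrelated self-signed server cert fails here.
        X509Certificate2 chainRoot = custom.ChainElements[custom.ChainElements.Count - 1].Certificate;
        bool rootMatches = string.Equals(
            chainRoot.Thumbprint, TrustedRoot.Thumbprint, StringComparison.OrdinalIgnoreCase);
        if (!rootMatches)
        {
            Console.WriteLine("Certificate error: chain ends in '{0}', not the pinned root", chainRoot.Subject);
        }
        return rootMatches;
    }

    public static void RunClient(string machineName, string serverName)
    {
        TcpClient client = new TcpClient(machineName, 6666);
        using (SslStream sslStream = new SslStream(
            client.GetStream(), false,
            new RemoteCertificateValidationCallback(ValidateServerCertificate), null))
        {
            // serverName must match the name in server.cert, because a name
            // mismatch is rejected by the callback above.
            sslStream.AuthenticateAsClient(serverName, null, SslProtocols.Tls12, false);
            Console.WriteLine("Authenticated; server certificate: {0}", sslStream.RemoteCertificate.Subject);
        }
    }
}
```

The root certificate is passed through ExtraStore only so that Build() can find an issuer; on its own that would accept any chain that ends in a self-signed certificate, which is why the thumbprint comparison is the real check. With this in place the server certificate does still need to be issued by root.cert: a certificate generated only for the server, with no CA signature, ends the chain in itself and fails the thumbprint comparison. On .NET 5 and later the same thing can be expressed without the flag by setting X509ChainPolicy.TrustMode to X509ChainTrustMode.CustomRootTrust and adding the root to X509ChainPolicy.CustomTrustStore.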

