SslStream Mutual Authentication : Client Certificate is NULL at Server

  • Question

  • I am trying to establish mutual authentication between a TCP Server and Client using the SslStream asynchronous APIs. I am using two self-signed certificates in PFX format that are installed in the Trusted Root Authorities store of both LocalComputer and Current User accounts at both the Server and Client machines.

    When I am running the Server on my machine (Windows 7 OS 64 Bit) and the Client on a Windows 7 OS 32 Bit machine, there is no error and both Client and Server are authenticating each other. But when I reversed the Client and Server PCs, at the Server machine I am getting an exception saying "Remote Certificate is invalid according to validation Procedure". Please suggest if I am missing anything.

        **Server Code:**

            _securestream = new SslStream(tcpClient.GetStream(), false, new RemoteCertificateValidationCallback(ValidateClientCertificate));

            string certPath = System.Reflection.Assembly.GetEntryAssembly().Location;
            certPath = Path.GetDirectoryName(certPath);
            certPath = Path.Combine(certPath, "MyServer.pfx");
            serverCertificate = new X509Certificate2(certPath, "password");

            // clientCertificateRequired = true; SslProtocols.Ssl3 as posted (SSL 3.0 is obsolete, a TLS version should be used)
            _securestream.BeginAuthenticateAsServer(serverCertificate, true, SslProtocols.Ssl3, true, new AsyncCallback(AuthenticationCallback), _securestream);

            private bool ValidateClientCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
            {
                if (certificate != null)
                {
                    // ...
                }
                else
                {
                    // Always comes here in the problem situation
                }
                // ... (rest of the method elided in the post)
            }

            private void AuthenticationCallback(IAsyncResult result)
            {
                try
                {
                    if (result.IsCompleted)
                    {
                        _securestream.EndAuthenticateAsServer(result);
                        // ...
                    }
                }
                catch (Exception e)
                {
                    // Always gets the exception here
                }
            }

        **Client Code:**

            string certPath = System.Reflection.Assembly.GetEntryAssembly().Location;
            certPath = Path.GetDirectoryName(certPath);
            certPath = Path.Combine(certPath, ConfigurationManager.AppSettings["SSLClientCertName"]);
            certCollection = new X509Certificate2Collection();
            certCollection.Add(new X509Certificate2(certPath, ConfigurationManager.AppSettings["SSLClientCertPassword"], X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));

            _securestream = new SslStream(_tcpSocket.GetStream(), true, new RemoteCertificateValidationCallback(ValidateServerCertificate));

            _securestream.BeginAuthenticateAsClient(_targetHost, certCollection, SslProtocols.Default, true, new AsyncCallback(AuthenticationCallback), _securestream);

    ...........
    Thursday, November 6, 2014 2:06 PM
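    The following is an added example, not code from the question above: a self-contained loopback server and client that do the same SslStream mutual authentication with the synchronous API, but whose validation callbacks make the failure visible. On the server, the "certificate is NULL" situation from the question arrives as SslPolicyErrors.RemoteCertificateNotAvailable, and the callback rejects it instead of falling through; both sides also check that the chain ends at one specific CA rather than any root the machine trusts. The file names server.pfx and client.pfx, the password, the port, the host name "localhost" and the CA thumbprint placeholder are assumptions for the example; TLS 1.2 is used instead of the Ssl3 value in the question.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;

// Assumed inputs (not from the thread): server.pfx and client.pfx issued by one private CA
// whose certificate is installed in LocalMachine\Root, the PFX password and that CA's thumbprint.
static class MutualTlsDemo
{
    const int Port = 9443;
    const string ServerPfx = "server.pfx", ClientPfx = "client.pfx", PfxPassword = "password";
    const string ExpectedRootThumbprint = "<CA-THUMBPRINT-PLACEHOLDER>";

    // Server side. RemoteCertificateNotAvailable is the symptom from the question: the client
    // answered the CertificateRequest with no certificate. Reject it instead of treating it as success.
    static bool ValidateClient(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null || (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
        {
            Console.WriteLine("server: client presented no certificate");
            return false;
        }
        if (errors != SslPolicyErrors.None)
        {
            Console.WriteLine("server: client certificate rejected: " + errors);
            return false;
        }
        return ChainEndsAtExpectedRoot(chain);
    }

    // Client side. Name mismatch or an untrusted chain shows up in errors; accept only a clean
    // chain that ends at our own CA, not at any root the machine happens to trust.
    static bool ValidateServer(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
        {
            Console.WriteLine("client: server certificate rejected: " + errors);
            return false;
        }
        return ChainEndsAtExpectedRoot(chain);
    }

    static bool ChainEndsAtExpectedRoot(X509Chain chain)
    {
        X509ChainElement root = chain.ChainElements[chain.ChainElements.Count - 1];
        bool ok = string.Equals(root.Certificate.Thumbprint, ExpectedRootThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!ok) Console.WriteLine("chain ends at unexpected root: " + root.Certificate.Subject);
        return ok;
    }

    static void RunServer()
    {
        var serverCert = new X509Certificate2(ServerPfx, PfxPassword);
        var listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();
        using (TcpClient tcp = listener.AcceptTcpClient())
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateClient))
        {
            // clientCertificateRequired = true makes Schannel send a CertificateRequest listing the CAs
            // it trusts; the client only replies with a certificate whose issuer is on that list.
            ssl.AuthenticateAsServer(serverCert, clientCertificateRequired: true,
                enabledSslProtocols: SslProtocols.Tls12, checkCertificateRevocation: false);
            Console.WriteLine("server: IsMutuallyAuthenticated = " + ssl.IsMutuallyAuthenticated
                + ", client = " + ssl.RemoteCertificate.Subject);
            byte[] buf = new byte[256];
            int n = ssl.Read(buf, 0, buf.Length);
            Console.WriteLine("server: received '" + Encoding.UTF8.GetString(buf, 0, n) + "'");
        }
        listener.Stop();
    }

    static void RunClient()
    {
        // MachineKeySet/PersistKeySet as in the question, so Schannel can use the private key.
        var clientCerts = new X509Certificate2Collection(new X509Certificate2(ClientPfx, PfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet));
        using (var tcp = new TcpClient("127.0.0.1", Port))
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServer))
        {
            // targetHost must match the server certificate's subject or SAN; "localhost" is assumed.
            ssl.AuthenticateAsClient("localhost", clientCerts, SslProtocols.Tls12, checkCertificateRevocation: false);
            byte[] msg = Encoding.UTF8.GetBytes("hello over mutually authenticated TLS");
            ssl.Write(msg, 0, msg.Length);
            ssl.Flush();
        }
    }

    static void Main()
    {
        var server = new Thread(RunServer);
        server.Start();
        Thread.Sleep(500); // give the listener a moment to bind before connecting
        RunClient();
        server.Join();
    }
}
```

    When the callback returns false, AuthenticateAsServer/AuthenticateAsClient throws an AuthenticationException, so a rejected peer never reaches the Read/Write calls; the console line printed just before tells you which check failed, which is the information the question's empty `else` branch was missing.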

Answers

  • Dear MSDN Team,

    After spending around 10 days, I finally found the reason.

    The reason is that on the 32 bit machine, the Server is not sending the full list of root CAs to the Client, and that's why Client authentication always fails in the SSL negotiation. Actually, the Client will not find the list of root CAs to validate its own certificate against, and that's why the Client will not send its certificate to the Server.

    Please use the link below and click on "fix it" for the solution. I didn't know the solution was in the Windows Registry. :) I am posting the solution as many people have found this problem with SslStream.

    It would be good if you provide a note section with this solution on Sslstream Class in MSDN documentation.

    https://support.microsoft.com/kb/2801679?wa=wsignin1.0

    One can also do these registry changes manually -

    Delete the following registry key: 

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

    To do this, follow these steps:
    1. Start Registry Editor
    2. Locate the following registry subkey: 

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
    3. Right-click and then delete the key that is called "Certificates"
    Note Make sure that you make a backup of the registry and affected keys before you make any changes to your system.

    Moreover, I would also like to give the details for generating and installing self-signed certificates for mutual authentication using SslStream.

    Step1- Generate self-signed root, server and client certificates as per the link below -

    http://www.codeproject.com/Tips/159604/SSL-MakeCert-pvk-pfx-Client-Server-Certificate-Gen

    Step2- Place the CA certificate in LocalComputer->Trusted Root Authorities using mmc.exe (run as administrator) on both the Client and Server machines.

    Step3- Place the Client Certificate (Pfx format) in LocalComputer->Personal on the Client machine.

    Step4- Place the Server Certificate (Pfx format) in LocalComputer->Personal on the Server machine.

    And now you can start playing with Sslstream Mutual Authentication :):)..

    Thanks,

    Vishal

    • Marked as answer by VishalKPandey Friday, November 7, 2014 3:22 PM
    Friday, November 7, 2014 3:22 PM
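    An added example, not part of the answer above, that turns the answer's explanation and Steps 2 to 4 into a check you can run on each machine before debugging the handshake itself. It loads the PFX, confirms it carries a private key, builds the chain the way SslStream's callback will see it, reports which root the chain ends at and whether that root is present in LocalMachine\Root (Step 2) and the leaf in LocalMachine\Personal (Steps 3 and 4). It also prints how many certificates LocalMachine\Root holds, since the KB fix linked in the answer works by deleting entries under AuthRoot, which is one of the physical stores behind that logical store. The PFX path and password are assumptions; pass your own on the command line.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Assumed inputs (not from the thread): the PFX path and password given on the command line.
static class MtlsPreflight
{
    // True if a certificate with this thumbprint is present in the given store.
    static bool StoreContains(StoreName name, StoreLocation location, string thumbprint)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).Count > 0;
        }
        finally { store.Close(); }
    }

    // Size of LocalMachine\Root: this is what Schannel turns into the CA list of its CertificateRequest.
    static int CountLocalMachineRoots()
    {
        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try { return store.Certificates.Count; }
        finally { store.Close(); }
    }

    // Checks one leaf certificate (server or client) against the setup the answer describes.
    static bool CheckLeaf(string pfxPath, string password)
    {
        var leaf = new X509Certificate2(pfxPath, password);
        Console.WriteLine("leaf: " + leaf.Subject + " [" + leaf.Thumbprint + "]");
        bool good = true;

        // Without the private key the handshake cannot produce the CertificateVerify signature.
        if (!leaf.HasPrivateKey)
        {
            Console.WriteLine("  FAIL: PFX carries no private key");
            good = false;
        }

        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private CA without a CRL assumed
        bool built = chain.Build(leaf);
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  chain status: " + s.Status + " " + s.StatusInformation.Trim());
        if (chain.ChainElements.Count == 0)
        {
            Console.WriteLine("  FAIL: no chain could be built");
            return false;
        }
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        Console.WriteLine("  chain ends at: " + root.Subject + " [" + root.Thumbprint + "]"
            + (built ? "" : " (NOT trusted)"));

        // Step 2 of the answer: the issuing CA must be in LocalMachine\Root on both machines, because
        // the server advertises CAs from its own store and the client only offers a certificate
        // whose issuer appears in that advertised list.
        bool rootTrusted = StoreContains(StoreName.Root, StoreLocation.LocalMachine, root.Thumbprint);
        Console.WriteLine("  issuing CA in LocalMachine\\Root: " + rootTrusted);
        if (!rootTrusted || !built) good = false;

        // Steps 3 and 4: the leaf itself belongs in LocalMachine\Personal on the machine that uses it.
        bool leafInstalled = StoreContains(StoreName.My, StoreLocation.LocalMachine, leaf.Thumbprint);
        Console.WriteLine("  leaf in LocalMachine\\Personal: " + leafInstalled);
        return good;
    }

    static void Main(string[] args)
    {
        string pfx = args.Length > 0 ? args[0] : "client.pfx"; // assumed default path
        string pwd = args.Length > 1 ? args[1] : "password";   // assumed default password
        Console.WriteLine("LocalMachine\\Root contains " + CountLocalMachineRoots() + " certificates");
        bool ok = CheckLeaf(pfx, pwd);
        Console.WriteLine(ok ? "setup looks consistent" : "setup has problems; see the lines above");
    }
}
```

    Run it once on the server with the server PFX and once on the client with the client PFX; a chain that is "NOT trusted" or an issuing CA missing from LocalMachine\Root on either side reproduces the situation in the thread, where the client has nothing to match against the server's CA list and sends no certificate.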

All replies

  • Hello VishalKPandey,

    >>I am using two self signed certificates in PFX format that is installed in Trusted Root Authority in both LocalComputer and Current User Account at both Server and Client Machine

    Does it mean both the Server and the Client have MyServer.pfx and MyClient.pfx stored in their Trusted Root Authorities store? If not, please exchange the .pfx files when exchanging applications.

    >> But when I reversed the Client and Server PC , At Server machine I am getting an exception saying that "Remote Certificate is invalid according to validation Procedure".

    This error shows the process is not being able to validate the Server Certificate supplied by the Server during an SSL request. Here is a blog specially for troubleshooting this error, you could refer to it:

    http://blogs.msdn.com/b/jpsanders/archive/2009/09/16/troubleshooting-asp-net-the-remote-certificate-is-invalid-according-to-the-validation-procedure.aspx

    Regards.




    Friday, November 7, 2014 6:31 AM
    Moderator
  • Thanks for a quick reply .

    I have seen the link, but in my case the situation is a little different. The Client is always able to authenticate the Server.

    -> At the Server side (only on 32 bit Windows OS), I am getting the SSLPolicy error RemoteCertificateNull.

    -> The same Server, when I am running it on Windows 64 bit OS: no errors, and mutual authentication is happening.

    I have checked in the Client code; I am passing a valid Client Certificate Collection to sslstream.BeginAuthenticateAsClient().

    Does SslStream have some prerequisites on Windows 7 32 bit OS? Even when I am running both Server and Client on it, the same problem (Client Certificate is not being sent in the Handshake) is there.

    Please suggest; I have tried various certificates (using openssl, makecert etc.) but no luck.

    I am also surprised why it's working on Windows 64 bit OS and not on 32 bit.

    Thanks,

    Vishal

    • Marked as answer by VishalKPandey Friday, November 7, 2014 3:06 PM
    • Unmarked as answer by VishalKPandey Friday, November 7, 2014 3:06 PM
    Friday, November 7, 2014 2:13 PM
  • Hello VishalKPandey,

    I'm glad to hear that you got it working and thank you for sharing your solutions & experience here. It will be very beneficial for other community members who have similar questions.

    Fred.



    Monday, November 10, 2014 1:19 AM
    Moderator