StreamSocket - client certificate Windows 8.1 app

    Question

  • I want to connect to a server using StreamSocket, but I get this error:

    An exception of type 'System.Exception' occurred in mscorlib.dll but was not handled in user code
    
    Additional information: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Exception from HRESULT: 0x800B0109)

    So I have added the certificate with Package Manifest -> Declarations, and how can I use it in the connection?

    I have found on MSDN that "The UpgradeToSslAsync method does not support the use of client certificates", but there is no info saying that ConnectAsync() doesn't support client certs. Is it possible? If not, how can I resolve this issue?

    Thursday, November 20, 2014 11:44 AM

Answers

  • If I connect this way I can communicate with the server, so I guess GetResult ensures that the handshake is finished.

    socket.ConnectAsync(host, port, SocketProtectionLevel.Ssl).GetAwaiter().GetResult();

    • Marked as answer by wisien92 Tuesday, November 25, 2014 6:48 PM
    Tuesday, November 25, 2014 6:48 PM
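
    The accepted answer relies on ConnectAsync finishing the TLS handshake, and the connect function posted later in the thread adds whatever errors the server's chain produced (Untrusted, InvalidName) to IgnorableServerCertificateErrors and connects anyway, which switches certificate validation off for that host. The block below is an added example, not code from the original thread or from Microsoft: it keeps the retry pattern but gates it on a pinned SHA-256 hash of the server's leaf certificate, so only the one known certificate can bypass the chain check and anything else on the path is still rejected. It targets the Windows 8.1 StreamSocket API used in the thread, is written for C# 5 (no await inside a catch), and the host name, port and pin value are placeholders supplied by the caller. Where you control the CA, declaring its root in the package manifest (the moderator's suggestion) is the cleaner fix; pinning is the fallback for a self-signed leaf.

```csharp
// Added example, not code from the original thread. Hardened version of the
// "ignore the server certificate errors and connect again" pattern: the retry is
// permitted only when the presented leaf certificate matches a pinned SHA-256 hash.
// Windows 8.1 StreamSocket API; C# 5 compatible (no await inside catch).
// Host, port and the pin value are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Networking.Sockets;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

public static class PinnedTlsConnector
{
    // Placeholder pin: SHA-256 over the DER encoding of the server's leaf certificate,
    // obtained out of band from the server operator, never from the connection being validated.
    private const string PinnedServerCertSha256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    // The only chain errors the pin may override. Anything else (Expired, Revoked, ...) stays fatal.
    private static readonly HashSet<ChainValidationResult> PinnableErrors =
        new HashSet<ChainValidationResult>
        {
            ChainValidationResult.Untrusted,   // root CA not in the trust store (private/self-signed CA)
            ChainValidationResult.InvalidName, // certificate name does not match the host we dialed
        };

    public static async Task<StreamSocket> ConnectAsync(HostName host, string port)
    {
        ChainValidationResult[] errorsToIgnore = null;
        var socket = new StreamSocket();
        try
        {
            // With an SSL/TLS protection level the handshake is part of ConnectAsync:
            // when the await completes, the channel is encrypted and ready for writes.
            // Tls12 requires TLS 1.2 rather than letting the generic Ssl level negotiate down.
            await socket.ConnectAsync(host, port, SocketProtectionLevel.Tls12);
            return socket;
        }
        catch (Exception ex)
        {
            var info = socket.Information;
            bool retryable =
                SocketError.GetStatus(ex.HResult) != SocketErrorStatus.Unknown
                && info.ServerCertificateErrorSeverity == SocketSslErrorSeverity.Ignorable
                && info.ServerCertificateErrors.Count > 0
                && info.ServerCertificate != null
                && info.ServerCertificateErrors.All(PinnableErrors.Contains);

            if (!retryable)
            {
                socket.Dispose();
                throw; // fatal chain error, or not a certificate problem at all
            }

            // Gate the retry on the pin, not on a blanket "ignore and connect anyway".
            string actual = Sha256Hex(info.ServerCertificate.GetCertificateBlob());
            if (!PinMatches(actual))
            {
                string detail = "subject=" + info.ServerCertificate.Subject
                    + " issuer=" + info.ServerCertificate.Issuer + " sha256=" + actual;
                socket.Dispose();
                throw new InvalidOperationException("Server certificate does not match the pin: " + detail, ex);
            }

            errorsToIgnore = info.ServerCertificateErrors.ToArray();
            socket.Dispose();
        }

        // Pin matched: reconnect on a fresh socket, whitelisting exactly the observed errors.
        var retry = new StreamSocket();
        retry.Control.IgnorableServerCertificateErrors.Clear();
        foreach (var e in errorsToIgnore)
        {
            retry.Control.IgnorableServerCertificateErrors.Add(e);
        }
        await retry.ConnectAsync(host, port, SocketProtectionLevel.Tls12);

        // Verify the pin again on the connection we are actually going to use.
        if (!PinMatches(Sha256Hex(retry.Information.ServerCertificate.GetCertificateBlob())))
        {
            retry.Dispose();
            throw new InvalidOperationException("Server certificate changed between attempts.");
        }
        return retry;
    }

    private static bool PinMatches(string sha256Hex)
    {
        return string.Equals(sha256Hex, PinnedServerCertSha256, StringComparison.OrdinalIgnoreCase);
    }

    // SHA-256 of a DER certificate as a hex string, using the WinRT hash provider.
    private static string Sha256Hex(IBuffer der)
    {
        var sha256 = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha256);
        return CryptographicBuffer.EncodeToHexString(sha256.HashData(der));
    }
}
```

    On the handshake question raised in the thread: ConnectAsync with an SSL/TLS protection level completes only after the handshake, so awaiting it gives the same guarantee as the GetAwaiter().GetResult() in the accepted answer without blocking the UI thread, and the first DataWriter write after the await already goes out over the encrypted channel.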

All replies

  • You're right, I don't see any prohibition on ClientCertificates for ConnectAsync.  I think that your problem is that the CA which issued the certificate isn't in the trusted CAs. Please see this blog post for instructions on how to include certificate roots in your app:

    http://blogs.msdn.com/b/wsdevsol/archive/2014/06/05/including-self-signed-certificates-with-your-windows-runtime-based-windows-phone-8-1-apps.aspx

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Thursday, November 20, 2014 1:23 PM
    Moderator
  • Well, this is the blog whose steps I followed, but I still get the error ;/

    Is it possible that the certificate is wrong? (I got it from the guy that manages the server, so the chances are low.)

    Thursday, November 20, 2014 2:08 PM
  • If you manually install the root CA to the certificate store, does it work?

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Thursday, November 20, 2014 4:16 PM
    Moderator
  • After installing it manually, still the same.

    I have one more piece of information: as I have just been told, the certificate with the cipher key is given to the client during the handshake. Maybe this can tell you something about why that error is showing, and hopefully you could explain it to me :)

    How can I ensure that the handshake has finished?
    • Edited by wisien92 Friday, November 21, 2014 1:37 PM
    Friday, November 21, 2014 1:15 PM
  • It's not that the handshake failed, it's that the certificate's authority isn't trusted. Are you including the root CA certificate in the package manifest?  That has to be done in order for the cert to be trusted.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Friday, November 21, 2014 1:55 PM
    Moderator
  • Yes I am.
    Friday, November 21, 2014 1:59 PM
  • But I still wonder how to ensure that the handshake has finished, because the server guy told me that I send data before the handshake has finished (this is another question that I wanted to ask).
    Friday, November 21, 2014 2:08 PM
  • I don't understand what he means or how he knows that. Is there any chance you can share a project?

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Friday, November 21, 2014 2:23 PM
    Moderator
  • He told me based on a log from the server. I can paste here how I connect if that helps.

    Friday, November 21, 2014 2:58 PM
  • Yes, please.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Friday, November 21, 2014 3:53 PM
    Moderator
  • using System;
    using System.Threading.Tasks;
    using Windows.Networking;
    using Windows.Networking.Sockets;
    using Windows.Security.Cryptography.Certificates;
    using Windows.Storage.Streams;
    using Windows.UI.Xaml;

    private bool connected = false;

    private DataReader reader;
    private DataWriter writer;

    private StreamSocket socket;

    // Server host name and port (redacted in the original post).
    HostName host = new HostName("XXX");
    string port = "YYY";

    public SocketConnectionTestPage()
    {
        this.InitializeComponent();
        socket = new StreamSocket();
    }

    Above is my initialization.

    This is my connect function that I run on button click:

    async private void Cnn_Click(object sender, RoutedEventArgs e)
    {
        if (connected)
            return;

        try
        {
            // With SocketProtectionLevel.Ssl the TLS handshake happens inside ConnectAsync.
            await socket.ConnectAsync(host, port, SocketProtectionLevel.Ssl);

            writer = new DataWriter(socket.OutputStream);
            reader = new DataReader(socket.InputStream);

            // Read is the receive loop (not shown in the post).
            var longRunningTask = Task.Factory.StartNew(Read, null, TaskCreationOptions.LongRunning);

            StatusText.Text = "Connected";
            connected = true;
        }
        catch (Exception exception)
        {
            if (SocketError.GetStatus(exception.HResult) == SocketErrorStatus.Unknown)
            {
                throw;
            }
            // Here I ignore the certificate errors so that the 2nd attempt connects anyway.
            // Note: this whitelists every error the server's chain produced (Untrusted, InvalidName, ...),
            // which disables server certificate validation for this host.
            if (socket.Information.ServerCertificateErrorSeverity == SocketSslErrorSeverity.Ignorable
                && socket.Information.ServerCertificateErrors.Count > 0)
            {
                socket.Control.IgnorableServerCertificateErrors.Clear();
                foreach (ChainValidationResult ignorableError in socket.Information.ServerCertificateErrors)
                {
                    socket.Control.IgnorableServerCertificateErrors.Add(ignorableError);
                }
            }
            StatusText.Text = "Not connected      " + exception.ToString();
        }
    }



    • Edited by wisien92 Friday, November 21, 2014 4:48 PM
    Friday, November 21, 2014 4:48 PM
  • I just went through your code and it works fine. Also, the procedure for adding a root CA certificate to the app works as expected. Just to be clear... the website's SSL certificate is NOT the same as the root CA certificate.  Are you 100% sure this is the right root CA certificate?


    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Friday, November 21, 2014 5:29 PM
    Moderator
  • One more thing... I don't see anywhere in this code that you're using Client Certificates, just an SSL connection to the server. Can you explain more about the Client Cert portion of this problem?

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Friday, November 21, 2014 5:30 PM
    Moderator
  • And how do I use the client certificate? (I thought that if I added them in the manifest they are used automatically.)
    Saturday, November 22, 2014 1:20 PM
  • You need to get the https part of this working first, then tackle the client certificate.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Saturday, November 22, 2014 2:57 PM
    Moderator
  • I have installed (and also inserted into the manifest) a new certificate with a CN equal to the hostname, but I still get these errors:

    - Untrusted

    - InvalidName

    But I found this information:

    'The client support for SSL/TLS does not include the ability to use client certificates.'

    So does this mean that I cannot use client certificates in any way?

    Tuesday, November 25, 2014 1:02 PM
  • 1) You still don't have HTTPS working properly.  You HAVE to get this working first.

    2) 'The client support for SSL/TLS does not include the ability to use client certificates.' - I think that you're right, client certs aren't supported for StreamSockets. Please describe the scenario and maybe we can come up with a workaround.


    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Tuesday, November 25, 2014 1:27 PM
    Moderator
  • 1) How can I get HTTPS working properly?

    2) Currently there is no client certificate verification on the server side. During the handshake the server is supposed to give its certificate and cipher key to the client (so I guess it's server-side SSL).

    When I ignore the Untrusted and InvalidName errors I can see as a client that I am connected, but the handshake hasn't finished (and doesn't want to finish). And when I try to write to the server, he told me that he can see in the logs that the connection was not yet established.

    I am new to socket connections and SSL protection, so I need some extra explanation. My friend who's writing a similar Android app has managed to get this working, and hopefully tomorrow I will be able to find him and ask him about that.

    • Edited by wisien92 Tuesday, November 25, 2014 5:24 PM
    Tuesday, November 25, 2014 5:23 PM