StreamSocket - client certificate Windows 8.1 app

Question

I want to connect to a server using StreamSocket but i get this error:

An exception of type 'System.Exception' occurred in mscorlib.dll but was not handled in user code

Additional information: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Exception from HRESULT: 0x800B0109)

So I have added the certificate with PackageManifest -> Declarations and how can i use it in connection ?

The UpgradeToSslAsync method does not support the use of client certificates - I have found on msdn but there is no info that cConnectAsync() doesn't supoort client certs. Is It possible ? If not how can i resolve this issue?

Answer 1

You're right, I don't see any prohibition on ClientCertificates for ConnectAsync.  I think that your problem is that the CA which issued the certificate isn't in the trusted CAs. Please see this blog post for instructions on how to include certificate roots in your app:

http://blogs.msdn.com/b/wsdevsol/archive/2014/06/05/including-self-signed-certificates-with-your-windows-runtime-based-windows-phone-8-1-apps.aspx

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 2

Well this is the blog that i followed in steps - but still i get error ;/ 

Is it possible that the certificate is wron (I got it from guy that manages the server so the chances are low)

Answer 3

If you manually install the root CA to the certificate store, does it work?

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 4

After installing manually still the same.

I have one more information - as i have been said right now the certificate with cipher key is given to client during handshake - maybe this can tell you something why is that error showing and hopefully you could explain to me :)

How can i ensure that the hanshake has finished?

Answer 5

It's not that the handshake failed, it's that the certificate's authority isn't trusted. Are you including the root CA certificate in the package manifest?  That has to be done in order for the cert to be trusted.

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 6

Yes I am.

Answer 7

but still i wonder how to ensure that the hanshake finished - couse the server guy told me that i  send data before tha hanshake has finished (this is another questtion that i wanted to ask)

Answer 8

I don't understand what he means or how he knows that.  Is there any change you can share a project?

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 9

He told me based on a log from server - i can paste here how i connect if that helps

Answer 10

Yes, please.

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 11

private Boolean connected = false;

private DataReader reader;
private DataWriter writer;

private StreamSocket socket;

HostName host = new HostName("XXX");
string port = "YYY";

public SocketConnectionTestPage()
{
    this.InitializeComponent();
    socket = new StreamSocket();
}

Abovi is my initialization.

This is my connect function that i run on button click :

 async private void Cnn_Click(object sender, RoutedEventArgs e)
        {
            if (connected)
                return;

            try
            {
                await socket.ConnectAsync(host, port, SocketProtectionLevel.Ssl);

                writer = new DataWriter(socket.OutputStream);
                reader = new DataReader(socket.InputStream);

                var longRuinningTask = Task.Factory.StartNew(Read, null, TaskCreationOptions.LongRunning);

                StatusText.Text = "Połączono";
                connected = true;
            }
            catch (Exception exception)
            {
                if (SocketError.GetStatus(exception.HResult) == SocketErrorStatus.Unknown)
                {
                    throw;
                }
                //Here i ignore the errors to connect anyway in 2nd try
                if (socket.Information.ServerCertificateErrorSeverity == SocketSslErrorSeverity.Ignorable && socket.Information.ServerCertificateErrors.Count > 0)
                {
                    socket.Control.IgnorableServerCertificateErrors.Clear();
                    foreach (ChainValidationResult ignorableError in socket.Information.ServerCertificateErrors)
                    {
                        socket.Control.IgnorableServerCertificateErrors.Add(ignorableError);
                    }

                }
                StatusText.Text = "Nie połączono      " + exception.ToString();
            }

Answer 12

I just went through your code and it works fine. Also, the procedure for adding a root CA certificate to the app works as expected. Just to be clear... the website's SSL certificate is NOT the same as the root CA certificate.  Are you 100% sure this is the right root CA certificate?

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 13

One more thing... I don't see anywhere in this code that you're using Client Certificates, just an SSL connection to the server. Can you explain more about the Client Cert portion of this problem?

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 14

and how do i use the client certificate ? (i thought that if i added them in manifest they are used automaticly)

Answer 15

You need to get the https part of this working first, then tackle the client certificate.

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 16

I have installed (and also inserted into manifest) new certificate with CN which is equal to the hostname but still i got these errors 

- untrusted

-invalid name

But i found such information:

'The client support for SSL/TLS does not include the ability to use client certificates.'

So does this mean that i cannot use client certificates in anyway? 

Answer 17

1) You still don't have HTTPS working properly.  You HAVE to get this working first.

2) 'The client support for SSL/TLS does not include the ability to use client certificates.' - I think that you're right, Client certs aren't supports for StreamSockets.  Please describe the scenario and maybe we can come up with a workaround.

---

Matt Small - Microsoft Escalation Engineer - Forum Moderator
If my reply answers your question, please mark this post as answered.

NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

Answer 18

1) How can i get HTTPS working properly?

2) Currently there is no client certificate verification on server side. The server during handshake is supposed to give it's certificate and cipherkey to client (so i guess it's server side ssl).

When I ignore Untrusted and InvalidName errors I can see as a client that i'am connected but the handshake hasn't finished (and doesn't want to finish). And when i try to write to server he told me that he can see in logs that connection was not yet established.

I am new to socket connections and ssl protection so i need some extra explanation. My friend that's writting similar android app has managed to get this working and hopefully tomorrow i will be able to find him and ask him about that.

Answer 19

If i connect this way i can comunicate with server - so GetResult ensures that handshake is finished i guess

socket.ConnectAsync(host, port, SocketProtectionLevel.Ssl).GetAwaiter().GetResult();