How to setup mutual TLS using HTTPClient in C#

  • Question

  • Hi,

    I am facing one issue while doing mutual tls communication using HTTPClient (if it is not right forum to ask this question, please suggest the right one).

    I have written the following code:

    using namespace System::Net;
    using namespace System::Net::Http;
    using namespace System::Net::Http::Headers;
    using namespace System::Threading::Tasks;

    // Force TLS 1.2 for outgoing connections
    System::Net::ServicePointManager::SecurityProtocol = SecurityProtocolType::Tls12;

    HttpClient^ httpClient;
    Task<HttpResponseMessage^>^ resultTask;

    WebRequestHandler^ clientHandler = gcnew WebRequestHandler();
    clientHandler->ClientCertificates->Add(state->ptrClientCert); // add certificate of client provided by server
    clientHandler->AuthenticationLevel = System::Net::Security::AuthenticationLevel::MutualAuthRequired;
    httpClient = gcnew HttpClient(clientHandler);

    httpClient->DefaultRequestHeaders->Accept->Add(gcnew MediaTypeWithQualityHeaderValue("application/octet-stream"));

    HttpContent^ httpContent = gcnew ByteArrayContent(state->postBody);
    httpContent->Headers->ContentType = gcnew MediaTypeHeaderValue("application/octet-stream");

    // Start the POST once, then wait for that same task with a timeout
    resultTask = httpClient->PostAsync(state->httpRequest, httpContent);
    if (resultTask->Wait(DefaultTimeOut)) // wait for finish
    {
        HttpResponseMessage^ response = resultTask->Result;
        SetResponse(response, state->darkClientRef, state->ptrHttprequest, state->appLog);
    }

    Now this code is not working, as it is throwing an exception: "Socket exception, remote host has closed the connection". My understanding is that a possible reason is that I am not setting the private key in my request, as the certificate only has the public key.

    Now my question is: how can I set my private key in this request? In my search it seems that the SSLStream class should be helpful for this, but in every example of SSLStream it is working with TCPClient, not HTTPClient?

    Can somebody please guide me with a useful example / link? I am using .Net framework 4.5.2.

    Thanks

    Dev



    • Edited by Devendra Tewari Wednesday, June 14, 2017 2:58 PM correct the code
    Wednesday, June 14, 2017 2:56 PM

Answers

  • Hi Wendy,

    I have solved the issue. The problem is that I am using an ECS based pkcs8 key while X509 supports only RSA based pkcs8 keys. The only solution is to create a .pfx / p12 file for this. However, I don't know why X509 does not support ECS based pkcs8 keys. Any insight?

    Thanks

    Devendra

    Sunday, July 9, 2017 4:20 PM
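
Loading the client certificate together with its private key from a .pfx / .p12 bundle, as the answer above describes, shown in C# as an added example that is not code from the thread. The class and method names are hypothetical; the bundle path, password and URL are supplied by the caller, and the project is assumed to reference System.Net.Http and System.Net.Http.WebRequest.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;

static class MutualTlsClient // hypothetical name, not from the thread
{
    const string OidRsa = "1.2.840.113549.1.1.1"; // rsaEncryption
    const string OidEc  = "1.2.840.10045.2.1";    // id-ecPublicKey

    // Loads a PKCS#12 bundle and refuses to continue without a private key,
    // so the problem shows up locally instead of as a connection closed by the server.
    public static X509Certificate2 LoadClientCertificate(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("No private key in bundle; client authentication would fail.");
        string oid = cert.PublicKey.Oid.Value;
        string kind = oid == OidRsa ? "RSA" : oid == OidEc ? "EC" : "other (" + oid + ")";
        Console.WriteLine("Subject: {0}, key type: {1}, expires: {2:u}", cert.Subject, kind, cert.NotAfter);
        return cert;
    }

    public static HttpClient Create(X509Certificate2 clientCert)
    {
        // Process-wide setting; .NET Framework 4.5.x does not enable TLS 1.2 by default.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var handler = new WebRequestHandler();
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;
        handler.ClientCertificates.Add(clientCert);
        return new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(30) };
    }

    static void Main(string[] args)
    {
        // args: <pfx path> <pfx password> <https url>, all supplied by the caller
        var cert = LoadClientCertificate(args[0], args[1]);
        using (var client = Create(cert))
        using (var body = new ByteArrayContent(new byte[] { 0x01, 0x02 })) // constructed sample body
        {
            body.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");
            HttpResponseMessage response = client.PostAsync(args[2], body).GetAwaiter().GetResult();
            Console.WriteLine((int)response.StatusCode);
        }
    }
}
```

The `HasPrivateKey` check is the useful part for this thread: an `X509Certificate` built from a public certificate file alone can be added to `ClientCertificates` without any error and only fails during the handshake.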

All replies

  • Hi Devendra Tewari,

    Thank you for posting here.

    For your question, what is the language of your project? In your title, you want to do that in C#. But in your code, it is C++.

    This is forum for C#. If your question is more related to C++, I will move it to C++ forum for suitable support.

    We are waiting for your update.

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, June 15, 2017 2:34 AM
  • Hi Wendy,

    It is clr / cli. So all C++ and C# classes are available here. So even if someone can give an example in pure C#, it will work for me. So, no need to move the question.

    Thanks

    Dev

    Thursday, June 15, 2017 4:16 AM
  • Hi Wendy,

    One more information. I am using windows 7 and it is desktop application. I am using System.Net.HttpClient. Does it support TLS1.2 ? If not then what is the alternative for mutual tls 1.2 ?

    Thanks

    Dev

    Thursday, June 15, 2017 8:03 AM
  • Hi,

    It seems that I am ending up in an issue where I have to convert my PKCS8 private key into the RSAProvider interface in order to set it in X509Certificate. The key has been generated using the EVP_PKEY2PKCS8 function of OpenSSL.

    I have used the following links to convert the key but they did not work.

    https://codereview.stackexchange.com/questions/151376/public-key-chunked-encryption-with-c-method-to-decrypt

    https://stackoverflow.com/questions/243646/how-to-read-a-pem-rsa-private-key-from-net

    Can someone direct me to the right example which I can use to convert the key?

    Thanks

    Dev

    Saturday, June 17, 2017 4:32 AM
  • Hi,

    No reply :( . I am expecting it was widely used in C# application or is it not the right forum to ask this question. Please suggest.

    Thanks

    Dev

    Monday, June 19, 2017 2:36 PM
  • Hi Devendra Tewari,

    Sorry for late reply.

    >> I am using System.Net.HttpClient. Does it support TLS1.2 ? If not then what is the alternative for mutual tls 1.2 ?

    If your .net framework is 4.5.2 and you want to support, please upgrade to 4.6+.

    For more details, please refer to the MSDN article.

    https://docs.microsoft.com/EN-US/dotnet/framework/migration-guide/retargeting/4.5.2-4.6

    >Can someone direct me the right example which I can use to convert the key.

    What is the type of your PKCS8? If it is DER, you could use the X509Certificate.CreateFromSignedFile Method (String) to create an X.509v3 certificate. And then use X509Certificate to do load or other things you want.

    Best Regards,

    Wendy



    Wednesday, June 21, 2017 6:23 AM
  • Hi Devendra Tewari,

    If your question has been solved, please mark the reply as answer.

    >>However I dont know why X509 does not support ECS basis pkcs8 key. any insight ?

    Because RSA is not used exclusively inside X509 and SSL/TLS, a more generic key format is available in the form of PKCS#8, that identifies the type of private key and contains the relevant data.

    For more details, please refer to the following link.

    https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem

    Best Regards,

    Wendy

    Note: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. 

    Microsoft does not control these sites and has not tested any software or information found on these sites; Therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there.

    There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet. 



    Wednesday, July 12, 2017 7:03 AM