EldoS | Feel safer!

How to handle optional client authentication?

#10274
Posted: 06/04/2009 07:25:56
by Thomas Krämer (Basic support level)
Joined: 06/04/2009
Posts: 1

Hello,

I am using the ElClientSSLSocket (C#/.NET Framework and .NET Compact Framework) to connect to a server which seems to have optional client authentication activated.

The long story:
After calling the ElClientSSLSocket.Connect method the registered OnCertificateNeededEx event handler is called, expecting me to provide a client certificate.
When using the class System.Net.WebRequest from the Microsoft .NET Framework 2 to connect to the same server, no client certificate is requested. The communication just works.
When using the class System.Net.WebRequest from the Microsoft .NET Compact Framework 2 to connect to the same server, on the other hand, an exception is thrown. The exception is telling me that client authentication is currently not supported by the .NET Compact Framework 2.

Unless the WebRequest class from the full .NET Framework is doing something magic, I guess it is correct to conclude that the server is using optional client authentication.

So my question is: How do I react to an optional client authentication request while using ElClientSSLSocket? Passing null as the value for the parameter "Certificate" in the OnCertificateNeededEx event handler results in the error ERROR_SSL_ILLEGAL_PARAMETER(75789).
#10290
Posted: 06/04/2009 09:38:56
by Eugene Mayevski (EldoS Corp.)

The .NET SSL class takes certificates from the Windows Certificate Storage automatically. This might be the case and the reason why you don't need to provide a certificate with the WebRequest class.

In general, if client authentication is really optional on the server, then passing NULL in OnCertificateNeededEx (or just not implementing the event handler) will cause the connection to not use client authentication.


Sincerely yours
Eugene Mayevski
#10447
Posted: 06/22/2009 09:45:08
by Thorsten Bellm (Basic support level)
Joined: 06/22/2009
Posts: 2

Hello,
we currently have some problems with certificates.
First, the OnCertificateValidate-event is thrown and there, we try to validate the certificate:

Code
void sslClient_OnCertificateValidate(object Sender, SBX509.TElX509Certificate X509Certificate, ref bool Validate)
{
   // Overwrites the certificate object handed in by the component with the contents
   // of a local .cer file, then asks that object to validate itself.
   using (FileStream fs = new FileStream("certificate.cer", FileMode.Open, FileAccess.Read))
   {
      X509Certificate.LoadFromStream(fs, 0);
   }
   Validate = X509Certificate.Validate();
}


The bool-variable Validate is true and so everything seems ok.
After that, the OnCertificateNeededEx-event is thrown.

Code
void sslClient_OnCertificateNeededEx(object Sender, ref SBX509.TElX509Certificate Certificate)
{
   try
   {
      if (m_CertificateLoaded == false)
      {
         // First call: offer the certificate from the local .cer file (public part only).
         if (File.Exists("certificate.cer"))
         {
            Certificate = new SBX509.TElX509Certificate();
            using (FileStream fs = new FileStream("certificate.cer", FileMode.Open, FileAccess.Read))
            {
               Certificate.LoadFromStream(fs, 0);
            }
            m_CertificateLoaded = true;
         }
      }
      else
      {
         // Subsequent calls: nothing more to offer.
         Certificate = null;
      }
   }
   catch (Exception)
   {
      Certificate = null;
      throw;   // rethrow without discarding the original stack trace
   }
}


No exceptions and everything seems ok, too.

Directly after this event, the OnError-event is thrown.
The bool-variables Fatal and Remote are true. ErrorCode is 75789.

Code
void sslClient_OnError(object Sender, int ErrorCode, bool Fatal, bool Remote)
{
   // ErrorCode 75789 is ERROR_SSL_ILLEGAL_PARAMETER
   System.Windows.Forms.MessageBox.Show("SSL Fehler: " + ErrorCode);
}


First we used the standard Microsoft .NET (CF) functionality to use SSL. On Windows Mobile there are no problems. Just copy and install the certificate to the device. But on Windows CE devices, the Framework throws an exception that certificates are not supported.
So we decided to use BlackBox components to use SSL with certificates.

We hope you can help us with the problem above. Thank you.

Best regards,
Thorsten Bellm
#10448
Posted: 06/22/2009 09:56:56
by Eugene Mayevski (EldoS Corp.)

Certificate validation is not as simple as the way you have used it, but let's omit this part at the moment (you can read about validation in the How-to section of the help file; this is a complex procedure).

You are loading the certificate from a .cer file. This is only the public part of the certificate. It's not enough for client-side authentication. You need to load both the public part and the corresponding private key in order to use such a certificate for client-side authentication. When you load the certificate from a PFX file, such a file always contains a private key. Other formats do not necessarily. For a description of the various formats please search the help file or the site (use "DER PEM PFX" without quotes for the search - this will give you the right article).


Sincerely yours
Eugene Mayevski
#10463
Posted: 06/24/2009 02:16:43
by Thorsten Bellm (Basic support level)
Joined: 06/22/2009
Posts: 2

We have created a PFX file now and try to use this (with the PFX methods). But the OnError event is also thrown and the error code is the same.
#10466
Posted: 06/24/2009 06:44:59
by Eugene Mayevski (EldoS Corp.)

First of all please check that the private key exists (PrivateKeyExists property of TElX509Certificate class) after loading the key from PFX.

Next, it can be that you need to send the complete certificate chain to the server, and not just your client-side certificate.
It can be that the .NET Framework's SSL class (in fact, CryptoAPI) picks all certificates from the registry and sends the complete chain.
What you can do to test this is put the complete chain into one PFX file, then load this PFX file into a TElMemoryCertStorage, then get the chain from the storage as a TElCertificateChain object. Then pass the 0'th certificate from the chain in OnCertificateNeededEx.

Finally you need to inspect the logs of the server if possible. Maybe they contain some information.


Sincerely yours
Eugene Mayevski
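A handler that follows the advice given across this thread (offer nothing when no usable certificate is available, load from PFX rather than .cer, and check PrivateKeyExists before offering), written as an added example; it is not code from the posts above or from EldoS. It assumes a file "client.pfx" with its password, that both TElX509Certificate and TElMemoryCertStorage expose LoadFromStreamPFX(Stream, string), and that the storage exposes Count and get_Certificates(int); instead of the TElCertificateChain step from the last reply it picks the certificate holding the private key straight from the storage.

```csharp
using System;
using System.IO;
using SBX509;
using SBCustomCertStorage;   // assumed namespace of TElMemoryCertStorage / TElCustomCertStorage

// Added example, not EldoS code. Assumed: PFX path and password, LoadFromStreamPFX on the
// storage class, and get_Certificates(int)/Count on the storage.
class ClientAuthHandler
{
    private const string PfxPath = "client.pfx";    // assumed: leaf + chain exported with the private key
    private const string PfxPassword = "changeit";  // assumed; keep real passwords out of source
    private bool m_CertificateLoaded;               // same first-call/later-call pattern as in the posts above

    // Returns the certificate that carries the private key, or null if none in the storage does.
    // A .cer-only certificate never satisfies this, which is the first thing the thread says to check.
    public static TElX509Certificate FindSigningCertificate(TElCustomCertStorage storage)
    {
        for (int i = 0; i < storage.Count; i++)
        {
            TElX509Certificate cert = storage.get_Certificates(i);
            if (cert.PrivateKeyExists)
                return cert;
        }
        return null;
    }

    void sslClient_OnCertificateNeededEx(object Sender, ref TElX509Certificate Certificate)
    {
        // Leaving Certificate null offers no client certificate at all.
        Certificate = null;
        if (m_CertificateLoaded || !File.Exists(PfxPath))
            return;   // later call in the same handshake, or nothing to offer
        m_CertificateLoaded = true;

        TElMemoryCertStorage storage = new TElMemoryCertStorage();
        using (FileStream fs = new FileStream(PfxPath, FileMode.Open, FileAccess.Read))
        {
            // PFX carries the private key with the certificate(s); a .cer file carries only the public part.
            if (storage.LoadFromStreamPFX(fs, PfxPassword) != 0)
                return;   // non-zero result: wrong password or unreadable file, so offer nothing
        }
        // Only the certificate with a private key can complete client authentication.
        Certificate = FindSigningCertificate(storage);
    }
}
```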