EldoS | Feel safer!

Server Certificate Validation

#17752
Posted: 10/06/2011 07:11:52
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Hi again,
I'm using version 7.2.0.171 and have a valid license key.

I was creating an SSL server, following the sample given in

SecureBlackbox.NET\Samples\C#\SSLBlackbox\SSLSocketDemo\Server

Because I couldn't satisfy various browsers (although I applied a valid server certificate plus the root CA), I tried your sample and ran openssl against it:

These are the results. The question is: What does that all mean? It doesn't look very reliable...

C:\OpenSSL\bin>openssl s_client -showcerts -connect localhost:443
Loading 'screen' into random state - done
CONNECTED(00000730)
depth=0 /C=US/CN=SSL/TLS Server Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/CN=SSL/TLS Server Certificate
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/CN=SSL/TLS Server Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/CN=SSL/TLS Server Certificate
i:/C=US/CN=Well Known Authority
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/CN=SSL/TLS Server Certificate
issuer=/C=US/CN=Well Known Authority
---
No client certificate CA names sent
---
SSL handshake has read 1047 bytes and written 258 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 03ED3704BAA58BBB088F764CAE4FDE97B8D7D012BD46011346F8B2A0A44C7EF4

Session-ID-ctx:
Master-Key: CADD70C67570CC848AB4EB4817F10501CC67C138339A7099B51EF4919A5AD57D
40F9F023AF35A1CE25D556E80D2DAB0A
Key-Arg : None
Start Time: 1317902297
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---


Regards
#17753
Posted: 10/06/2011 07:26:26
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Try to use the OpenSSL -CAfile parameter, which points to a file with the public keys of the CAs you want to trust.
#17754
Posted: 10/06/2011 07:40:30
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Hi Vsevolod

thanks for the quick answer. The point is: What do I have to do server side in order to pass the client validation?

For now I added the server certificate and all CAs along the way to the root, including the root itself. And I set ForceCertificateChain to true. Is that correct? Or do I just have to put my server cert into the cert storage? From the validation result it seems to be the same...

Kind regards
#17755
Posted: 10/06/2011 07:52:30
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
For now I added the server certificate and all CAs along the way to the root, including the root itself.

That's right. You should put all certificates that create a chain into the CertStorage.

Note that the server's CertStorage must have the corresponding private keys. It is possible to put in several certificates without private keys which create a certificate chain, but the final certificate of the chain must have its private key anyway.

If the client receives the full certificate chain and the root certificate is trusted on the client side (stored in the system trusted storage, declared using -CAfile, etc.; this depends on the client software), then your server will successfully pass validation.

If your certificate was issued by a well-known authority, then it is possible that the corresponding root certificate is already installed in your system's trusted storage. Then you can try to connect to the server using a web browser or another client that uses that storage.
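The rule in this post, demonstrated end to end with openssl. This is an added example, not code from the thread, from EldoS or from SecureBlackbox; it assumes an OpenSSL 1.1.1 or newer binary on PATH, and the names Example Root CA, Example Intermediate CA and localhost are constructed. It builds a three-certificate chain and then checks it the way a client would: the "unable to get local issuer certificate" result (code 20, the same number s_client printed above) appears both when the intermediate is missing from what the server presents and when the root is not trusted, and the chain only verifies once both halves hold. `openssl verify -untrusted` stands in for the intermediate certificates a server delivers in the handshake, and `-CAfile` for the client's trust store.

```shell
#!/bin/sh
# Added example, not code from the EldoS thread or from SecureBlackbox.
# Assumes an OpenSSL 1.1.1+ binary on PATH; all names below
# (Example Root CA, Example Intermediate CA, localhost) are constructed.
#
# Builds a throwaway chain  root CA -> intermediate CA -> server cert
# and runs `openssl verify` over it the way a TLS client would judge the
# certificates a server sends, so both halves of the rule are visible:
#   (a) the client must trust the root           (-CAfile root.pem)
#   (b) the server must supply every intermediate (-untrusted int.pem, the
#       command-line stand-in for the chain a server sends in the handshake)
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

chain_setup() {
  # Extension files: CA certificates need CA:TRUE and keyCertSign to be
  # accepted as issuers; the server certificate is an end entity.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n' \
    > "$WORK/server.ext"

  # 1. Self-signed root CA: the only certificate a client must trust explicitly.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=US/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # 2. Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=US/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

  # 3. Server certificate, signed by the intermediate. This is the one that
  #    must sit in the server's storage together with its private key.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=US/CN=localhost" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

verify_code() {
  # Runs `openssl verify` with the given arguments and prints the numeric
  # X509 verify result: 0 when the chain is OK, otherwise the same error
  # number s_client shows (20 = unable to get local issuer certificate).
  if out=$(openssl verify "$@" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

chain_setup
echo "leaf only, nothing trusted         -> $(verify_code "$WORK/server.pem")"
echo "root trusted, intermediate missing -> $(verify_code -CAfile "$WORK/root.pem" "$WORK/server.pem")"
echo "intermediate sent, root untrusted  -> $(verify_code -untrusted "$WORK/int.pem" "$WORK/server.pem")"
echo "root trusted + full chain sent     -> $(verify_code -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/server.pem")"
```

Run it as `sh chain-demo.sh`; it prints one line per case, with 0 only for the last one. Mapped back to the thread: the server-side half is to load the server certificate with its private key plus every intermediate into CertStorage so the whole chain is sent, and the client-side half is to trust the root, which for openssl s_client means pointing -CAfile at it.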
#17756
Posted: 10/06/2011 08:07:11
by neil young (Standard support level)
Joined: 11/05/2007
Posts: 96

Quote
Note that the server's CertStorage must have the corresponding private keys. It is possible to put in several certificates without private keys which create a certificate chain, but the final certificate of the chain must have its private key anyway.


Yes, I can confirm that. Just one question: I added the server cert including the private key first, and after that I added the cert chain. That seems to work, so the order of Add doesn't matter, right?

Thanks for the clarification. It works now, as expected. OpenSSL was happy after I added the -CAfile parameter.

Kind regards
#17757
Posted: 10/06/2011 08:19:45
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
That seems to work, so the order of Add doesn't matter, right?

Right.