EldoS | Feel safer!

Client authentication for SSL/TLS connection

#36973
Posted: 06/10/2016 10:44:44
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

To give you a background on how I used this with .NET Framework code, I have pasted the code below.

In the case of the .NET framework, we have the client certificate in the local certificate store along with its private key. When using the blackbox library we are loading from a PFX file (that's the same PFX file we imported into the Windows certificate store). We eventually want to use it from Windows CE code, but we are testing the code from the desktop to make sure it works before running on CE.

Code
    // Namespaces this fragment needs at the top of the file:
    using System;
    using System.Net.Security;
    using System.Net.Sockets;
    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;

    private SslStream _stream;

    private TcpClient GetSSLStream(ref string hostName, ref int portNum, string serverCert, string clientCert)
    {
        // Create a TCP/IP client socket.
        TcpClient client = new TcpClient(hostName, portNum);
        // Create an SSL stream that will close the client's stream.
        // ValidateServerCertificate is defined elsewhere in the project (not shown in this post).
        var certValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
        var certSelectCallback = new LocalCertificateSelectionCallback(LocalCertificateSelection); // selects the first cert
        _stream = new SslStream(client.GetStream(), false, certValidationCallback, certSelectCallback);

        X509Certificate2Collection clientCertificates;
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // This client certificate has the public and private key.
            // validOnly = true silently drops certificates whose chain does not validate,
            // so the returned collection can be empty.
            clientCertificates = store.Certificates.Find(X509FindType.FindBySubjectName, clientCert, true);
        }
        finally
        {
            store.Close();
        }

        // Logger and KMS_ClientName are defined elsewhere in the project (not shown in this post).
        Logger.Debug("KMS_CLient Name : " + KMS_ClientName);
        try
        {
            // serverCert is used as the target host name the server certificate must match.
            _stream.AuthenticateAsClient(serverCert, clientCertificates, SslProtocols.Tls11, false);
        }
        catch (AuthenticationException ex)
        {
            Logger.Error(ex);
            throw; // rethrow without resetting the stack trace
        }

        if (client.Connected)
        {
            Logger.Debug("Client Authenticated");
            return client;
        }
        else
        {
            return null;
        }
    }

    public X509Certificate LocalCertificateSelection(object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers)
    {
        // Return null (present no client certificate) instead of throwing when the store lookup found nothing.
        if (localCertificates == null || localCertificates.Count == 0)
        {
            Console.WriteLine("No local certificate available for client authentication.");
            return null;
        }

        X509Certificate cert = localCertificates[0];
        Console.WriteLine("Client is selecting a local certificate.");
        return cert;
    }
#36974
Posted: 06/10/2016 11:04:21
by Eugene Mayevski (EldoS Corp.)

One more badly written server ...

Please comment out the client certificate stuff and try to connect to the server this way. Let's see what error (if any) is reported.

Also, does your code work with any other SSL/TLS server (you can check it with any HTTPS resource including www.eldos.com )?


Sincerely yours
Eugene Mayevski
#36976
Posted: 06/10/2016 11:18:12
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

I did that and I still get the same error. Commenting out the client certificate part still has the same failure in the OnSend event handler.
#36977
Posted: 06/10/2016 11:25:59
by Eugene Mayevski (EldoS Corp.)

does your code work with any other SSL/TLS server (you can check it with any HTTPS resource including www.eldos.com )?


Sincerely yours
Eugene Mayevski
#36978
Posted: 06/10/2016 11:42:54
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

Eugene,

I haven't checked with other servers that require client-side authentication. But I wouldn't say that the server is badly written, as the server I am connecting to is from a highly known security company (FutureX) and they have this product working and used by different customers. I think the key is how the blackbox library picks the required client certificate from the .pfx file, because in the .NET library code I posted, I specify the leaf certificate name (which also has the private key) and send that certificate. In the case of the .pfx file, the private key, the public certificate, the signing sub-CAs (3 of them) and then the root are all in the file. How does the blackbox library identify the leaf certificate?
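The post above asks how a library can tell the leaf apart from the sub-CAs and root packed into the same PFX, and the first post's selection callback simply returns localCertificates[0]. The following is an added example written for this thread; it is not code from the thread, from the .NET documentation or from the SecureBlackbox library, and it does not describe how SecureBlackbox itself performs the selection. It loads a PFX from the placeholder path "client.pfx" with the placeholder password "changeit", identifies the end-entity certificate (the one carrying the private key and not named as the issuer of any other certificate in the bundle), builds the chain using the bundled CAs, and shows a selection callback for SslStream that prefers a certificate with a private key over position in the collection.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread or from the SecureBlackbox library.
// "client.pfx" and "changeit" are placeholders for the PFX path and password.
static class PfxLeafSelection
{
    // Import everything in the PFX: the leaf with its private key, the signing sub-CAs and the root.
    public static X509Certificate2Collection LoadPfx(string path, string password)
    {
        var all = new X509Certificate2Collection();
        all.Import(path, password, X509KeyStorageFlags.DefaultKeySet);
        return all;
    }

    // The end-entity certificate is the one that carries the private key; as a cross-check it
    // must not appear as the issuer of any other certificate in the bundle (CAs do, the leaf does not).
    public static X509Certificate2 FindLeaf(X509Certificate2Collection all)
    {
        var certs = all.Cast<X509Certificate2>().ToList();
        var withKey = certs.Where(c => c.HasPrivateKey).ToList();
        if (withKey.Count == 0)
            throw new InvalidOperationException("PFX contains no certificate with a private key");

        var issuerNames = new HashSet<string>(certs.Select(c => c.Issuer));
        return withKey.FirstOrDefault(c => !issuerNames.Contains(c.Subject)) ?? withKey[0];
    }

    // Build the chain the server will have to validate, feeding the CA certificates from the PFX
    // as extra store so the sub-CAs resolve even when the machine store does not hold them.
    public static bool BuildChain(X509Certificate2 leaf, X509Certificate2Collection all)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.AddRange(all);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline test, no CRL/OCSP
        bool ok = chain.Build(leaf);

        Console.WriteLine("Chain from leaf to root:");
        foreach (X509ChainElement element in chain.ChainElements)
            Console.WriteLine("  " + element.Certificate.Subject);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  status: " + status.Status + " " + status.StatusInformation);
        return ok;
    }

    // Replacement for a selection callback that returns localCertificates[0]: only a certificate
    // with a private key can complete the handshake's CertificateVerify step, and when the server
    // lists acceptable issuers (certificate_authorities in CertificateRequest) a match is preferred.
    public static X509Certificate SelectClientCertificate(object sender, string targetHost,
        X509CertificateCollection localCertificates, X509Certificate remoteCertificate,
        string[] acceptableIssuers)
    {
        if (localCertificates == null || localCertificates.Count == 0)
            return null; // nothing to present; the server decides whether to continue

        X509Certificate2 fallback = null;
        foreach (X509Certificate candidate in localCertificates)
        {
            var c2 = candidate as X509Certificate2 ?? new X509Certificate2(candidate);
            if (!c2.HasPrivateKey)
                continue;
            if (acceptableIssuers != null && acceptableIssuers.Contains(c2.Issuer))
                return c2;
            if (fallback == null)
                fallback = c2;
        }
        return fallback;
    }

    public static void Main()
    {
        X509Certificate2Collection all = LoadPfx("client.pfx", "changeit");
        X509Certificate2 leaf = FindLeaf(all);
        Console.WriteLine("Leaf: " + leaf.Subject);
        Console.WriteLine("Issued by: " + leaf.Issuer);
        Console.WriteLine("Chain builds: " + BuildChain(leaf, all));

        // "server.example" is a placeholder host name; no server is contacted here.
        X509Certificate chosen = SelectClientCertificate(null, "server.example", all, null, null);
        Console.WriteLine("Would present: " + (chosen == null ? "nothing" : chosen.Subject));
    }
}
```

Two things to keep in mind when reusing this: the acceptable-issuer comparison is a plain string match on distinguished names, and the DN formatting the server sends may not match X509Certificate2.Issuer character for character, so treat it as a preference rather than a hard filter (the code falls back to the first private-key certificate). And if BuildChain reports UntrustedRoot or PartialChain for the leaf on the test machine, the server, which validates the same chain, will most likely reject it too; that is worth checking before suspecting the library's certificate selection.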
#36979
Posted: 06/10/2016 12:07:21
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

Also when I connect again after the first failure in the same SSL Chat Client exe, I get the SSL protocol error 78752. Attached the screenshot


#36980
Posted: 06/10/2016 12:27:52
by Eugene Mayevski (EldoS Corp.)

Let's focus on one problem/question at a time, please.

Please check your implementation of the SSL client *without* client-side authentication with some HTTPS server and let me know whether your client works.


Sincerely yours
Eugene Mayevski
#36981
Posted: 06/10/2016 13:19:48
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

It works with a server without client side authentication and can send and receive messages
#36982
Posted: 06/10/2016 13:58:59
by Eugene Mayevski (EldoS Corp.)

Wonderful. This means that the factor of code glitches can be excluded. Now we have two possible reasons for the problem:

1) the server doesn't like some TLS parameters like TLS version or allowed cipher suites.
2) the server doesn't like the authentication.

In both cases a properly written server would need to send a TLS-level alert, which would be reported via the OnError event. The fact that one of the sides drops the connection without reporting an error is an improper implementation of the standard. Now we need to know which side drops the connection.

Let's start with the following:

1) put a breakpoint or a debug message to OnCloseConnection event handler and see what the value of Reason parameter is.
2) modify the event handler of OnCloseConnection to have it create an instance of Diagnostics.StackTrace class and dump the value of StackTrace.ToString() method.

The above test will let us understand, where the exception is closed.


Sincerely yours
Eugene Mayevski
#36983
Posted: 06/10/2016 15:02:48
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

Hi,

I don't get a callback for the OnCloseConnection event handler. It fails in OnSend when we send data; I had a breakpoint and took the stack trace:

at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at System.Net.Sockets.Socket.Send(Byte[] buffer)
at ElSecureChat.Client.MainClientWnd.ElSecureClientSend(Object sender, Byte[] buffer) in c:\Rohith\SSLBlackbox\Desktop\Server\Chat\Client\MainClientWnd.cs:line 376

The message of the exception

An established connection was aborted by the software in your host machine

And there was no inner exception or anything
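The exception text reported above ("An established connection was aborted by the software in your host machine") is the message Windows attaches to WinSock error 10053 (WSAECONNABORTED), which is distinct from 10054 (WSAECONNRESET, "forcibly closed by the remote host"). Since the earlier reply asks which side is dropping the connection, the following added example (written for this thread, not code from the chat sample or from SecureBlackbox) wraps the raw Socket.Send that the OnSend handler performs and classifies a SocketException by its SocketErrorCode, so the log shows whether the local stack aborted the connection or the peer sent a TCP reset. The Main method reproduces a peer-side close on loopback with a constructed "hello" message; the port, host and payload are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;

// Added diagnostic helper, not code from the thread or from SecureBlackbox.
static class SendDiagnostics
{
    public enum CloseSide { None, LocalStackAborted, RemoteReset, Other }

    // Map the WinSock error carried by the exception to the side that tore the connection down:
    // 10053 (ConnectionAborted) is raised by the local TCP stack, 10054 (ConnectionReset) means
    // a TCP RST arrived from the peer. Anything else is left for the caller to inspect.
    public static CloseSide Classify(SocketException ex)
    {
        switch (ex.SocketErrorCode)
        {
            case SocketError.ConnectionAborted: // "aborted by the software in your host machine"
                return CloseSide.LocalStackAborted;
            case SocketError.ConnectionReset:   // "forcibly closed by the remote host"
                return CloseSide.RemoteReset;
            default:
                return CloseSide.Other;
        }
    }

    // Send and report; the detail string is what belongs in the OnSend handler's log line.
    public static CloseSide TrySend(Socket socket, byte[] buffer, out string detail)
    {
        try
        {
            int sent = socket.Send(buffer);
            detail = "sent " + sent + " bytes";
            return CloseSide.None;
        }
        catch (SocketException ex)
        {
            detail = ex.SocketErrorCode + " (" + ex.ErrorCode + "): " + ex.Message;
            return Classify(ex);
        }
    }

    // Loopback reproduction: the "server" accepts and immediately closes its socket, so the
    // client's first send may still succeed (data is buffered) and a later one fails once the
    // peer's RST has been processed. Nothing here contacts a real server.
    public static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        var client = new TcpClient("127.0.0.1", port);
        listener.AcceptTcpClient().Close(); // peer drops without any application-level message
        listener.Stop();
        Thread.Sleep(200);                   // let the RST reach the client side

        byte[] payload = Encoding.ASCII.GetBytes("hello"); // constructed sample message
        for (int i = 1; i <= 3; i++)
        {
            string detail;
            CloseSide side = TrySend(client.Client, payload, out detail);
            Console.WriteLine("send #" + i + ": " + side + " -> " + detail);
            if (side != CloseSide.None)
                break;
            Thread.Sleep(100);
        }
        client.Close();
    }
}
```

When the classification comes back as LocalStackAborted rather than RemoteReset, the socket error alone does not say who closed first; a packet capture on the client taken during the handshake settles it, by showing whether a TLS alert record, a FIN or a RST from the server precedes the failing send, or whether the client is the first to tear the connection down.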
