EldoS | Feel safer!

Client authentication for SSL/TLS connection

#36984
Posted: 06/10/2016 17:01:10
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

Eugene,

I talked to FutureX, who maintain the server, and what they are seeing at their end is that the entire CA tree of the client certificate is not sent. This is what I got back from them:

we aren't getting back the sub-CAs which signed the client certificates. From the logs, I see the following error:

Failed to validate SSL/TLS Pair 20 SSL Settings: Could not validate certificate and/or CRL chain.

So how do I specify in the BlackBox library to send the entire tree? The .pfx file I add to the storage has the entire tree (I attached a picture of the tree from my local Windows store).


#36985
Posted: 06/11/2016 03:53:00
by Eugene Mayevski (EldoS Corp.)

This means that the server forcefully closes connection.

Regarding the certificates to be sent - when you use the ClientCertStorage approach, all certificates in the storage are sent. It's possible that the server wants them in a different order, though. If this is the case, then you need to employ one more instance of TElMemoryCertStorage and add certificates to it one by one, starting from the end-entity certificate (then use the GetIssuerCertificate() method of the storage to get the next certificate).

The alternative method is to use OnCertificateNeededEx and pass certificates one by one to it. The event is fired in a loop until you return null. This lets you pass the certificate chain for authentication.


Sincerely yours
Eugene Mayevski
#36987
Posted: 06/11/2016 23:13:41
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

Eugene,

The .pfx file I used had the certificates concatenated using the openssl commands: I had a PEM file with all the sub-CAs and the root CA. Then I combined that certificate and the private key to make a .pfx file. Now when I use the TElMemoryCertStorage, it gives me only one certificate. How do I get all the certificates from the storage? All I got is the leaf certificate.
#36988
Posted: 06/12/2016 04:27:00
by Eugene Mayevski (EldoS Corp.)

If you have just one certificate after calling TElMemoryCertStorage.LoadFromStreamPFX(), this means that your PFX indeed contains only one certificate. Could you tell me the exact size in bytes of your PFX file?


Sincerely yours
Eugene Mayevski
#36989
Posted: 06/12/2016 09:24:19
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

The size of the .pfx file is 8KB. I am pretty sure we have all the signed certificates in this file, as this is the same certificate that I imported in my Windows cert store, and it showed the certificate tree I added before in this thread.
#36990
Posted: 06/12/2016 10:32:18
by Rohith Chinnaswamy (Priority Standard support level)
Joined: 06/09/2016
Posts: 16

Also, I used the openssl command just now to verify that the .pfx file has the certificates:

openssl pkcs12 -info -in <path to cert>

It listed the leaf certificate and all the sub-CAs and the root CA tree.
#36993
Posted: 06/13/2016 03:39:23
by Eugene Mayevski (EldoS Corp.)

I welcome you to continue the conversation in the Helpdesk ( https://www.eldos.com/helpdesk/ ). I have moved your last messages to the HelpDesk for investigation.

Helpdesk is our easy-to-use individual support system that allows communicating and exchanging sample data with our support personnel privately. You will also get e-mail notifications about updates of your support request.


Sincerely yours
Eugene Mayevski
#36995
Posted: 06/13/2016 12:10:09
by Eugene Mayevski (EldoS Corp.)

For all readers - the problem was that TElX509Certificate.LoadFromStreamPFX was used instead of TEl*CertStorage.LoadFromStreamPFX. As TElX509Certificate represents one certificate, only one certificate of the chain was loaded. Replacing the call with TElMemoryCertStorage.LoadFromStreamPFX solved the problem.


Sincerely yours
Eugene Mayevski
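The two points made above, building the chain leaf-first by walking GetIssuerCertificate() (post #36985) and the single-certificate storage that caused the server's "could not validate certificate chain" error (post #36995), can be illustrated with the following added example. It is not SecureBlackbox code and not from this thread: certificates are constructed subject/issuer records and `MemoryCertStorage.get_issuer_certificate` is a hypothetical stand-in lookup, so it shows the ordering and the completeness check, not real PFX parsing.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate; only the names matter here."""
    subject: str
    issuer: str


class MemoryCertStorage:
    """Hypothetical stand-in for a certificate storage, not the SecureBlackbox class."""

    def __init__(self, certs: List[Cert]):
        self.certs = list(certs)

    def get_issuer_certificate(self, cert: Cert) -> Optional[Cert]:
        """Plays the role of GetIssuerCertificate(): the stored cert whose subject is cert.issuer."""
        for candidate in self.certs:
            if candidate is not cert and candidate.subject == cert.issuer:
                return candidate
        return None


def build_client_chain(storage: MemoryCertStorage, leaf: Cert) -> Tuple[List[Cert], List[str]]:
    """Order the chain end-entity first by following issuer links up to a self-signed root."""
    # A non-empty problems list means the peer would receive an incomplete chain,
    # which is what the server log quoted in this thread complained about.
    chain, problems = [leaf], []
    current = leaf
    while current.subject != current.issuer:          # stop at the self-signed root
        issuer = storage.get_issuer_certificate(current)
        if issuer is None:
            problems.append(f"missing issuer '{current.issuer}' for '{current.subject}'")
            break
        if issuer in chain:                            # guard against a looping chain
            problems.append(f"issuer loop at '{issuer.subject}'")
            break
        chain.append(issuer)
        current = issuer
    return chain, problems


# Constructed sample chain: root CA -> sub-CA -> client leaf.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
SUB_CA = Cert("CN=Example Sub CA", "CN=Example Root CA")
LEAF = Cert("CN=client-01", "CN=Example Sub CA")

if __name__ == "__main__":
    # Storage loaded root-first, as a PEM bundle might be: the chain comes out leaf-first.
    print(build_client_chain(MemoryCertStorage([ROOT, SUB_CA, LEAF]), LEAF))
    # Storage holding only the leaf, as loading the PFX into a single TElX509Certificate did.
    print(build_client_chain(MemoryCertStorage([LEAF]), LEAF))
```

Running the same check against a storage that holds the root and the leaf but not the sub-CA reports the missing intermediate, which is the symptom FutureX saw on their side.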