EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SSL/TLS Socket problem

#4875
Posted: 02/07/2008 03:50:33
by Andrew Milne (Standard support level)
Joined: 06/16/2006
Posts: 18

Hello,

I am using the ElClientSSLSocket in order to connect to a remote server (not ours). This server requires TLS, with mutual authentication.

I am loading my certificate using the SBX509.TElX509Certificate.LoadFromStreamPFX method (private key included). I am then assigning it into an SBCustomCertStorage.TElMemoryCertStorage object (private key included). I then assign this TElMemoryCertStorage to the ElClientSSLSocket.CertStorage.

I have handled the OnCertificateNeededEx event, which I can confirm fires. The first time it fires I am setting the certificate parameter to ElClientSSLSocket.CertStorage.Certificates(0). The next time it fires, I am not setting the Certificate so that it does not fire again.

Having done this, I call the BeginConnect call. This is then firing a ReceiveCallback procedure, but the ElClientSSLSocket is not connected.

1. Is there any way to get a reason from the client as to why the connection failed? (The ElClientSSLSocket.CloseReason is 1 (error).)

2. Is there anything I am doing wrong regarding setting my certificate? Do I need to load the CA root certificate as well?

I can provide code on request if needed.

Thanks
#4876
Posted: 02/07/2008 05:33:08
by Andrew Milne (Standard support level)
Joined: 06/16/2006
Posts: 18

I should add that I am using SBB version 5.2.0.124.

I have also just called InternalValidate on the SSL Client after loading the certificates, and I am getting "Storage Error" as the TSBCertificateValidity. The reason is 0.

Thanks
#4877
Posted: 02/07/2008 05:56:41
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Based on your explanation, your code is in general correct and should work. Actually, there's one mistake in it -- the CertStorage property should be used to specify trusted CA certificates (for server certificate validation), not the certificates of the client (handling OnCertificateNeededEx is enough to perform client authentication). However, this mistake should not affect the execution *in your particular case*.

Quote
1. Is there any way to get a reason from the client as to why the connection failed? (The ElClientSSLSocket.CloseReason is 1 (error).)

Please handle the OnError event, it is fired if some protocol error occurs.

Quote
2. Is there anything I am doing wrong regarding setting my certificate? Do I need to load the CA root certificate as well?

Almost everything is done correctly at first glance.
Please do the following:
a) handle the OnCertificateValidate event and set Validate parameter to true inside it (it is a stub for server certificate validation procedure),
b) handle the OnError event, it might help to shed some light on the real reason of the problem.
#4878
Posted: 02/07/2008 06:22:30
by Andrew Milne (Standard support level)
Joined: 06/16/2006
Posts: 18

Thanks for your reply

Quote
CertStorage property should be used to specify trusted CA certificates (for server certificate validation), not the certificates of the client (handling OnCertificateNeededEx is enough to perform client authentication)

Ah, ok, thanks. I did think that this was the case, but wasn't entirely sure. I have removed the CertStorage code, and am just using a standalone TElX509Certificate to send to the server.

Quote
handle the OnError event

Thanks, I have done this now. Because I hadn't got the full list of SBB assemblies in the GAC, the OnError and OnCertificateValidate events weren't listed in Visual Studio (because I had not loaded the SSLCommon dll).

I've handled both of these events now, and am receiving the server certificate in the OnValidate event. I am also getting an error in the OnError event: 75784 - ERROR_SSL_BAD_CERTIFICATE

Is this just a general error, or does it indicate any specific problems? Do I need to load up a full cert chain for my certificate?

I am loading the cert in from a .pfx file which contains the private key. The .pfx file was generated by using the export function in IIS 6.

Thanks for your help
#4879
Posted: 02/07/2008 06:45:02
by Ken Ivanov (EldoS Corp.)

Quote
I've handled both of these events now, and am receiving the server certificate in the OnValidate event. I am also getting an error in the OnError event: 75784 - ERROR_SSL_BAD_CERTIFICATE

There are two possible reasons for this error to be returned. First, the certificate provided by the server is invalid or untrusted (please check that you are setting the Validate parameter to true inside the OnCertificateValidate event handler). Second, one of the client certificates passed via the OnCertificateNeededEx event is invalid. Please check that all the client certificates are loaded correctly (i.e., LoadFromStreamPFX returns 0).

Please also specify, does OnError fire *after* OnCertificateNeededEx or *before* it?
#4881
Posted: 02/07/2008 07:00:07
by Andrew Milne (Standard support level)
Joined: 06/16/2006
Posts: 18

I can confirm that LoadFromStreamPFX does return 0, so I presume it is loaded correctly.

I am setting Validate = true within the OnValidate event:

Code
Private Sub m_SSLClient_OnCertificateValidate(ByVal Sender As Object, ByVal X509Certificate As SBX509.TElX509Certificate, ByRef Validate As Boolean) Handles m_SSLClient.OnCertificateValidate
    'TODO: Check Server Certificate?
    ' Accepts the server certificate unconditionally; nothing is checked against a trusted CA here
    Validate = True
End Sub


Here is my OnCertificateNeededEx:

Code
Private Sub m_SSLClient_OnCertificateNeededEx(ByVal Sender As Object, ByRef Certificate As SBX509.TElX509Certificate) Handles m_SSLClient.OnCertificateNeededEx
    If Not m_certSent Then
        ' First call: hand over the client certificate (loaded from the .pfx, private key included)
        Certificate = m_mycert
        m_certSent = True
    Else
        ' Later calls: Nothing tells the socket there are no more certificates to send
        Certificate = Nothing
    End If
End Sub


The order of events is:

- OnCertificateValidate (fires twice. Presumably because the server has 2 certs?)
- OnCertificateNeededEx
- OnError

Could the error message mean something else like: certificate not high enough encryption, for example?
#4882
Posted: 02/07/2008 07:19:04
by Ken Ivanov (EldoS Corp.)

Quote
I am setting Validate = true within the OnValidate event:

This code is correct.

Quote
Here is my OnCertificateNeededEx:

This code is correct too.

What is the value of the Remote parameter of the OnError event handler? If Remote is true, the certificate is likely to be rejected by the server (it might need the CA certificate that issued your certificate too).

Quote
Could the error message mean something else like: certificate not high enough encryption, for example?

The SSL/TLS specification defines a relatively small set of error codes, most of which are defined in a quite ambiguous way. The specification provides the following explanation for the 'bad certificate' error code:
Quote
bad_certificate
A certificate was corrupt, contained signatures that did not verify correctly, etc.

So the "bad certificate" error actually means that the server didn't like your certificate for some reason (if Remote parameter is true).
#4883
Posted: 02/07/2008 07:33:09
by Andrew Milne (Standard support level)
Joined: 06/16/2006
Posts: 18

Thanks for helping me with this. I really appreciate it.

The error does return Remote = True and Fatal = True.

I will try adding the CA certificate (the server seems to be sending me its cert with a chain attached - containing its CA cert too). Should I do this by loading the CA into the CertStorage of the SSLSocket?

The CA is "Equifax Secure Global eBusiness CA-1". I can export this from my browser as it is a standard root cert. Which format is best to use? DER, base64 or PKCS#7?

Thanks again
#4885
Posted: 02/07/2008 07:58:18
by Ken Ivanov (EldoS Corp.)

Quote
I will try adding the CA certificate (the server seems to be sending me its cert with a chain attached - containing its CA cert too). Should I do this by loading the CA into the CertStorage of the SSLSocket?

The chain should be passed using the OnCertificateNeededEx event starting from the end-entity certificate up to the root CA certificate (or to some intermediate CA certificate). I.e., you should return your certificate to the first call of OnCertificateNeededEx, the parent of your certificate should be returned to the second call and so on. When the [sub]chain is passed completely, set the Certificate parameter to Nothing to indicate that the chain is over.

Please note that the end-entity certificate object should contain a corresponding private key. All further certificates may not contain a private key.

Quote
I can export this from my browser as it is a standard root cert. Which format is best to use? DER, base64 or PKCS#7?

Well, it does not matter actually, so you can use either format. Just remember to use the corresponding method of TElX509Certificate object to load it (LoadFromStream/LoadFromStreamPEM/LoadFromStreamSPC).
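One way to feed a whole chain to OnCertificateNeededEx in the order described in this reply (end-entity first, then its issuer, then Nothing), as an added example that is not code from this thread or from EldoS: the end-entity certificate is loaded from a PFX, the CA certificate(s) from DER files, and each call of the event hands out the next certificate. The file paths and password are placeholders, and the PrivateKeyExists property and the trailing Count argument of the Load* methods are assumptions about the SBX509 API.

```vbnet
' Added example (not from the thread or EldoS): return a client certificate
' chain one certificate per OnCertificateNeededEx call. Assumed: PrivateKeyExists
' and the trailing Count argument of the Load* methods; paths/password are placeholders.
Imports System.Collections.Generic
Imports System.IO
Imports SBX509

Public Class ClientChain
    ' [0] end-entity (must carry the private key), [1] its issuer, ... up to a CA
    Private ReadOnly m_chain As New List(Of TElX509Certificate)
    Private m_nextIndex As Integer = 0
    Public Sub Load(pfxPath As String, pfxPassword As String, caPaths As IEnumerable(Of String))
        Dim leaf As New TElX509Certificate()
        Using fs As New FileStream(pfxPath, FileMode.Open, FileAccess.Read)
            ' 0 means the PFX loaded correctly (as noted earlier in the thread)
            If leaf.LoadFromStreamPFX(fs, pfxPassword, 0) <> 0 Then
                Throw New InvalidOperationException("Could not load " & pfxPath)
            End If
        End Using
        If Not leaf.PrivateKeyExists Then
            Throw New InvalidOperationException("End-entity certificate has no private key")
        End If
        m_chain.Add(leaf)
        For Each caPath In caPaths
            Dim ca As New TElX509Certificate()
            Using fs As New FileStream(caPath, FileMode.Open, FileAccess.Read)
                ca.LoadFromStream(fs, 0) ' DER; use LoadFromStreamPEM for base64 exports
            End Using
            m_chain.Add(ca)
        Next
    End Sub

    ' Call before every BeginConnect so a reconnect starts from the leaf again.
    Public Sub Reset()
        m_nextIndex = 0
    End Sub

    ' Handler for m_SSLClient.OnCertificateNeededEx: hand out the next certificate
    ' in the chain; Nothing tells the socket that the chain is complete.
    Public Sub OnCertificateNeededEx(ByVal Sender As Object, ByRef Certificate As TElX509Certificate)
        If m_nextIndex < m_chain.Count Then
            Certificate = m_chain(m_nextIndex)
            m_nextIndex += 1
        Else
            Certificate = Nothing
        End If
    End Sub
End Class
```

Wire it up with AddHandler m_SSLClient.OnCertificateNeededEx, AddressOf chain.OnCertificateNeededEx and call chain.Reset() before each BeginConnect, otherwise a second connect attempt would start by returning Nothing and send no certificate at all.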
#4887
Posted: 02/07/2008 08:30:49
by Andrew Milne (Standard support level)
Joined: 06/16/2006
Posts: 18

I have added in the CA now, and am passing it to the second firing of OnCertificateNeededEx. I'm no longer getting the OnError event firing.

However, after calling BeginConnect, I'm not getting any response... the connect callback never fires! Monitoring the connections with "netstat 1" shows that the connection is ESTABLISHED, but drops immediately...

Any ideas for finding out why?

Thanks