Socket with sslStream and Client certificate

Lionel_R · July 28, 2011, 8:20am

Hello,

Is there anybody experienced with the sslStream.AuthenticateAsClient() method using a client certificate ? I try to authenticate a client with this certificate.

In fact I can connect to the server (clientSocket.Connect(serverEndPoint)) but when I use wrong certificates (rootCA and/or client) I can too. Which I think is not a consistent behavior.

So does the method work or am I wrong ?

Thanks for your help
Lionel

Code sample :


using (Socket clientSocket = new Socket(AddressFamily.InterNetwork,
                                                            SocketType.Stream,
                                                            ProtocolType.Tcp))
            {
                // Addressing
                IPAddress ipAddress = IPAddress.Parse(dottedServerIPAddress);
                IPEndPoint serverEndPoint = new IPEndPoint(ipAddress, port);

                // Connecting
                Debug.Print("Connecting to server " + serverEndPoint);
                clientSocket.Connect(serverEndPoint);
                Debug.Print("Connected to server");

                using (SslStream sslStream = new SslStream(clientSocket))
                {
                    X509Certificate rootCA = new X509Certificate(
                    Encoding.UTF8.GetBytes(@ "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----"));

                    X509Certificate clientCert = new X509Certificate(
                   Encoding.UTF8.GetBytes(@ "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----"));

                    sslStream.AuthenticateAsClient(
                        "server.com",
                        clientCert ,
                        new X509Certificate[] { rootCA },
                        SslVerification.CertificateRequired,
                        SslProtocols.Default
                    ); 
                }
            }

Mike · July 28, 2011, 9:32am

From the release notes for the latest GHI SDK:

[quote◦SSL works correctly. However, certification verification can fail.
][/quote]

Could this be related to the problem?

User_5 · July 28, 2011, 10:02am

Yes, that’s correct.

Lionel_R · July 29, 2011, 3:10am

Hello, thanks for your help.

We finally changed the technology to use.

But I would be interested to be informed about the evolution of this issue. Is there a research done about the reason of the problem ?

Lionel

Gus_Issa · July 29, 2011, 9:19am

This should be fixed in new coming NETMF 4.2 in later this year

Lionel_R · July 29, 2011, 9:26am

Ok, thanks for your answer.

Lionel