
sslstream and certificates

Author
26 May 2005 2:23 PM
Jakob Nielsen
Using .NET 2.0

I am trying to create an SslStream from a regular NetworkStream as follows

Socket clientSocket = serverSocket.EndAccept(result);
clientSocket.Blocking = true;
Stream clientStream = new NetworkStream(clientSocket);
SslStream sslStream = new SslStream(clientStream);
X509Certificate cert =
X509Certificate.CreateFromCertFile(@"c:\mycertificate.crt");
sslStream.AuthenticateAsServer(cert);

The call to AuthenticateAsServer fails with "The server mode SSL must use a
certificate with the associated private key"

What exactly should I put into that message? Does it need another kind of
certificate with the private key embedded?
I do have a key file on the side with one of my certificates, but I cannot
specify it anywhere.
Another certificate I am testing with is from RapidSSL, a CA, so I assume
it should be "right".

Has someone else tried setting up an SslStream as a server?

Should I somehow put my private key into my certificate? I read somewhere
that you could concatenate the two files, but that didn't resolve the
problem.

Author
26 May 2005 2:46 PM
Joe Kaplan (MVP - ADSI)
You need to install the private key into the CAPI keystore.  If you have a
p12 or pfx file with the certificate and private key, you can use that to
import them into the key store.

Windows doesn't let you read private keys directly off the file system like
that.  It wants to use the CAPI store.  When you specify a certificate to
use, it simply uses that as a key to look up that certificate in the CAPI
store and find the associated private key.

HTH,

Joe K.

"Jakob Nielsen" <a@b.c> wrote in message
news:u%231x$5fYFHA.3032@TK2MSFTNGP10.phx.gbl...
> Using .NET 2.0
>
> I am trying to create an SslStream from a regular NetworkStream as follows
>
> Socket clientSocket = serverSocket.EndAccept(result);
> clientSocket.Blocking = true;
> Stream clientStream = new NetworkStream(clientSocket);
> SslStream sslStream = new SslStream(clientStream);
> X509Certificate cert =
> X509Certificate.CreateFromCertFile(@"c:\mycertificate.crt");
> sslStream.AuthenticateAsServer(cert);
>
> The call to AuthenticateAsServer fails with "The server mode SSL must use
> a
> certificate with the associated private key"
>
> What exactly should I put into that message? Does it need another kind of
> certificate with the private key embedded?
> I do have a key file on the side with one of my certificates, but I cannot
> specify it anywhere.
> Another certificate I am testing with is from RapidSSL, a CA, so I assume
> it should be "right".
>
> Has someone else tried setting up an SslStream as a server?
>
> Should I somehow put my private key into my certificate? I read somewhere
> that you could concatenate the two files, but that didn't resolve the
> problem.
>
>
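Joe's point, as an added example written for this page and not code from the thread: the server side rewritten the way the error message demands. The certificate is loaded from a PKCS#12 (.pfx/.p12) file that carries the private key, HasPrivateKey is checked before the handshake instead of letting AuthenticateAsServer discover the problem, and the handshake is given explicit protocol and revocation settings. It also reads the client's first request line, which is what a browser sends after the TLS negotiation. The file path, password and port are placeholders; the overloads used (SslProtocols.Tls12/Tls13, EphemeralKeySet) need a current .NET rather than the 2.0 of the thread.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not code from the thread). Server-side TLS with SslStream:
// the certificate comes from a PKCS#12 file that carries its private key,
// and that is verified before the handshake. Paths, password and port are
// placeholders.
static class TlsServerExample
{
    // Load certificate + key from a .pfx/.p12 and fail fast if the key is absent.
    public static X509Certificate2 LoadServerCertificate(string pfxPath, string password)
    {
        // EphemeralKeySet keeps the key in memory for this process only; drop the
        // flag (or use PersistKeySet) if the key should land in the CAPI/CNG store.
        var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.EphemeralKeySet);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "No private key: a .crt alone (public part only) cannot drive AuthenticateAsServer.");
        return cert;
    }

    // Accept one TLS connection at a time, read the client's request line and
    // answer with a tiny HTTP response. For a browser the first line is the
    // request line, e.g. "GET / HTTP/1.1".
    public static void Serve(X509Certificate2 cert, int port)
    {
        var listener = new TcpListener(IPAddress.Loopback, port);
        listener.Start();
        while (true)
        {
            using (TcpClient client = listener.AcceptTcpClient())
            using (var ssl = new SslStream(client.GetStream(), false))
            {
                try
                {
                    // No client certificate, TLS 1.2 or newer only, revocation checking on.
                    ssl.AuthenticateAsServer(cert, false,
                        SslProtocols.Tls12 | SslProtocols.Tls13, true);
                }
                catch (AuthenticationException ex)
                {
                    Console.Error.WriteLine("TLS handshake failed: " + ex.Message);
                    continue;
                }

                var reader = new StreamReader(ssl, Encoding.ASCII);
                string requestLine = reader.ReadLine() ?? string.Empty;
                // Consume the remaining request headers up to the blank line.
                while (!string.IsNullOrEmpty(reader.ReadLine())) { }

                string body = "Request line seen: " + requestLine + "\n";
                string response =
                    "HTTP/1.1 200 OK\r\n" +
                    "Content-Type: text/plain\r\n" +
                    "Content-Length: " + Encoding.ASCII.GetByteCount(body) + "\r\n" +
                    "Connection: close\r\n\r\n" + body;
                byte[] bytes = Encoding.ASCII.GetBytes(response);
                ssl.Write(bytes, 0, bytes.Length);
                ssl.Flush();
            }
        }
    }

    static void Main()
    {
        X509Certificate2 cert = LoadServerCertificate(@"c:\server.pfx", "PFX_PASSWORD_PLACEHOLDER");
        Serve(cert, 8443);
    }
}
```

The HasPrivateKey check is the one-line test for the situation in the thread: a certificate created from a .crt file always reports false there, whatever the CA that issued it.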
Author
26 May 2005 4:39 PM
Jakob Nielsen
> You need to install the private key into the CAPI keystore.  If you have a
> p12 or pfx file with the certificate and private key, you can use that to
> import them into the key store.

I have a *.crt file and one called *.key

The keyfile starts with
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,48DCE18A11B80350

and the crt starts with
-----BEGIN CERTIFICATE-----

Perhaps someone can tell me if those are usable and how to import them. I
can install the crt file, but I cannot specify the private key and it
doesn't seem to load it automatically simply because there is a key file at
the same location.

> Windows doesn't let you read private keys directly off the file system
> like that.  It wants to use the CAPI store.  When you specify a
> certificate to use, it simply uses that as a key to look up that
> certificate in the CAPI store and find the associated private key.

Ok, that was my first mistake. I thought that by giving a filename, the
certificate would be loaded from there.

If the certificates that I have are invalid for my purpose, then how can I
easily get a usable certificate?
Thanks for your response. I have been fighting with this for a while now :-/
Author
26 May 2005 5:30 PM
Joe Kaplan (MVP - ADSI)
I'm sure the certificates are valid.  We just need to get them in the right
format so you can get the private key installed.

What I would suggest is that you start another thread, possibly cross
posting to microsoft.public.security.crypto asking how to install a
certificate and private key given the key in a separate .key file.  There is
probably a utility to do this or merge the two files into a p12 that you can
easily import.  I just don't know.

Joe K.

"Jakob Nielsen" <a@b.c> wrote in message
news:uwnDOGhYFHA.4024@TK2MSFTNGP10.phx.gbl...
>> You need to install the private key into the CAPI keystore.  If you have
>> a p12 or pfx file with the certificate and private key, you can use that
>> to import them into the key store.
>
> I have a *.crt file and one called *.key
>
> The keyfile starts with
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,48DCE18A11B80350
>
> and the crt starts with
> -----BEGIN CERTIFICATE-----
>
> Perhaps someone can tell me if those are usable and how to import them. I
> can install the crt file, but I cannot specify the private key and it
> doesn't seem to load it automatically simply because there is a key file at
> the same location.
>
>> Windows doesn't let you read private keys directly off the file system
>> like that.  It wants to use the CAPI store.  When you specify a
>> certificate to use, it simply uses that as a key to look up that
>> certificate in the CAPI store and find the associated private key.
>
> Ok, that was my first mistake. I thought that by giving a filename, the
> certificate would be loaded from there..
>
> If the certificates that I have are invalid for my purpose, then how can
> I easily get a usable certificate?
> Thanks for your response. I have been fighting with this for a while now :-/
>
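Jakob's .crt plus encrypted .key pair, and Joe's suggestion of merging the two into a p12 for import, as an added example written for this page (not code from the thread or from the blog posts linked below). It pairs the PEM certificate with its password-protected PEM key, exports the result as PKCS#12, and installs that into the LocalMachine personal store, which is where SslStream resolves the private key. One caveat the thread's key header makes visible: .NET's PEM loader accepts only PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" blocks, not the traditional OpenSSL "BEGIN RSA PRIVATE KEY" with Proc-Type/DEK-Info headers shown above, so the code detects that form and says so. Paths and passwords are placeholders; the PEM APIs need .NET 5 or later.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example (not code from the thread). Pairs a PEM certificate (*.crt)
// with its password-protected PEM private key (*.key), writes a PKCS#12 file
// and installs it into the CAPI/CNG personal store, where SslStream looks the
// private key up. Paths and passwords are placeholders.
static class PemToPfx
{
    // The key in the thread uses the traditional OpenSSL encryption header
    // ("BEGIN RSA PRIVATE KEY" + "Proc-Type: 4,ENCRYPTED"). .NET's PEM loader
    // accepts only PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" blocks, so detect the
    // old form and report it instead of failing with an opaque exception.
    public static bool IsLegacyOpenSslEncryptedKey(string keyPem)
    {
        return keyPem.Contains("-----BEGIN RSA PRIVATE KEY-----")
            && keyPem.Contains("Proc-Type: 4,ENCRYPTED");
    }

    // Certificate from crtPath, encrypted private key from keyPath. The result
    // has HasPrivateKey == true but the key is ephemeral (in memory only).
    public static X509Certificate2 LoadPemPair(string crtPath, string keyPath, string keyPassword)
    {
        if (IsLegacyOpenSslEncryptedKey(File.ReadAllText(keyPath)))
            throw new InvalidOperationException(
                "Legacy OpenSSL-encrypted key; re-wrap it as PKCS#8 first " +
                "(e.g. `openssl pkcs8 -topk8 -in old.key -out new.key`).");

        return X509Certificate2.CreateFromEncryptedPemFile(crtPath, keyPassword, keyPath);
    }

    // PKCS#12 (.pfx/.p12) bytes containing certificate and private key.
    public static byte[] ToPfx(X509Certificate2 certWithKey, string pfxPassword)
    {
        return certWithKey.Export(X509ContentType.Pfx, pfxPassword);
    }

    // Import into LocalMachine\My with a persisted key. No Exportable flag, so
    // the key cannot be pulled back out of the store afterwards.
    public static X509Certificate2 InstallIntoStore(byte[] pfx, string pfxPassword)
    {
        var cert = new X509Certificate2(pfx, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
        }
        return cert;
    }

    static void Main()
    {
        X509Certificate2 pem = LoadPemPair(@"c:\mycertificate.crt", @"c:\mycertificate.key",
            "KEY_PASSPHRASE_PLACEHOLDER");
        byte[] pfx = ToPfx(pem, "PFX_PASSWORD_PLACEHOLDER");
        File.WriteAllBytes(@"c:\mycertificate.pfx", pfx);

        X509Certificate2 installed = InstallIntoStore(pfx, "PFX_PASSWORD_PLACEHOLDER");
        Console.WriteLine("Installed " + installed.Subject +
                          ", HasPrivateKey=" + installed.HasPrivateKey);
    }
}
```

Writing to LocalMachine\My requires administrative rights; a service account that only needs to use the key can afterwards be granted read access to that key alone rather than to the store as a whole.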
Author
26 May 2005 4:55 PM
Dominick Baier [DevelopMentor]
Hello Jakob,

I described the procedure

here: http://www.leastprivilege.com/PermaLink.aspx?guid=f34680fd-a58d-43a7-ba6d-2d813814ee73
and here: http://www.leastprivilege.com/PermaLink.aspx?guid=6b5d5471-0710-41d7-891b-308afa959a6e


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Using .NET 2.0
>
> I am trying to create an SslStream from a regular NetworkStream as follows
>
> Socket clientSocket = serverSocket.EndAccept(result);
> clientSocket.Blocking = true;
> Stream clientStream = new NetworkStream(clientSocket);
> SslStream sslStream = new SslStream(clientStream);
> X509Certificate cert =
> X509Certificate.CreateFromCertFile(@"c:\mycertificate.crt");
> sslStream.AuthenticateAsServer(cert);
> The call to AuthenticateAsServer fails with "The server mode SSL must
> use a certificate with the associated private key"
>
> What exactly should I put into that message? Does it need another kind of
> certificate with the private key embedded?
> I do have a key file on the side with one of my certificates, but I cannot
> specify it anywhere.
> Another certificate I am testing with is from RapidSSL, a CA, so I assume
> it should be "right".
> Has someone else tried setting up an SslStream as a server?
>
> Should I somehow put my private key into my certificate? I read
> somewhere that you could concatenate the two files, but that didn't
> resolve the problem.
>
Author
26 May 2005 5:55 PM
Jakob Nielsen
It looks like that is all I need. I will try it out first thing tomorrow
:-))

Thanks a lot to you and Joe Kaplan for your interest in the matter.
Author
27 May 2005 2:40 PM
Jakob Nielsen
> It looks like that is all I need. I will try it out first thing tomorrow

Ok, now I tried it, and it works. I can make a server and client and have
them talk encrypted.

I wanted ssl in order to let a web browser connect through https to my
application which acted as an http server.
Now a browser can connect, warn me about the encryption, display the
certificate and apparently negotiate ssl in place.
It seems that data sent from the browser to me is getting lost. The
sslstream's reader always shows an empty stream, though I would expect the
browser to send a GET command.

Since I can make a client and server pair which can communicate, the problem
seems to be related to the browser and .NET ssl. Perhaps there are some
incompatibilities related to that specific setup that I don't know about?
Author
27 May 2005 3:00 PM
Joe Kaplan (MVP - ADSI)
This is something I have no idea on.  Sorry.

It sounds like you are trying to implement your own web server.  Wouldn't it
be easier to implement this using ASP.NET instead (write a custom
IHttpHandler or something)?

Joe K.

"Jakob Nielsen" <a@b.c> wrote in message
news:O2Y9DosYFHA.3164@TK2MSFTNGP09.phx.gbl...
>> It looks like that is all I need. I will try it out first thing tomorrow
>
> Ok, now I tried it, and it works. I can make a server and client and have
> them talk encrypted.
>
> I wanted ssl in order to let a web browser connect through https to my
> application which acted as an http server.
> Now a browser can connect, warn me about the encryption, display the
> certificate and apparently negotiate ssl in place.
> It seems that data sent from the browser to me is getting lost. The
> sslstream's reader always shows an empty stream, though I would expect the
> browser to send a GET command.
>
> Since I can make a client and server pair which can communicate, the
> problem seems to be related to the browser and .NET ssl. Perhaps there are
> some incompatibilities related to that specific setup that I don't know
> about?
>
>
Author
27 May 2005 4:31 PM
Jakob Nielsen
> This is something I have no idea on.  Sorry.

No, I am sorry. It seems the problem was somewhere else. With a minimal
test, I could get data through. I will just have to debug a bit more.

> It sounds like you are trying to implement your own web server.  Wouldn't
> it be easier to implement this using ASP.NET instead (write a custom
> IHttpHandler or something)?

Perhaps it would. I am still fairly new to .NET, so there are a lot of
classes which I don't know about. It is not a webserver as such though. It is
a system which provides a web interface as well as one with winforms.

ASP is running from a webserver, is it not? Can I use bits and pieces of ASP
in a winforms application to create a basic http server?
Author
27 May 2005 5:06 PM
Joe Kaplan (MVP - ADSI)
I guess I'm just not sure of what exactly it is you are doing.  If your goal
is to have a WinForms app communicate with a web server programmatically,
.NET includes a System.Net.HttpWebRequest class that you can use for doing
programmatic HTTP protocol stuff, including SSL.

If your goal is to implement a custom HTTP Server, then it seems like it
would be easiest to use the built in model in ASP.NET and use its
extensibility mechanisms to implement your own HTTP handlers.

However, if you really want raw stream based data that is SSL encrypted,
then SslStream is probably the way to go.  It really depends on the problem
you are trying to solve and the level of abstraction you want.

Glad you are making progress anyway.

Joe K.

"Jakob Nielsen" <a@b.c> wrote in message
news:%23086amtYFHA.132@TK2MSFTNGP10.phx.gbl...
>> This is something I have no idea on.  Sorry.
>
> No, I am sorry. It seems the problem was somewhere else. With a minimal
> test, I could get data through. I will just have to debug a bit more.
>
>> It sounds like you are trying to implement your own web server.  Wouldn't
>> it be easier to implement this using ASP.NET instead (write a custom
>> IHttpHandler or something)?
>
> Perhaps it would. I am still fairly new to .NET, so there are a lot of
> classes which I don't know about. It is not a webserver as such though. It
> is a system which provides a web interface as well as one with winforms.
>
> ASP is running from a webserver, is it not? Can I use bits and pieces of
> ASP in a winforms application to create a basic http server?
>
Author
27 May 2005 6:03 PM
Jakob Nielsen
>I guess I'm just not sure of what exactly it is you are doing.  If your
>goal is to have a WinForms app communicate with a web server
>programmatically, .NET includes a System.Net.HttpWebRequest class that you
>can use for doing programmatic HTTP protocol stuff, including SSL.

> If your goal is to implement a custom HTTP Server, then it seems like it
> would be easiest to using the built in model in ASP.NET and use its
> extensibility mechanisms to implement your own HTTP handlers.
>
> However, if you really want raw stream based data that is SSL encrypted,
> then SslStream is probably the way to go.  It really depends on the
> problem you are trying to solve and the level of abstraction you want.

I have an application which is a normal winforms app. It acts as a
backup server and for that I want it to communicate with clients (that I also
create) in a secure way. Ssl seems fine. I also want that server app to
service users through a browser interface, so they can perform simple
maintenance and status checks from anywhere without the actual backup
client.
That is also communication which should be confidential, so https seems like
a good choice.

Currently I have a TcpListener accepting connections on port 80, parsing
http requests and sending back html formatted text and graphics. I do the
http and html myself.

Are you saying that I can grab a few classes from asp.net and use them here
without needing some webserver to run it all? I guess that makes sense. The
classes in asp.net which can read an http header and generate one should
work no matter where you run them.

> Glad you are making progress anyway.

Thanks. *singing* We all get byyyyy with a little help from our groups  :-)
Author
27 May 2005 6:19 PM
Joe Kaplan (MVP - ADSI)
Actually, I think for what you are doing, it probably makes sense.  You
would need to be using IIS to host ASP.NET which it doesn't sound like you
want to do.

I believe there is another model though that might be easier than using raw
TCP.  In .NET 2.0, I believe there is a new HttpListener class that
interfaces directly with HTTP.SYS.  This only works on Win2K3 and XP SP2 so
far (as they are the only ones with the required driver), but it might give
you a higher level of abstraction.

I'm way way out of my depth now, but I've heard others discussing this new
feature as a way to host your own web services and other HTTP services in
your own process without needing ASP.NET.

Might be something worth checking out...

Joe K.

"Jakob Nielsen" <a@b.c> wrote in message
news:%23oZPgZuYFHA.2508@TK2MSFTNGP15.phx.gbl...
> >I guess I'm just not sure of what exactly it is you are doing.  If your
> >goal is to have a WinForms app communicate with a web server
> >programmatically, .NET includes a System.Net.HttpWebRequest class that
> >you can use for doing programmatic HTTP protocol stuff, including SSL.
>
>> If your goal is to implement a custom HTTP Server, then it seems like it
>> would be easiest to using the built in model in ASP.NET and use its
>> extensibility mechanisms to implement your own HTTP handlers.
>>
>> However, if you really want raw stream based data that is SSL encrypted,
>> then SslStream is probably the way to go.  It really depends on the
>> problem you are trying to solve and the level of abstraction you want.
>
> I have an application which is a normal winforms app. It acts as a
> backup server and for that I want it to communicate with clients (that I
> also create) in a secure way. Ssl seems fine. I also want that server app
> to service users through a browser interface, so they can perform simple
> maintenance and status checks from anywhere without the actual backup
> client.
> That is also communication which should be confidential, so https seems
> like a good choice.
>
> Currently I have a TcpListener accepting connections on port 80, parsing
> http requests and sending back html formatted text and graphics. I do the
> http and html myself.
>
> Are you saying that I can grab a few classes from asp.net and use them
> here without needing some webserver to run it all? I guess that makes
> sense. The classes in asp.net which can read an http header and generate
> one should work no matter where you run them.
>
>> Glad you are making progress anyway.
>
> Thanks. *singing* We all get byyyyy with a little help from our groups
> :-)
>
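Joe's HttpListener suggestion, as an added example written for this page (not code from the thread): a status page served over HTTPS from inside a WinForms-style process. With HttpListener the TLS termination happens in HTTP.SYS, so the certificate is bound to the port by the administrator (netsh http add sslcert on Vista and later; httpcfg.exe on the XP SP2 / Windows 2003 systems the thread mentions) and the application code never handles the private key at all. The prefix and the status text are placeholders.

```csharp
using System;
using System.Net;
using System.Text;

// Added example (not code from the thread). In-process HTTPS with HttpListener:
// HTTP.SYS terminates TLS, so the certificate is bound to the port outside the
// program, e.g.
//   netsh http add sslcert ipport=0.0.0.0:8443 certhash=<thumbprint> appid={<guid>}
// and this code never touches the key. The prefix is a placeholder.
static class HttpsStatusListener
{
    // Render the status page; untrusted text is HTML-encoded before it goes out.
    public static string BuildStatusPage(string status)
    {
        return "<html><body><h1>Backup server</h1><p>Status: " +
               WebUtility.HtmlEncode(status) + "</p></body></html>";
    }

    public static void Run(string prefix)
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(prefix); // e.g. "https://+:8443/status/"
        listener.Start();
        try
        {
            while (true)
            {
                HttpListenerContext ctx = listener.GetContext();
                HttpListenerRequest req = ctx.Request;
                HttpListenerResponse resp = ctx.Response;

                // Refuse anything that did not arrive over TLS, so that a plain
                // http:// prefix added later cannot expose the same handler.
                if (!req.IsSecureConnection)
                {
                    resp.StatusCode = 403;
                    resp.Close();
                    continue;
                }

                byte[] body = Encoding.UTF8.GetBytes(BuildStatusPage("idle"));
                resp.ContentType = "text/html; charset=utf-8";
                resp.ContentLength64 = body.Length;
                resp.OutputStream.Write(body, 0, body.Length);
                resp.Close();
            }
        }
        finally
        {
            listener.Close();
        }
    }

    static void Main()
    {
        Run("https://+:8443/status/");
    }
}
```

Registering an https:// prefix also needs a URL ACL for the account the process runs under (netsh http add urlacl), which is the price of letting HTTP.SYS own the port instead of a raw TcpListener.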
Author
27 May 2005 8:17 PM
Jakob Nielsen
> Actually, I think for what you are doing, it probably makes sense.  You
> would need to be using IIS to host ASP.NET which it doesn't sound like you
> want to do.

Nah, that would not really be an option.

> I believe there is another model though that might be easier than using
> raw TCP.  In .NET 2.0, I believe there is a new HttpListener class that
> interfaces directly with HTTP.SYS.  This only works on Win2K3 and XP SP2
> so far (as they are the only ones with the required driver), but it might
> give you a higher level of abstraction.

That certainly sounds interesting. I enjoy reinventing the wheel as much as
the next guy, but for the final product it is nice to have less of your own
code to debug :-)
Thanks for the tip..... hm.. is a tip in English the money you pay at
restaurants and so on, or are they also pointers as in Danish? Hmm...oh
well.. thanks anyway :-)
Author
27 May 2005 8:23 PM
Joe Kaplan (MVP - ADSI)
Your English is very good.  It is both.  :)

Joe K.

"Jakob Nielsen" <a@b.c> wrote in message
news:%239dKTkvYFHA.3280@TK2MSFTNGP09.phx.gbl...
> Thanks for the tip..... hm.. is a tip in English the money you pay at
> restaurants and so on, or are they also pointers as in Danish? Hmm...oh
> well.. thanks anyway :-)
>
Author
27 May 2005 9:31 PM
Jakob Nielsen
> Your English is very good.  It is both.  :)

:-)