VS2005 - X509 key not loaded correctly for FTPS server authentication

"Lee Gillie" <Lee @ odp dot com> wrote in message news:%23nnWo1ApFHA.736@tk2msftngp13.phx.gbl...

I have written an FTP service in VB.NET. Am attempting to add SSL authentication. I believe it is either not doing the handshake correctly, or else it does not like the way I loaded the server certificate. Let me paraphrase the salient portions of code to show what I am doing, and the resulting exception:

    Public SSLCertificate As X509Certificate
    SSLCertificate = New X509Certificate("D:\TEMP\MyPrivateKey.pfx", "myprivatekeyspassword")

    Private mTCPClient As TcpClient
    ' (client connection has been negotiated in clear text at this point - I ensure
    '  the socket is clear of all available data prior to attempting to negotiate)

    Private mSSLStream As SslStream
    mSSLStream = New SslStream(mTCPClient.GetStream)
    mSSLStream.AuthenticateAsServer(Certificate, False, SslProtocols.Ssl2 Or SslProtocols.Ssl3 Or SslProtocols.Tls, False)

    System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
       at ODP.NMServe.TCPClientSSL.NegotiateSSLServer(X509Certificate Certificate) in D:\ODP\Core\NetMover.NET\NMServe\TCPClientSSL.vb:line 94

Thereafter the TCPClient is no longer able to work in clear text:

    CommandSessionThread: System.Net.Sockets.SocketException: A request to send or receive data was disallowed because the socket is not connected and (when sending on a datagram socket using a sendto call) no address was supplied
       at ODP.NMServe.CommandChannelSession.GetNextCommand(Int32 TimeoutMicroseconds) in D:\ODP\Core\NetMover.NET\NMServe\CommandChannelSession.vb:line 320
       at ODP.NMServe.CommandChannelSession.CommandSessionThread() in D:\ODP\Core\NetMover.NET\NMServe\CommandChannelSession.vb:line 269

I am not as concerned about the second exception for the moment.

I am using a freeware FTPS client called MOVEIT for the client side test. I don't know how well or completely it logs handshake negotiation failures, but the session with it looks like this:

    D:\TEMP>ftps -e:on dev1.mydomain.com
    220 DEV1 NMServ NetMover Server (Version 3.0.0.0).
    234 Security data exchange complete.
    > ftp: connect: Security handshake failed.
    Security handshake failed.
    ftp>

The protocol is that the server sends 234 in clear text, as a response to the AUTH command, and it is after the 234 response that the socket is transformed to SSL. I believe this is the correct way to do it. I almost had the same thing working with the Mentalis public source project under VS2003. But with Mentalis, it saw the PFX file as a certificate store, and I had to do a FindCertificateByUsage call specifying "1.3.6.1.5.5.7.3.1" as the search criteria to actually get the X509 certificate in the PFX file. I really don't have a clue what this criteria string is about, but it is how they did it in their samples, and it seemed to work for me.

I suspect my call:

    SSLCertificate = New X509Certificate("D:\TEMP\MyPrivateKey.pfx", "myprivatekeyspassword")

is not doing what I think it does. Perhaps I should be loading an X509Store from the PFX file? Yet I don't see a way to do this from the X509Store methods. It is just not clear to me what I need to do. With the beta, of course, there is little explanation, and there are of course ZERO examples at this point.

Thanks to anyone for insight on this.

- Lee

Joe Kaplan (MVP - ADSI) wrote:

Schannel debugging may help you discover more about what is actually going wrong: http://support.microsoft.com/?id=260729

Joe K.

Lee Gillie wrote:

Thanks Joe. I resolved this with help... I needed to use X509Certificate2 rather than X509Certificate. The one I had used is apparently the one for if you don't want it to work?! But I will keep the SChannel tip in mind for the future.

Best regards - Lee Gillie
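The resolution in the thread, carried through as an added example (this is not Lee's VB.NET service or any code from the thread; it is new C# written for this page and assumes a modern .NET runtime): load the PFX with X509Certificate2 so the private key survives, check HasPrivateKey before handing the certificate to SslStream, and perform the explicit FTPS upgrade in the order the thread describes (AUTH TLS in clear text, 234 in clear text, then the TLS handshake on the same socket). The OID "1.3.6.1.5.5.7.3.1" that the Mentalis sample searched for is the Server Authentication extended key usage (id-kp-serverAuth), so the loader also checks for it. The PFX path is the one from the thread; the password, port and reply banners are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example for this page, not code from the thread. Assumes modern .NET;
// the PFX password, port and banners are placeholders.
public static class FtpsServerTlsUpgrade
{
    // id-kp-serverAuth: the EKU OID the Mentalis sample searched for.
    public const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";

    // X509Certificate (the base class) does not expose the private key in the PFX;
    // X509Certificate2 does. Refuse to continue without it: SslStream server mode
    // cannot complete a handshake without the key.
    public static X509Certificate2 LoadServerCertificate(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "PFX did not yield a private key; server-side SslStream requires one.");
        if (!HasServerAuthEku(cert))
            throw new InvalidOperationException(
                "Certificate is not marked for Server Authentication (EKU " + ServerAuthOid + ").");
        return cert;
    }

    // True when the certificate carries the Server Authentication EKU, or has no EKU
    // extension at all (an absent EKU extension places no restriction on usage).
    public static bool HasServerAuthEku(X509Certificate2 cert)
    {
        bool sawEku = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            sawEku = true;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ServerAuthOid) return true;
        }
        return !sawEku;
    }

    // Read one CRLF-terminated line one byte at a time so nothing past the line is
    // consumed: a buffered reader could swallow the start of the TLS handshake.
    public static string ReadClearTextLine(NetworkStream raw)
    {
        var sb = new StringBuilder();
        int b;
        while ((b = raw.ReadByte()) != -1)
        {
            if (b == '\n') break;
            if (b != '\r') sb.Append((char)b);
        }
        return sb.ToString();
    }

    // Explicit FTPS: the client has just sent "AUTH TLS" on the control connection.
    // Answer 234 in clear text, then run the TLS handshake on the same socket.
    public static SslStream UpgradeToTls(TcpClient client, X509Certificate2 serverCert)
    {
        NetworkStream raw = client.GetStream();
        byte[] reply = Encoding.ASCII.GetBytes("234 Security data exchange complete.\r\n");
        raw.Write(reply, 0, reply.Length);
        raw.Flush();

        // From here on every byte on the socket is TLS; writing clear text to the
        // NetworkStream again would corrupt the session (the thread's second exception).
        var ssl = new SslStream(raw, leaveInnerStreamOpen: false);
        ssl.AuthenticateAsServer(serverCert,
            clientCertificateRequired: false,
            enabledSslProtocols: SslProtocols.Tls12,
            checkCertificateRevocation: false);
        return ssl;
    }

    // Minimal accept loop for a single control connection, for illustration.
    public static void Main()
    {
        X509Certificate2 cert = LoadServerCertificate(@"D:\TEMP\MyPrivateKey.pfx", "<pfx-password>");
        var listener = new TcpListener(IPAddress.Loopback, 2121);
        listener.Start();
        using (TcpClient client = listener.AcceptTcpClient())
        {
            NetworkStream raw = client.GetStream();
            byte[] greet = Encoding.ASCII.GetBytes("220 FTPS example ready.\r\n");
            raw.Write(greet, 0, greet.Length);

            string cmd = ReadClearTextLine(raw).Trim();
            if (!cmd.Equals("AUTH TLS", StringComparison.OrdinalIgnoreCase))
            {
                byte[] no = Encoding.ASCII.GetBytes("502 Only AUTH TLS is handled here.\r\n");
                raw.Write(no, 0, no.Length);
                return;
            }
            using (SslStream ssl = UpgradeToTls(client, cert))
            {
                byte[] hello = Encoding.ASCII.GetBytes("200 TLS established.\r\n");
                ssl.Write(hello, 0, hello.Length);
            }
        }
        listener.Stop();
    }
}
```

The HasPrivateKey check is the one worth keeping in production code: it turns the NotSupportedException thrown deep inside the handshake into a clear failure at certificate-load time, before any client has connected.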