Would you plan to implement IceSSL in C#?

zhangzq71 (ZhangZQ, WanYi):
I found there is a C# SSL library, would you plan to implement IceSSL for C#?


http://www.mentalis.org/soft/projects/ssocket/

Comments

  • marc (Marc Laukien, ZeroC, Inc., ZeroC Staff):
    At present, there is no demand from any of our commercial customers for IceSSL for C#. If you have a commercial need for IceSSL for C#, please contact us at [email protected].
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    .NET 2.0 has SslStream
    zhangzq71 wrote:
    I found there is a C# SSL library, would you plan to implement IceSSL for C#?


    http://www.mentalis.org/soft/projects/ssocket/

    I have done my own IceSSL implementation using .NET 2.0,
    which includes SSL functionality. It is the version that comes
    with Visual Studio 2005 Beta 2.

    Seems to work for me, but no serious testing done so far.

    If you like (and have VS 2005 Beta2), I can e-mail it to you.
    It also requires a few changes to Ice itself to compile under .NET 2.0
    and to fix a bug with plugin loading.

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    Karl,

    Do you mean .NET 2.0 comes with an SSL implementation?

    I have no VS.NET 2005, and I can't find the .NET 2.0 SDK download on the MS website; can I compile your code with the SDK only? If yes, please send me your code.

    Thank you very much!

    email: [email protected]


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    Karl,

    Do you mean .NET 2.0 comes with an SSL implementation?

    I have no VS.NET 2005, and I can't find the .NET 2.0 SDK download on the MS website; can I compile your code with the SDK only? If yes, please send me your code.

    Thank you very much!

    email: [email protected]


    Regards,
    ZhangZQ

    Yes, .NET 2.0 comes with an SslStream class. It only works with blocking
    sockets, but this did not seem to be a problem with the little testing I did.

    I am not sure if you can get the *Beta 2* version of .NET 2.0 SDK
    without VS 2005, but you can try. One should be able to compile
    with it. Give me a little time to prepare the fixes you need to do
    to Ice itself to compile under .NET 2.0 and to accept plugins.

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    Karl,

    I found the .net framework 2.0 SDK can be downloaded from MSDN. After your IceSSL C# is ok, please send me a copy, thank you very much!


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    Karl,

    I found the .net framework 2.0 SDK can be downloaded from MSDN. After your IceSSL C# is ok, please send me a copy, thank you very much!


    Regards,
    ZhangZQ

    I sent you a zip file. Please report back on how it works for you.

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    Karl,

    Thanks, but I didn't get your code? Is it very large?


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    Karl,

    Thanks, but I didn't get your code? Is it very large?


    Regards,
    ZhangZQ

    Well, yes, I pre-built everything for you, so the attachment
    is about 5MB. Is that too large for you?

    If yes, I can either ftp it if you like, or remove all binaries and
    re-send a smaller file, in which case you would have to configure
    everything for building, but that is not so bad, as with .NET 2.0
    one can use msbuild.exe to build VS project files without having
    VS installed.

    Just tell me what you prefer,

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    Karl,

    I got your IceCS for .NET 2.0. Thank you very much for your great effort!

    I tried the Hello program following your instructions in the IceSSL.txt file, but there is an error:

    E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine
    Succeeded

    E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr LocalMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-sy 12 -in "IAA" -is root -ir localMachine
    Error: There are more than one matching certificate in the issuer's root cert store
    Failed

    If I run the program ignoring the above errors, got
    server.exe
    Ice.PluginInitializationException: IceSSL: Plugin initialization failed.
    at Ice.PluginManagerI.loadPlugin(String name, String className, String[] args)
    at Ice.PluginManagerI.loadPlugins(String[]& cmdArgs)
    at IceInternal.Instance.finishSetup(String[]& args)
    at Ice.CommunicatorI.finishSetup(String[]& args)
    at Ice.Util.initializeWithProperties(String[]& args, Properties properties)
    at Server.Main(String[] args)

    so I have not successfully tested the SSL part of your Ice for CS.


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    Karl,

    I got your IceCS for .NET 2.0. Thank you very much for your great effort!

    I tried the Hello program following your instructions in the IceSSL.txt file, but there is an error:

    E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine
    Succeeded

    E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr LocalMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-sy 12 -in "IAA" -is root -ir localMachine
    Error: There are more than one matching certificate in the issuer's root cert store
    Failed

    It is hard to diagnose what is going on from here.
    You should run mmc.exe, install the Certificates snap-in and have a look at your certificate stores. Maybe you tried to install the same certificate multiple times?
    zhangzq71 wrote:
    If I run the program ignoring the above errors, got
    server.exe
    Ice.PluginInitializationException: IceSSL: Plugin initialization failed.
    at Ice.PluginManagerI.loadPlugin(String name, String className, String[] args)
    at Ice.PluginManagerI.loadPlugins(String[]& cmdArgs)
    at IceInternal.Instance.finishSetup(String[]& args)
    at Ice.CommunicatorI.finishSetup(String[]& args)
    at Ice.Util.initializeWithProperties(String[]& args, Properties properties)
    at Server.Main(String[] args)

    so I have not successfully tested the SSL part of your Ice for CS.

    If config.xml file specifies a certificate serial number then it must match an existing certificate. However, the existing serial number in the hello demo's config.xml file will not match anything you have installed, therefore the plugin initialization will fail.

    To make it easier for you, remove the server certificate serial number from config.xml. If there are no serial numbers or "subject names" specified, then the IceSSL plugin will select the first certificate it finds in the certificate store identified by the CertificateStoreLocation and CertificateStoreName elements.

    So, all you have to make sure of then is that there is at least one certificate in the client store and server store.

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    kwaclaw wrote:
    It is hard to diagnose what is going on from here.
    You should run mmc.exe, install the Certificates snap-in and have a look at your certificate stores. Maybe you tried to install the same certificate multiple times?

    I still can't fix the problem generating the CA; I don't know the detailed mechanism of MS's CA service.

    How about implementing IceSSLcs independently of the OS service?


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    I still can't fix the problem generating the CA; I don't know the detailed mechanism of MS's CA service.
    From what you said it appears that generating the CA was successful, but generating the server certificate reported multiple CAs with the same name. Maybe you installed the CA twice, which would give you two CAs with the same name.

    I suggest you use MMC (Microsoft Management Console) with the Certificate snap-in to delete the second CA certificate. This should be quite easy to do on Windows XP. Don't know about Windows 2000/NT.
    zhangzq71 wrote:
    How about implementing IceSSLcs independently of the OS service?

    It is already OS independent. It relies on the .NET API and not on any Windows specific features. It will be the same on Linux/Mono when their .NET 2.0 equivalent version comes out.

    However, I will think about how to add a feature to load a file-based certificate.


    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    kwaclaw wrote:
    I suggest you use MMC (Microsoft Management Console) with the Certificate snap-in to delete the second CA certificate. This should be quite easy to do on Windows XP. Don't know about Windows 2000/NT.
    I have to find the installation disk to install the CA snap-in because I can't find that snap-in in my control panel.

    kwaclaw wrote:
    It is already OS independent. It relies on the .NET API and not on any Windows specific features. It will be the same on Linux/Mono when their .NET 2.0 equivalent version comes out.

    However, I will think about how to add a feature to load a file-based certificate.
    I am glad to hear that; what I really want is to use Mono on Linux.


    Regarding your previous email, how do I generate the CertificateSerialNumber?



    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    I have to find the installation disk to install the CA snap-in because I can't find that snap-in in my control panel.

    It should be there. After opening MMC (type mmc.exe on command line),
    go to the File menu and select Add/Remove snap-in. Then when a dialog opens, click on the Add button.

    zhangzq71 wrote:
    I am glad to hear to, what I really want is to use MONO in Linux.

    For your previous email, How to generate the CertificateSerialNumber ?

    I think there is an option in makecert, but normally a GUID-like number is auto-generated.


    Btw, I remember I already implemented a way to delay configuration to later and load a certificate file.

    Here are the steps for the HelloS (server) project:

    1) Add the System.Security assembly to the project references.

    2) In file Server.cs, add these two lines to the top:
    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;
    
    then add code like in this example to the Main function:
    (the code between the // lines)
    try
    {
        Ice.Properties properties = Ice.Util.createProperties();
        properties.load("config");
        communicator = Ice.Util.initializeWithProperties(ref args, properties);
        //
        // Load the server certificate, together with its private key, from a
        // PKCS#12 (.pfx) file instead of from the Windows certificate store.
        string certFile = @"...\...\DemoSoft.pfx";
        X509Certificate2 cert = new X509Certificate2(certFile, "password");
        // Wrap it in a server-side SSL context and hand that to the IceSSL
        // plugin that the communicator has already loaded.
        Ice.Ssl.ServerContext srvContext = 
          new Ice.Ssl.ServerContext(SslProtocols.Tls, false, false, false, cert);
        Ice.Ssl.PluginI plugin =
          (Ice.Ssl.PluginI)communicator.getPluginManager().getPlugin("IceSslStream");
        plugin.ServerContext = srvContext;
        //
        status = run(args, communicator);
    }
    

    but currently this won't work because there seems to be a bug in the Communicator implementation: pluginManager returns null.
    You can fix this by replacing the code for getPluginManager() in the CommunicatorI.cs file in Ice like this:
    public PluginManager getPluginManager()
    {
        // Return the instance's plugin manager instead of null.
        return _instance.pluginManager();
    }
    

    with this fix it worked for me.

    Hope that helps,

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    Karl,

    I added the Certificates snap-in to mmc; after running makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine, I could see a new "IAA" item in the console window. But it still failed to create the server or client cert.

    E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr Lo
    calMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-
    sy 12 -in "IAA" -is root -ir localMachine
    Error: Can't create the key of the subject ('006d86f9-b2fa-4fe3-a7c5-691ff97244d3')
    Failed

    Is it possible to create Cert by openssl and then install them in Windows ?


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    Karl,

    I added the Certificates snap-in to mmc; after running makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine, I could see a new "IAA" item in the console window. But it still failed to create the server or client cert.

    E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr Lo
    calMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-
    sy 12 -in "IAA" -is root -ir localMachine
    Error: Can't create the key of the subject ('006d86f9-b2fa-4fe3-a7c5-691ff97244d3')
    Failed

    I just got the same error with your command line. But then I inserted a space in the command line just before '-sy 12', and it worked. Sorry if my instructions had a typo.
    zhangzq71 wrote:
    Is it possible to create Cert by openssl and then install them in Windows?

    It should be possible. Actually, it should be as easy as double-clicking on the .pfx file and following the steps. Or, when the mmc is open, just right click on one of the folders (Current User/Personal or Local Computer/Personal) and select All Tasks -> Import.

    Btw, the code to load the certificate from a file into the plugin works for me after fixing the getPluginManager() bug. However, there is one step I forgot:
    In order to prevent the exceptions caused by loading the config.xml file, remove the config.xml item from the Ice config file (it is the last item on the line for the IceSSL plugin).

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    Karl,

    Thank you for your new IceSSL CS.

    Finally, the IceSSL CS works well after I successfully created the certs, with both server and client running on Windows.

    Now I tried to check the connection between Win and Linux,
    1. I import the cacert.pem in $ICE_ROOT/certs to Win
    2. I import the s_rsa1024_pub.pem in $ICE_ROOT/cert to win
    3. I tried to import s_rsa1024_priv.pem, but failed.
    4. Modified the config.xml, replace the CertificateSerialNumber value
    5. run the server in Win
    6. run client in Linux

    got these message from server
    C:\Documents and Settings\johnz\Desktop\IceCS-2.1.2_.NET_2.0\demo\Ice\hello>server
    warning: connection exception:
    Ice.SyscallException: SyscallException ---> System.NotSupportedException: The server mode SSL must u
    se a certificate with the associated private key.
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
    tocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
    clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    --- End of inner exception stack trace ---
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
    192.168.0.199:10000
    warning: connection exception:
    Ice.SyscallException: SyscallException ---> System.NotSupportedException: The server mode SSL must u
    se a certificate with the associated private key.
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
    tocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
    clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    --- End of inner exception stack trace ---
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
    192.168.0.199:10000


    Actually, I don't understand SSL well; can you give me instructions to do this?


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    Karl,

    Thank you for your new IceSSL CS.

    Finally, the IceSSL CS works well after I successfully created the certs, with both server and client running on Windows.

    Now I tried to check the connection between Win and Linux,
    1. I import the cacert.pem in $ICE_ROOT/certs to Win
    2. I import the s_rsa1024_pub.pem in $ICE_ROOT/cert to win
    3. I tried to import s_rsa1024_priv.pem, but failed.
    4. Modified the config.xml, replace the CertificateSerialNumber value
    5. run the server in Win
    6. run client in Linux

    How did you import this? mmc on my system does not accept this file format.
    I think to import a certificate into the Windows store you need to convert it to the PKCS#12 format. I googled and found this use for OpenSSL:

    openssl pkcs12 -export -in s_rsa1024_pub.pem -inkey s_rsa1024_priv.pem -out s_rsa1024.p12

    I was able to import this certificate. However, I was not able to import the CA certificate (cacert.pem).
    zhangzq71 wrote:
    got these message from server
    C:\Documents and Settings\johnz\Desktop\IceCS-2.1.2_.NET_2.0\demo\Ice\hello>server
    warning: connection exception:
    Ice.SyscallException: SyscallException ---> System.NotSupportedException: The server mode SSL must u
    se a certificate with the associated private key.
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
    tocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
    clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    --- End of inner exception stack trace ---
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
    192.168.0.199:10000
    warning: connection exception:
    Ice.SyscallException: SyscallException ---> System.NotSupportedException: The server mode SSL must u
    se a certificate with the associated private key.
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
    tocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
    clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    --- End of inner exception stack trace ---
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
    192.168.0.199:10000


    Actually, I don't understand SSL well; can you give me instructions to do this?


    Regards,
    ZhangZQ


    I think the server certificate must contain the private key if it is used for signing, proving identity. Only for distribution you would not include the private key. So, you get the error because your private key could not be imported.

    Karl
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    kwaclaw wrote:
    How did you import this? mmc on my system does not accept this file format.
    I think to import a certificate into the Windows store you need to convert it to the PKCS#12 format. I googled and found this use for OpenSSL:

    openssl pkcs12 -export -in s_rsa1024_pub.pem -inkey s_rsa1024_priv.pem -out s_rsa1024.p12

    I was able to import this certificate. However, I was not able to import the CA certificate (cacert.pem).

    Actually, I was able to after some more attempts (reading the makecerts script in the Ice for Java distribution helped). You need to do this:

    openssl x509 -in cacert.pem -outform DER -out cacert.der

    And then import the cacert.der file. mmc will not show it as a supported file type, but it will work anyway.

    Karl
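The two openssl conversions above (PEM certificate plus key into PKCS#12, PEM certificate into DER), done with the .NET X509 API as an added example. This is not code from the thread, from Karl's plugin or from Ice; it assumes .NET 5 or later (for CreateFromPemFile), the Ice 2.1.2 demo file names used in this thread, an export password of "password", and that s_rsa1024_priv.pem is not password protected (an encrypted key would need CreateFromEncryptedPemFile instead).

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the thread and not Ice code: the openssl conversions
// quoted above, done with the .NET X509 API. Assumes .NET 5+ and an unencrypted
// private key file; file names are the Ice demo certificates named in the thread.
static class PemConversion
{
    // openssl pkcs12 -export -in s_rsa1024_pub.pem -inkey s_rsa1024_priv.pem -out s_rsa1024.p12
    // A .p12 is what the Windows store import (and SslStream acting as a server)
    // needs, because it carries the private key together with the certificate.
    public static X509Certificate2 PemPairToPkcs12(string certPem, string keyPem,
                                                   string p12Path, string exportPassword)
    {
        using (X509Certificate2 withKey = X509Certificate2.CreateFromPemFile(certPem, keyPem))
        {
            byte[] p12 = withKey.Export(X509ContentType.Pkcs12, exportPassword);
            File.WriteAllBytes(p12Path, p12);
            // Reload from the bytes we wrote, so HasPrivateKey reflects the file on disk.
            return new X509Certificate2(p12, exportPassword, X509KeyStorageFlags.Exportable);
        }
    }

    // openssl x509 -in cacert.pem -outform DER -out cacert.der
    // The CA certificate carries no private key, so a bare DER certificate is enough.
    public static X509Certificate2 PemCertToDer(string certPem, string derPath)
    {
        using (X509Certificate2 ca = X509Certificate2.CreateFromPemFile(certPem))
        {
            byte[] der = ca.Export(X509ContentType.Cert);
            File.WriteAllBytes(derPath, der);
            return new X509Certificate2(der);
        }
    }

    static void Main()
    {
        // Export password "password" is an assumption, not something the thread states.
        X509Certificate2 server = PemPairToPkcs12("s_rsa1024_pub.pem", "s_rsa1024_priv.pem",
                                                  "s_rsa1024.p12", "password");
        X509Certificate2 ca = PemCertToDer("cacert.pem", "cacert.der");

        // HasPrivateKey is what SslStream.AuthenticateAsServer checks; a bundle that
        // prints false here reproduces the "must use a certificate with the associated
        // private key" error quoted in this thread.
        Console.WriteLine(server.Subject + "  HasPrivateKey=" + server.HasPrivateKey);
        Console.WriteLine(ca.Subject + "  serial=" + ca.SerialNumber + "  thumbprint=" + ca.Thumbprint);
        Console.WriteLine("server issuer matches CA subject: " + (server.Issuer == ca.Subject));
    }
}
```

Import s_rsa1024.p12 into the Personal folder of the store the server is configured to read (the import wizard asks for the export password) and cacert.der into the trusted root folder, using the snap-in steps Karl described above. The last line of Main is the quick check that the two files belong together before you touch the store at all.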
  • zhangzq71 (ZhangZQ, WanYi):
    Karl,

    I directly imported the .pem file into the Windows CA snap-in, and it was successful, since I could see the 2 new 'Ice Server' and 'Your Certificate Authority' items added to the snap-in.

    Now I removed those 2 certs and imported them following your instructions, and I can see the 2 new items; I tried to run the server with the CertificateSerialNumber set to "". Then I ran the client on Linux and got these messages from Linux:

    [[email protected] hello]$ ./client
    SslClientTransceiver.cpp:306: IceSSL::CertificateVerificationException:
    Unable to get issuer certificate locally.
    1 - Thread ID: 3086848672
    1 - Error: 336134278
    1 - Message: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    1 - Location: s3_clnt.c, 843


    and got these msg from Win

    C:\Documents and Settings\johnz\Desktop\IceCS-2.1.2_.NET_2.0\demo\Ice\hello>server
    warning: connection exception:
    Ice.ConnectionRefusedException: ConnectionRefusedException ---> System.Security.Authentication.Authe
    nticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exce
    ption: The certificate chain was issued by an authority that is not trusted
    --- End of inner exception stack trace ---
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
    tocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
    clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    --- End of inner exception stack trace ---
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
    192.168.0.199:10000
    warning: connection exception:
    Ice.ConnectionRefusedException: ConnectionRefusedException ---> System.Security.Authentication.Authe
    nticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exce
    ption: The certificate chain was issued by an authority that is not trusted
    --- End of inner exception stack trace ---
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
    tocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
    clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    --- End of inner exception stack trace ---
    at Ice.Ssl.Acceptor.accept(Int32 timeout)
    at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
    192.168.0.199:10000

    I could not understand what is the problem.

    Thank you very much for your help!



    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    Karl,

    I directly imported the .pem file into the Windows CA snap-in, and it was successful, since I could see the 2 new 'Ice Server' and 'Your Certificate Authority' items added to the snap-in.

    Now I removed those 2 certs and imported them following your instructions, and I can see the 2 new items; I tried to run the server with the CertificateSerialNumber set to "". Then I ran the client on Linux and got these messages from Linux:

    [[email protected] hello]$ ./client
    SslClientTransceiver.cpp:306: IceSSL::CertificateVerificationException:
    Unable to get issuer certificate locally.
    1 - Thread ID: 3086848672
    1 - Error: 336134278
    1 - Message: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    1 - Location: s3_clnt.c, 843

    This looks to me as if on the Linux side the CA certificate (the issuer for the server certificate) is not installed or made available to IceSSL. Or it is different from the one on the server.

    Both the client and server systems must have the CA certificates available so that they can check the certificates against them.

    Does it work between linux server and Linux client?

    Karl
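Both failures quoted above ("Unable to get issuer certificate locally" on Linux, "issued by an authority that is not trusted" on Windows) are the peer failing to chain the presented certificate to a CA it trusts. As an added example, not Karl's plugin and not Ice code, here is a plain SslStream client that trusts exactly one CA file instead of relying on whatever the OS root store happens to contain, so the same check gives the same answer on every platform. Assumptions: .NET Framework 4.6 or later (or .NET 6), cacert.der produced as in the earlier post, the Ice demo server subject "CN=Ice Server", the server address 192.168.0.1:10000 from the logs in this thread, and TLS 1.2 (a 2005-era peer would negotiate an older version).

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example, not Karl's plugin and not Ice code: accept the server certificate
// only if it chains to one explicitly supplied CA certificate. Assumes cacert.der
// from the thread, subject "CN=Ice Server" from the Ice demo, and .NET 4.6+/.NET 6.
static class PinnedCaClient
{
    // Build a chain for the presented certificate with our CA as an extra trust
    // anchor, then confirm the chain really ends at that CA (compared by thumbprint).
    public static bool ChainsToCa(X509Certificate2 presented, X509Chain presentedChain, X509Certificate2 ca)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;   // demo CA publishes no CRL
            // Our CA is not in the OS root store, so let the engine tolerate an unknown
            // root; every other status (expired, bad signature, wrong EKU) still fails.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.ChainPolicy.ExtraStore.Add(ca);
            if (presentedChain != null)
                foreach (X509ChainElement e in presentedChain.ChainElements)
                    chain.ChainPolicy.ExtraStore.Add(e.Certificate);   // intermediates sent by the peer

            if (!chain.Build(presented))
            {
                foreach (X509ChainStatus s in chain.ChainStatus)
                    if (s.Status != X509ChainStatusFlags.UntrustedRoot)
                        return false;
            }
            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, ca.Thumbprint, StringComparison.OrdinalIgnoreCase);
        }
    }

    // The callback SslStream consults instead of its default OS-store validation.
    public static RemoteCertificateValidationCallback Validator(X509Certificate2 ca, string expectedCn)
    {
        return delegate (object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
        {
            if (cert == null) return false;
            var presented = new X509Certificate2(cert);
            // targetHost will never match "Ice Server", so do the name check ourselves
            // against the subject CN rather than silently ignoring the mismatch.
            string cn = presented.GetNameInfo(X509NameType.SimpleName, false);
            if (cn != expectedCn) return false;
            return ChainsToCa(presented, chain, ca);
        };
    }

    public static SslStream Connect(string host, int port, X509Certificate2 ca, string expectedCn)
    {
        var tcp = new TcpClient(host, port);
        var ssl = new SslStream(tcp.GetStream(), false, Validator(ca, expectedCn));
        // No client certificate, TLS 1.2, no revocation check (see ChainsToCa).
        ssl.AuthenticateAsClient(host, new X509CertificateCollection(), SslProtocols.Tls12, false);
        return ssl;
    }

    static void Main()
    {
        var ca = new X509Certificate2("cacert.der");   // the file converted in the earlier post
        using (SslStream ssl = Connect("192.168.0.1", 10000, ca, "Ice Server"))
            Console.WriteLine("server certificate chains to " + ca.Subject + " over " + ssl.SslProtocol);
    }
}
```

The point of the thumbprint comparison at the end of ChainsToCa is that AllowUnknownCertificateAuthority on its own would also accept a self-signed server certificate or any other unknown root; the flag only relaxes the engine, the explicit root check is what does the trust decision.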
  • zhangzq71 (ZhangZQ, WanYi):
    kwaclaw wrote:
    This looks to me as if on the Linux side the CA certificate (the issuer for the server certificate) is not installed or made available to IceSSL. Or it is different from the one on the server.
    How do I make the server cert available to IceSSL? I've imported both cacert and s_rsa into the Windows CA service, and I can see them in the CA snap-in.

    kwaclaw wrote:
    Does it work between Linux server and Linux client?
    Yes, the Ice-2.1.2 hello demo program (not the C#, but the C++ version) works on Linux and Windows.


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    How do I make the server cert available to IceSSL? I've imported both cacert and s_rsa into the Windows CA service, and I can see them in the CA snap-in.
    My point was that it is not available on *Linux*. Or maybe the CA certificates on Windows and Linux are not the same?
    zhangzq71 wrote:
    Yes, the Ice-2.1.2 hello demo program(not the C#, but the C++ version) can work in Linux and Win.

    Does it work when the (C#) client is on Windows and the (C++) Server runs on Linux?

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    kwaclaw wrote:
    My point was that it is not available on *Linux*. Or maybe the CA certificates on Windows and Linux are not the same?
    I imported the cacert and s_rsa.pem from $ICE_ROOT/certs on the Linux PC, and ran the client from $ICE_ROOT/demo/Ice/hello, so I think they are the same, right?

    kwaclaw wrote:
    Does it work when the (C#) client is on Windows and the (C++) Server runs on Linux?
    Here is the result of this test; before the test I imported the client certs to Windows.
    1. C# client on Window
    C:\Documents and Settings\johnz\Desktop\IceCS-2.1.2_.NET_2.0\demo\Ice\hello>client
    Ice.ConnectionRefusedException: ConnectionRefusedException ---> System.Security.Authentication.Authe
    nticationException: The remote certificate is invalid according to the validation procedure.
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
    tocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollectio
    n clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
    at Ice.Ssl.Connector.connect(Int32 timeout)
    --- End of inner exception stack trace ---
    at IceInternal.ProxyFactory.checkRetryAfterException(LocalException ex, Reference ref, Int32 cnt)

    at Ice.ObjectPrxHelperBase.__handleException(LocalException ex, Int32 cnt)
    at Ice.ObjectPrxHelperBase.ice_isA(String __id, Context __context)
    at Ice.ObjectPrxHelperBase.ice_isA(String __id)
    at Demo.HelloPrxHelper.checkedCast(ObjectPrx b)
    at Client.run(String[] args, Communicator communicator)
    at Client.Main(String[] args)

    2. the Linux server
    [[email protected] hello]$ ./server
    warning: connection exception:
    SslTransceiver.cpp:269: Ice::ConnectionLostException:
    connection lost: Connection reset by peer
    local address = 192.168.0.1:10000
    remote address = 192.168.0.199:1508
    warning: connection exception:
    SslTransceiver.cpp:269: Ice::ConnectionLostException:
    connection lost: Connection reset by peer
    local address = 192.168.0.1:10000
    remote address = 192.168.0.199:1507


    BTW, can you tell me how to generate the cert in the s_rsa1024.pem format that contains the certificate details in the header? Thanks!


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    I imported the cacert and s_rsa.pem from $ICE_ROOT/certs on the Linux PC, and ran the client from $ICE_ROOT/demo/Ice/hello, so I think they are the same, right?

    So, you used the exact same .pem files for both Windows and Linux?
    And they work when client & server are both on the same OS,
    but not when they are on different platforms?
    zhangzq71 wrote:
    BTW, can you tell me how to generate the cert in the s_rsa1024.pem format that contains the certificate details in the header? Thanks!

    Actually, I have never created a .pem certificate.
    I am sure there is some OpenSSL documentation that explains it.

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    kwaclaw wrote:
    So, you used the exact same .pem files for both Windows and Linux?
    And they work when client & server are both on the same OS,
    but not when they are on different platforms?
    Here is my new test result:
    Your C# IceSSL client can successfully connect to the Linux server (Ice-2.1.2), but with your C# IceSSL as the server, both your C# IceSSL client and the Linux client fail.

    Please note that I've specified ServerName="Ice Server" in the config.xml in the current testing. I don't know how to specify which cert will be used for your C# IceSSL server, and I think that is the error.


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    Here is my new test result:
    Your C# IceSSL client can successfully connect to the Linux server (Ice-2.1.2), but with your C# IceSSL as the server, both your C# IceSSL client and the Linux client fail.

    Please note that I've specified ServerName="Ice Server" in the config.xml in the current testing. I don't know how to specify which cert will be used for your C# IceSSL server, and I think that is the error.


    Regards,
    ZhangZQ

    To specify the server certificate, you must indicate the certificate store and location (for example: "LocalMachine" and "My") as well as the serial number in the config.xml server settings.

    When you open up the MMC snap-in, LocalMachine corresponds to the "Local Computer" folder, and "My" corresponds to the "Personal" folder under it. That is where your server certificate should be. Then, open the certificate and get the serial number, and enter it into config.xml for the server settings.

    Make sure the server certificate includes the private key.

    Hope that helps,

    Karl
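The selection Karl describes (store location, store name, serial number) and the file-based fallback from his earlier post, done against plain System.Net.Security.SslStream, as an added example. This is not the IceSSL plugin's code and not Ice code; it shows the lookup the config.xml settings stand for and adds the private-key check up front, so the "server mode SSL must use a certificate with the associated private key" error from earlier in the thread surfaces at startup rather than on the first client connection. The serial "01", the file name DemoSoft.pfx, its password and port 10000 are assumptions taken from this thread; .NET Framework 4.5 or later is assumed for SslProtocols.Tls12.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example, not the IceSSL plugin's code: pick the server certificate the way
// the config.xml settings describe, fall back to a .pfx file, and refuse to start
// without a private key. Serial "01", DemoSoft.pfx, "password" and port 10000 are
// assumptions from this thread.
static class ServerCertSelection
{
    // CertificateStoreLocation / CertificateStoreName / CertificateSerialNumber.
    public static X509Certificate2 FromStore(StoreLocation location, StoreName name, string serialHex)
    {
        using (var store = new X509Store(name, location))
        {
            store.Open(OpenFlags.ReadOnly);
            // Serial numbers are matched as the hex string the snap-in displays;
            // validOnly=false so a cert issued by a CA the OS does not trust is still found.
            X509Certificate2Collection hits =
                store.Certificates.Find(X509FindType.FindBySerialNumber, serialHex, false);
            if (hits.Count != 1)
                throw new FileNotFoundException(hits.Count + " certificates with serial " + serialHex +
                                                " in " + location + "/" + name + " (expected exactly 1)");
            return hits[0];
        }
    }

    // Karl's file-based alternative: a PKCS#12 bundle carrying cert and private key.
    public static X509Certificate2 FromPfx(string path, string password)
    {
        return new X509Certificate2(path, password);
    }

    // SslStream only reports a missing private key when the first client connects;
    // checking here turns that into a startup failure with a usable message.
    public static void RequirePrivateKey(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("certificate " + cert.Subject + " (serial " +
                cert.SerialNumber + ") has no private key; import a .pfx/.p12, not a bare .pem/.cer");
    }

    // Accept one TCP connection and complete the TLS handshake as the server.
    public static void ServeOnce(X509Certificate2 cert, int port)
    {
        RequirePrivateKey(cert);
        var listener = new TcpListener(IPAddress.Any, port);
        listener.Start();
        try
        {
            using (TcpClient client = listener.AcceptTcpClient())
            using (var ssl = new SslStream(client.GetStream(), false))
            {
                // clientCertificateRequired=false, TLS 1.2, checkCertificateRevocation=false
                ssl.AuthenticateAsServer(cert, false, SslProtocols.Tls12, false);
                Console.WriteLine("handshake ok: " + ssl.SslProtocol + " " + ssl.CipherAlgorithm +
                                  " with " + cert.Subject);
            }
        }
        finally
        {
            listener.Stop();
        }
    }

    static void Main()
    {
        X509Certificate2 cert;
        try
        {
            // CurrentUser/My/"01" is what finally worked in this thread; LocalMachine is
            // a different store and will not find a certificate imported for the user.
            cert = FromStore(StoreLocation.CurrentUser, StoreName.My, "01");
        }
        catch (FileNotFoundException e)
        {
            Console.Error.WriteLine(e.Message + "; falling back to DemoSoft.pfx");
            cert = FromPfx("DemoSoft.pfx", "password");
        }
        ServeOnce(cert, 10000);
    }
}
```

Demanding exactly one match in FromStore is deliberate: two certificates with the same serial in one store is the same ambiguity makecert complained about earlier in this thread ("more than one matching certificate"), and picking the first silently is how a stale certificate ends up serving traffic.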
  • zhangzq71 (ZhangZQ, WanYi):
    Karl,

    Thank you very much! Finally your C# IceSSL works correctly.

    The server cert is specified by
    1. CertificateStoreLocation="CurrentUser"
    2. CertificateStoreName="My"
    3. CertificateSerialNumber="01"

    The CertificateStoreLocation="CurrentUser" was set to "LocalMachine" before.

    If you have more improvements please let me know, thank you!


    Regards,
    ZhangZQ
  • kwaclaw (Karl Waclawek, Oshawa, Canada):
    zhangzq71 wrote:
    Karl,

    Thank you very much! Finally your C# IceSSL works correctly.

    The server cert is specified by
    1. CertificateStoreLocation="CurrentUser"
    2. CertificateStoreName="My"
    3. CertificateSerialNumber="01"

    The CertificateStoreLocation="CurrentUser" was set to "LocalMachine" before.

    I see - you installed it in a different certificate store.
    Yes, the details sometimes get you. :-)
    zhangzq71 wrote:
    If you have more improvements please let me know, thank you!

    I made a minor modification like this:
    The plugin will not throw an exception anymore if it cannot find any certificates specified in config.xml, but it will log that as an error using the Ice.Logger facility.

    So, the plugin will load anyway, and you can use the code I posted to see if the certificates were loaded, and if not, load a certificate from a file.

    If you want I can send you the modified package.

    Karl
  • zhangzq71 (ZhangZQ, WanYi):
    Karl,

    Yes, I want your new package.

    Do you mean the new package can load the cert from both Windows Cert Store and Cert File?


    Regards,
    ZhangZQ