Certificate validation on remote computer

Thomas Krieger (Analytic Pipe GmbH, Project: BISS)
Hello,

I have a problem regarding the certificate validation inside IceSSL. I created my own certificates with the examples inside the IceSSL documentation. If I now try to connect to a service (when client and server are on the same PC) it connects successfully. If I deploy the client on a remote PC and make the same steps I get a security exception:

The remote certificate is invalid according to the validation procedure.

I use Ice 3.1.1.
On the client side I set the params:

Ice.Plugin.IceSSL = icesslcs.dll:IceSSL.PluginFactory
Ice.ThreadPerConnection=1 (because of C# 2.0)
IceSSL.Password = password
IceSSL.CertAuthFile = cert_path
IceSSL.CertFile = ca_path

On the server side the conf looks like:

Ice.Plugin.IceSSL=icesslcs.dll:IceSSL.PluginFactory
IceSSL.DefaultDir=ca_root_path
IceSSL.CertFile=server_key.p12
IceSSL.Password=password
IceSSL.ImportCert.LocalMachine.AuthRoot=ca_cert.pem
Ice.ThreadPerConnection=1

Hope someone can give me a hint what's exactly wrong here!

Best Regards

Thomas Krieger

Comments

  • Matthew Newhook (ZeroC, Inc., NL, Canada)
    Who is rejecting the connection? The client is rejecting the server, or the server is booting the client? Did you install the correct certificates on the client host? I recommend enabling some of the SSL tracing to determine what is occurring during the connection process. You can see the Ice manual for details on exactly what tracing is available.
  • Thomas Krieger (Analytic Pipe GmbH, Project: BISS)
    The server rejects the connection when the client requests the proxy object.
    I switched the IceSSL.Trace.Security flag to value 1 and got the following info:

    [ iceboxnet.exe: Security: SSL connection summary
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1122
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]

    The connection info on local connections looks like this:

    [ iceboxnet.exe: Security: SSL connection summary
    local address = 127.0.0.1:11002
    remote address = 127.0.0.1:2079
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]
  • Thomas Krieger (Analytic Pipe GmbH, Project: BISS)
    Here is a little more connection log info:

    [ iceboxnet.exe: Network: attempting to bind to ssl socket 192.168.1.100:12345 ]

    [ iceboxnet.exe: Network: accepting ssl connections at 192.168.1.100:12345 ]
    [ iceboxnet.exe: Network: attempting to bind to ssl socket 127.0.0.1:12345 ]
    [ iceboxnet.exe: Network: accepting ssl connections at 127.0.0.1:12345 ]
    [ iceboxnet.exe: Network: attempting to bind to ssl socket 192.168.1.100:11002 ]

    [ iceboxnet.exe: Network: accepting ssl connections at 192.168.1.100:11002 ]
    [ iceboxnet.exe: Network: attempting to bind to ssl socket 127.0.0.1:11002 ]
    [ iceboxnet.exe: Network: accepting ssl connections at 127.0.0.1:11002 ]
    [ iceboxnet.exe: Network: trying to validate incoming ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Network: accepted ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Security: SSL connection summary
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]
    [ iceboxnet.exe: Network: trying to validate incoming ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
    [ iceboxnet.exe: Network: sent 14 of 14 bytes via ssl
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Network: shutting down ssl connection for reading and writing
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Network: closing ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Network: accepted ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
    [ iceboxnet.exe: Security: SSL connection summary
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]
    [ iceboxnet.exe: Network: sent 14 of 14 bytes via ssl
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
    [ iceboxnet.exe: Network: shutting down ssl connection for reading and writing
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
    [ iceboxnet.exe: Network: closing ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
  • Thomas Krieger (Analytic Pipe GmbH, Project: BISS)
    Sorry, I gave no info about which IP has which role.

    192.168.1.100: server
    192.168.1.195: client

    Here is some log of the client if I run it on "server":

    [ NodeCommunicator.exe: Network: trying to establish ssl connection to 127.0.0.1
    :11002 ]
    [ NodeCommunicator.exe: Network: ssl connection established
    local address = 127.0.0.1:2238
    remote address = 127.0.0.1:11002 ]
    [ NodeCommunicator.exe: Security: SSL connection summary
    local address = 127.0.0.1:2238
    remote address = 127.0.0.1:11002
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]

    And here is some log if I run the client on "client":

    [ NodeCommunicator.exe: Network: trying to establish ssl connection to 192.168.1
    .100:11002 ]
    [ NodeCommunicator.exe: Security: SSL certificate validation failed ]
    [ NodeCommunicator.exe: Network: trying to establish ssl connection to 192.168.1
    .100:11002 ]
    [ NodeCommunicator.exe: Security: SSL certificate validation failed ]

    I use the exact same certificates for both situations.
  • Mark Spruiell (ZeroC, Inc., California; ZeroC Staff)
    Hi Thomas,

    Does it work if you define the IceSSL.ImportCert property in your client's configuration?

    Take care,
    - Mark
  • Thomas Krieger (Analytic Pipe GmbH, Project: BISS)
    Hi,

    I made some changes before your post and at first it also threw errors. Here is my new client Ice configuration:

    Ice.Plugin.IceSSL=icesslcs.dll:IceSSL.PluginFactory
    Ice.ThreadPerConnection=1
    IceSSL.Password=password
    IceSSL.DefaultDir=.
    IceSSL.CertAuthFile=cakey
    IceSSL.CertFile=certpath

    The cakey and the cert file are in another directory (than the working directory) and the settings contain an absolute path.
    When I wanted to try your tip today I first made a try with this "old" configuration and it works. Don't know why; seems to be the restart.

    Thanks for your help, I will try the Import option too.

    Best Regards

    Thomas Krieger