Would you plan to implement IceSSL in C#?
I found there is a C# SSL library, would you plan to implement IceSSL for C#?
http://www.mentalis.org/soft/projects/ssocket/
-
At present, there is no demand from any of our commercial customers for IceSSL for C#. If you have a commercial need for IceSSL for C#, please contact us at info@zeroc.com.
-
.NET 2.0 has SslStream
zhangzq71 wrote:
I found there is a C# SSL library, would you plan to implement IceSSL for C#?
http://www.mentalis.org/soft/projects/ssocket/
I have done my own IceSSL implementation using .NET 2.0,
which includes SSL functionality. It is the version that comes
with Visual Studio 2005 Beta 2.
Seems to work for me, but no serious testing done so far.
If you like (and have VS 2005 Beta2), I can e-mail it to you.
It also requires a few changes to Ice itself to compile under .NET 2.0
and to fix a bug with plugin loading.
Karl
-
Karl,
Do you mean .net 2.0 comes with an SSL implementation?
I have no VS.net 2005, but I can't find there is the .net 2.0 SDK download from MS website, can I compile your code by SDK only, if yes, please send me your code.
Thank you very much!
email: zhangzq71@hotmail.com
Regards,
ZhangZQ
-
zhangzq71 wrote:
Karl,
Do you mean .net 2.0 comes with an SSL implementation?
I have no VS.net 2005, but I can't find there is the .net 2.0 SDK download from MS website, can I compile your code by SDK only, if yes, please send me your code.
Thank you very much!
email: zhangzq71@hotmail.com
Regards,
ZhangZQ
Yes, .NET 2.0 comes with an SslStream class. It only works with blocking
sockets, but this did not seem to be a problem with the little testing I did.
I am not sure if you can get the *Beta 2* version of .NET 2.0 SDK
without VS 2005, but you can try. One should be able to compile
with it. Give me a little time to prepare the fixes you need to do
to Ice itself to compile under .NET 2.0 and to accept plugins.
Karl
-
Karl,
I found the .net framework 2.0 SDK can be downloaded from MSDN. After your IceSSL C# is ok, please send me a copy, thank you very much!
Regards,
ZhangZQ
-
Karl,
Thanks, but I didn't get your code? Is it very large?
Regards,
ZhangZQ
-
zhangzq71 wrote:
Karl,
Thanks, but I didn't get your code? Is it very large?
Regards,
ZhangZQ
Well, yes, I pre-built everything for you, so the attachment
is about 5MB. Is that too large for you?
If yes, I can either ftp it if you like, or remove all binaries and
re-send a smaller file, in which case you would have to configure
everything for building, but that is not so bad, as with .NET 2.0
one can use msbuild.exe to build VS project files without having
VS installed.
Just tell me what you prefer,
Karl
-
Karl,
I got your IceCS for .net 2.0. Thank you very much for your great effort!
I tried the Hello program following your instructions in the IceSSL.txt file, but there was an error:
E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine
Succeeded
E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr LocalMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-sy 12 -in "IAA" -is root -ir localMachine
Error: There are more than one matching certificate in the issuer's root cert store
Failed
If I run the program ignoring the above errors, got
server.exe
Ice.PluginInitializationException: IceSSL: Plugin initialization failed.
at Ice.PluginManagerI.loadPlugin(String name, String className, String[] args)
at Ice.PluginManagerI.loadPlugins(String[]& cmdArgs)
at IceInternal.Instance.finishSetup(String[]& args)
at Ice.CommunicatorI.finishSetup(String[]& args)
at Ice.Util.initializeWithProperties(String[]& args, Properties properties)
at Server.Main(String[] args)
so I have not successfully tested the SSL part of your Ice for CS.
Regards,
ZhangZQ
-
zhangzq71 wrote:
Karl,
I got your IceCS for .net 2.0. Thank you very much for your great effort!
I tried the Hello program following your instructions in the IceSSL.txt file, but there was an error:
E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine
Succeeded
E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr LocalMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-sy 12 -in "IAA" -is root -ir localMachine
Error: There are more than one matching certificate in the issuer's root cert store
Failed
It is hard to diagnose what is going on from here.
You should run mmc.exe, install the Certificates snap-in and have a look at your certificate stores. Maybe you tried to install the same certificate multiple times?
zhangzq71 wrote:
If I run the program ignoring the above errors, got
server.exe
Ice.PluginInitializationException: IceSSL: Plugin initialization failed.
at Ice.PluginManagerI.loadPlugin(String name, String className, String[] args)
at Ice.PluginManagerI.loadPlugins(String[]& cmdArgs)
at IceInternal.Instance.finishSetup(String[]& args)
at Ice.CommunicatorI.finishSetup(String[]& args)
at Ice.Util.initializeWithProperties(String[]& args, Properties properties)
at Server.Main(String[] args)
so I have not successfully tested the SSL part of your Ice for CS.
If the config.xml file specifies a certificate serial number then it must match an existing certificate. However, the existing serial number in the hello demo's config.xml file will not match anything you have installed, therefore the plugin initialization will fail.
To make it easier for you, remove the server certificate serial number from config.xml. If there are no serial numbers or "subject names" specified, then the IceSSL plugin will select the first certificate it finds in the certificate store identified by the CertificateStoreLocation and CertificateStoreName elements.
So, all you have to make sure of then is that there is at least one certificate in the client store and server store.
Karl
-
kwaclaw wrote:
It is hard to diagnose what is going on from here.
You should run mmc.exe, install the Certificates snap-in and have a look at your certificate stores. Maybe you tried to install the same certificate multiple times?
I still can't fix the problem in generating the CA; I don't know the detailed mechanism of MS's CA service.
How about implementing the IceSSLcs independent of the OS service?
Regards,
ZhangZQ
-
zhangzq71 wrote:
I still can't fix the problem in generating the CA; I don't know the detailed mechanism of MS's CA service.
I suggest you use MMC (Microsoft Management Console) with the Certificate snap-in to delete the second CA certificate. This should be quite easy to do on Windows XP. Don't know about Windows 2000/NT.
zhangzq71 wrote:
How about implementing the IceSSLcs independent of the OS service?
It is already OS independent. It relies on the .NET API and not on any Windows specific features. It will be the same on Linux/Mono when their .NET 2.0 equivalent version comes out.
However, I will think about how to add a feature to load a file-based certificate.
Karl
-
kwaclaw wrote:
I suggest you use MMC (Microsoft Management Console) with the Certificate snap-in to delete the second CA certificate. This should be quite easy to do on Windows XP. Don't know about Windows 2000/NT.
kwaclaw wrote:
It is already OS independent. It relies on the .NET API and not on any Windows specific features. It will be the same on Linux/Mono when their .NET 2.0 equivalent version comes out.
However, I will think about how to add a feature to load a file-based certificate.
For your previous email, how do I generate the CertificateSerialNumber?
Regards,
ZhangZQ
-
zhangzq71 wrote:
I have to find the installation disk to install the CA snap-in because I can't find that snap-in in my control panel.
It should be there. After opening MMC (type mmc.exe on command line),
go to the File menu and select Add/Remove snap-in. Then when a dialog opens, click on the Add button.
zhangzq71 wrote:
I am glad to hear to, what I really want is to use MONO in Linux.
For your previous email, how do I generate the CertificateSerialNumber?
I think there is an option in makecert, but normally a GUID-like number is auto-generated.
Btw, I remember I already implemented a way to delay configuration to later and load a certificate file.
Here are the steps for the HelloS (server) project:
1) Add the System.Security assembly to the project references.
2) In file Server.cs, add these two lines to the top:

    using System.Security.Authentication;
    using System.Security.Cryptography.X509Certificates;

then add code like in this example to the Main function:
(the code between the // lines)

    try
    {
        Ice.Properties properties = Ice.Util.createProperties();
        properties.load("config");
        communicator = Ice.Util.initializeWithProperties(ref args, properties);
        //
        // Load the certificate (with its private key) from the .pfx file.
        string certFile = @"...\...\DemoSoft.pfx";
        X509Certificate2 cert = new X509Certificate2(certFile, "password");
        Ice.Ssl.ServerContext srvContext = new Ice.Ssl.ServerContext(SslProtocols.Tls, false, false, false, cert);
        // Hand the server context to the already loaded plugin.
        Ice.Ssl.PluginI plugin = (Ice.Ssl.PluginI)communicator.getPluginManager().getPlugin("IceSslStream");
        plugin.ServerContext = srvContext;
        //
        status = run(args, communicator);
    }

but currently this won't work because there seems to be a bug in the Communicator implementation: pluginManager returns null.
You can fix this by replacing the code for getPluginManager() in the CommunicatorI.cs file in Ice like this:

    public PluginManager getPluginManager()
    {
        return _instance.pluginManager();
    }

with this fix it worked for me.
Hope that helps,
Karl
-
Karl,
I added the Cert snap-addin to mmc, after running makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine, I could see there is a new "IAA" item in the console window. But still failed to create the Server or Client Cert.
E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr Lo
calMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-
sy 12 -in "IAA" -is root -ir localMachine
Error: Can't create the key of the subject ('006d86f9-b2fa-4fe3-a7c5-691ff97244d3')
Failed
Is it possible to create Cert by openssl and then install them in Windows ?
Regards,
ZhangZQ
-
zhangzq71 wrote:
Karl,
I added the Cert snap-addin to mmc, after running makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine, I could see there is a new "IAA" item in the console window. But still failed to create the Server or Client Cert.
E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr Lo
calMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-
sy 12 -in "IAA" -is root -ir localMachine
Error: Can't create the key of the subject ('006d86f9-b2fa-4fe3-a7c5-691ff97244d3')
Failed
I just got the same error with your command line. But then I inserted a space in the command line just before '-sy 12', and it worked. Sorry if my instructions had a typo.
zhangzq71 wrote:
Is it possible to create Cert by openssl and then install them in Windows
It should be possible. Actually, it should be as easy as double-clicking on the .pfx file and following the steps. Or, when the mmc is open, just right click on one of the folders (Current User/Personal or Local Computer/Personal) and select All Tasks -> Import.
Btw, the code to load the certificate from a file into the plugin works for me after fixing the getPluginManager() bug. However, there is one step I forgot:
In order to prevent the exceptions caused by loading the config.xml file, remove the config.xml item from the Ice config file (it is the last item on the line for the IceSSL plugin).
Karl
-
Karl,
Thank you for your new IceSSL CS.
Finally, the IceSSL CS works well after successfully creating the certs, when both server and client are running on Windows.
Now I tried to check the connection between Win and Linux,
1. I import the cacert.pem in $ICE_ROOT/certs to Win
2. I import the s_rsa1024_pub.pem in $ICE_ROOT/cert to win
3. I tried to import s_rsa1024_priv.pem, but failed.
4. Modified the config.xml, replace the CertificateSerialNumber value
5. run the server in Win
6. run client in Linux
got these messages from server
C:\Documents and Settings\johnz\Desktop\IceCS-2.1.2_.NET_2.0\demo\Ice\hello>server
warning: connection exception:
Ice.SyscallException: SyscallException ---> System.NotSupportedException: The server mode SSL must u
se a certificate with the associated private key.
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
tocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Ice.Ssl.Acceptor.accept(Int32 timeout)
--- End of inner exception stack trace ---
at Ice.Ssl.Acceptor.accept(Int32 timeout)
at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
192.168.0.199:10000
warning: connection exception:
Ice.SyscallException: SyscallException ---> System.NotSupportedException: The server mode SSL must u
se a certificate with the associated private key.
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
tocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Ice.Ssl.Acceptor.accept(Int32 timeout)
--- End of inner exception stack trace ---
at Ice.Ssl.Acceptor.accept(Int32 timeout)
at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
192.168.0.199:10000
Actually I don't understand SSL well, can you give me the instruction to do this?
Regards,
ZhangZQ
-
zhangzq71 wrote:
Karl,
Thank you for your new IceSSL CS.
Finally, the IceSSL CS works well after successfully creating the certs, when both server and client are running on Windows.
Now I tried to check the connection between Win and Linux,
1. I import the cacert.pem in $ICE_ROOT/certs to Win
2. I import the s_rsa1024_pub.pem in $ICE_ROOT/cert to win
3. I tried to import s_rsa1024_priv.pem, but failed.
4. Modified the config.xml, replace the CertificateSerialNumber value
5. run the server in Win
6. run client in Linux
How did you import this? mmc on my system does not accept this file format.
I think to import a certificate into the Windows store you need to convert it to the PKCS#12 format. I googled and found this use for OpenSSL:
openssl pkcs12 -export -in s_rsa1024_pub.pem -inkey s_rsa1024_priv.pem -out s_rsa1024.p12
I was able to import this certificate. However, I was not able to import the CA certificate (cacert.pem).
zhangzq71 wrote:
got these messages from server
C:\Documents and Settings\johnz\Desktop\IceCS-2.1.2_.NET_2.0\demo\Ice\hello>server
warning: connection exception:
Ice.SyscallException: SyscallException ---> System.NotSupportedException: The server mode SSL must u
se a certificate with the associated private key.
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
tocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Ice.Ssl.Acceptor.accept(Int32 timeout)
--- End of inner exception stack trace ---
at Ice.Ssl.Acceptor.accept(Int32 timeout)
at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
192.168.0.199:10000
warning: connection exception:
Ice.SyscallException: SyscallException ---> System.NotSupportedException: The server mode SSL must u
se a certificate with the associated private key.
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
tocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Ice.Ssl.Acceptor.accept(Int32 timeout)
--- End of inner exception stack trace ---
at Ice.Ssl.Acceptor.accept(Int32 timeout)
at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
192.168.0.199:10000
Actually I don't understand SSL well, can you give me the instruction to do this?
Regards,
ZhangZQ
I think the server certificate must contain the private key if it is used for signing, proving identity. Only for distribution you would not include the private key. So, you get the error because your private key could not be imported.
Karl
-
kwaclaw wrote:
How did you import this? mmc on my system does not accept this file format.
I think to import a certificate into the Windows store you need to convert it to the PKCS#12 format. I googled and found this use for OpenSSL:
openssl pkcs12 -export -in s_rsa1024_pub.pem -inkey s_rsa1024_priv.pem -out s_rsa1024.p12
I was able to import this certificate. However, I was not able to import the CA certificate (cacert.pem).
Actually, I was after some more attempts (reading the makecerts script in the Ice for Java distribution helped). You need to do this:
openssl x509 -in cacert.pem -outform DER -out cacert.der
And then import the cacert.der file. mmc will not show it as a supported file type, but it will work anyway.
Karl
-
Karl,
I directly imported the .pem file to Windows CA snap-in, and it was successful, since I could see the 2 new 'Ice Server' and 'Your Certificate Authority' items were added to the snap-in.
Now I removed those 2 certs and imported them following your instructions, and I can see the 2 new items, and I tried to run the server with the CertificateSerialNumber set to "". Then I ran the client in Linux and got these messages from Linux:
[zzq01@localhost hello]$ ./client
SslClientTransceiver.cpp:306: IceSSL::CertificateVerificationException:
Unable to get issuer certificate locally.
1 - Thread ID: 3086848672
1 - Error: 336134278
1 - Message: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
1 - Location: s3_clnt.c, 843
and got these msg from Win
C:\Documents and Settings\johnz\Desktop\IceCS-2.1.2_.NET_2.0\demo\Ice\hello>server
warning: connection exception:
Ice.ConnectionRefusedException: ConnectionRefusedException ---> System.Security.Authentication.Authe
nticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exce
ption: The certificate chain was issued by an authority that is not trusted
--- End of inner exception stack trace ---
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
tocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Ice.Ssl.Acceptor.accept(Int32 timeout)
--- End of inner exception stack trace ---
at Ice.Ssl.Acceptor.accept(Int32 timeout)
at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
192.168.0.199:10000
warning: connection exception:
Ice.ConnectionRefusedException: ConnectionRefusedException ---> System.Security.Authentication.Authe
nticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exce
ption: The certificate chain was issued by an authority that is not trusted
--- End of inner exception stack trace ---
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
tocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean
clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Ice.Ssl.Acceptor.accept(Int32 timeout)
--- End of inner exception stack trace ---
at Ice.Ssl.Acceptor.accept(Int32 timeout)
at IceInternal.IncomingConnectionFactory.message(BasicStream unused, ThreadPool threadPool)
192.168.0.199:10000
I could not understand what is the problem.
Thank you very much for your help!
Regards,
ZhangZQ
-
zhangzq71 wrote:
Karl,
I directly imported the .pem file to Windows CA snap-in, and it was successful, since I could see the 2 new 'Ice Server' and 'Your Certificate Authority' items were added to the snap-in.
Now I removed those 2 certs and imported them following your instructions, and I can see the 2 new items, and I tried to run the server with the CertificateSerialNumber set to "". Then I ran the client in Linux and got these messages from Linux:
[zzq01@localhost hello]$ ./client
SslClientTransceiver.cpp:306: IceSSL::CertificateVerificationException:
Unable to get issuer certificate locally.
1 - Thread ID: 3086848672
1 - Error: 336134278
1 - Message: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
1 - Location: s3_clnt.c, 843
This looks to me as if on the Linux side the CA certificate (the issuer for the server certificate) is not installed or made available to IceSSL. Or it is different from the one on the server.
Both the client and server system must have the CA certificates available so that they can check the certificates against them.
Does it work between linux server and Linux client?
Karl
-
kwaclaw wrote:
This looks to me as if on the Linux side the CA certificate (the issuer for the server certificate) is not installed or made available to IceSSL. Or it is different from the one on the server.
kwaclaw wrote:
Does it work between linux server and Linux client?
Regards,
ZhangZQ
-
zhangzq71 wrote:
How to make the server cert available to IceSSL? I've imported both cacert and s_rsa to the Win CA service, and I can see them in the CA snap-in.
zhangzq71 wrote:
Yes, the Ice-2.1.2 hello demo program (not the C#, but the C++ version) can work in Linux and Win.
Does it work when the (C#) client is on Windows and the (C++) Server runs on Linux?
Karl
-
kwaclaw wrote:
My point was that it is not available on *Linux*. Or maybe the CA certificates on Windows and Linux are not the same?
kwaclaw wrote:
Does it work when the (C#) client is on Windows and the (C++) Server runs on Linux?
1. C# client on Windows
C:\Documents and Settings\johnz\Desktop\IceCS-2.1.2_.NET_2.0\demo\Ice\hello>client
Ice.ConnectionRefusedException: ConnectionRefusedException ---> System.Security.Authentication.Authe
nticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncPro
tocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollectio
n clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Ice.Ssl.Connector.connect(Int32 timeout)
--- End of inner exception stack trace ---
at IceInternal.ProxyFactory.checkRetryAfterException(LocalException ex, Reference ref, Int32 cnt)
at Ice.ObjectPrxHelperBase.__handleException(LocalException ex, Int32 cnt)
at Ice.ObjectPrxHelperBase.ice_isA(String __id, Context __context)
at Ice.ObjectPrxHelperBase.ice_isA(String __id)
at Demo.HelloPrxHelper.checkedCast(ObjectPrx b)
at Client.run(String[] args, Communicator communicator)
at Client.Main(String[] args)
2. the Linux server
[zzq01@localhost hello]$ ./server
warning: connection exception:
SslTransceiver.cpp:269: Ice::ConnectionLostException:
connection lost: Connection reset by peer
local address = 192.168.0.1:10000
remote address = 192.168.0.199:1508
warning: connection exception:
SslTransceiver.cpp:269: Ice::ConnectionLostException:
connection lost: Connection reset by peer
local address = 192.168.0.1:10000
remote address = 192.168.0.199:1507
BTW, can you tell me how to generate the cert in s_rsa1024.pem format that contains the cert detail information in header? Thanks!
Regards,
ZhangZQ
-
zhangzq71 wrote:
I imported the cacert and s_rsa.pem from the $ICE_ROOT/certs of the Linux pc, and run the client from $ICE_ROOT/demo/Ice/hello, so I think they are the same, right?
So, you used the exact same .pem files for both Windows and Linux?
And they work when client & server are both on the same OS,
but not when they are on different platforms?
zhangzq71 wrote:
BTW, can you tell me how to generate the cert in s_rsa1024.pem format that contains the cert detail information in header? Thanks!
Actually, I have never created a .pem certificate.
I am sure there is some OpenSSL documentation that explains it.
Karl
-
kwaclaw wrote:
So, you used the exact same .pem files for both Windows and Linux?
And they work when client & server are both on the same OS,
but not when they are on different platforms?
Your C# IceSSL client can successfully connect to the Linux server (Ice-2.1.2), but with your C# IceSSL as server, both your C# IceSSL client and the Linux client failed.
Please notice that I've specified the ServerName="Ice Server" in the config.xml in current testing. I don't know how to specify the cert that will be used for your C# IceSSL server, and I think that is the error.
Regards,
ZhangZQ
-
zhangzq71 wrote:
Here is my new test result:
Your C# IceSSL client can successfully connect to the Linux server (Ice-2.1.2), but with your C# IceSSL as server, both your C# IceSSL client and the Linux client failed.
Please notice that I've specified the ServerName="Ice Server" in the config.xml in current testing. I don't know how to specify the cert that will be used for your C# IceSSL server, and I think that is the error.
Regards,
ZhangZQ
To specify the server certificate, you must indicate the certificate store and location (for example: "LocalMachine" and "My") as well as the serial number in the config.xml server settings.
When you open up the MMC snap-in, LocalMachine corresponds to "Local Computer", and "My" corresponds to the "Personal" folder under it. That is where your server certificate should be. Then, open the certificate and get the serial number, and enter it into config.xml for the server settings.
Make sure the server certificate includes the private key.
Hope that helps,
Karl
-
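An added example, not part of the thread and not Karl's plugin code: a small C# console check for the two server-side failures discussed here, a certificate that sits in a different store location than config.xml names and a certificate imported without its private key. The class name ServerCertCheck is hypothetical; the "My" store, the serial "01" default and the server-authentication OID are values that appear in this thread.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; ServerCertCheck is a hypothetical name, not part of Ice or the plugin.
static class ServerCertCheck
{
    // Server-authentication EKU, the OID passed to makecert -eku in the thread.
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";

    static int Main(string[] args)
    {
        // Serial number as shown in the MMC certificate dialog, without spaces.
        string serial = args.Length > 0 ? args[0] : "01";
        bool usable = false;

        // Check both locations, since a certificate imported for the current
        // user is invisible to a lookup in the machine store and vice versa.
        StoreLocation[] locations = { StoreLocation.CurrentUser, StoreLocation.LocalMachine };
        foreach (StoreLocation location in locations)
        {
            X509Store store = new X509Store(StoreName.My, location);
            try
            {
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                // validOnly = false so an untrusted certificate is still reported.
                X509Certificate2Collection found = store.Certificates.Find(
                    X509FindType.FindBySerialNumber, serial, false);
                Console.WriteLine("{0}\\My: {1} match(es) for serial {2}",
                    location, found.Count, serial);
                foreach (X509Certificate2 cert in found)
                {
                    if (Report(cert)) usable = true;
                }
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine("{0}\\My: cannot open store: {1}", location, ex.Message);
            }
            finally
            {
                store.Close();
            }
        }
        return usable ? 0 : 1; // exit code 0 only if some match passed every check
    }

    static bool Report(X509Certificate2 cert)
    {
        Console.WriteLine("  Subject: {0}", cert.Subject);
        Console.WriteLine("  Issuer:  {0}", cert.Issuer);
        bool ok = true;

        // SslStream.AuthenticateAsServer needs the private key next to the certificate.
        if (!cert.HasPrivateKey)
        {
            Console.WriteLine("  FAIL: no private key is associated with this certificate");
            ok = false;
        }

        // An EKU extension, when present, must list server authentication.
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            bool serverAuth = false;
            foreach (Oid oid in eku.EnhancedKeyUsages)
            {
                if (oid.Value == ServerAuthOid) serverAuth = true;
            }
            if (!serverAuth)
            {
                Console.WriteLine("  FAIL: EKU does not include {0}", ServerAuthOid);
                ok = false;
            }
        }

        // Build the chain against this machine's trusted roots; a test CA has no CRL.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(cert))
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Console.WriteLine("  FAIL: chain: {0}: {1}", status.Status, status.StatusInformation);
            }
            ok = false;
        }
        return ok;
    }
}
```

The chain check only tells you whether this machine trusts the issuing CA; the peer on the other platform needs the same CA certificate in its own trust configuration.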
Karl,
Thank you very much! Finally your C# IceSSL works correctly.
The server cert is specified by
1. CertificateStoreLocation="CurrentUser"
2. CertificateStoreName="My"
3. CertificateSerialNumber="01"
The CertificateStoreLocation="CurrentUser" was set to "LocalMachine" before.
If you have more improvements please let me know, thank you!
Regards,
ZhangZQ
-
zhangzq71 wrote:
Karl,
Thank you very much! Finally your C# IceSSL works correctly.
The server cert is specified by
1. CertificateStoreLocation="CurrentUser"
2. CertificateStoreName="My"
3. CertificateSerialNumber="01"
The CertificateStoreLocation="CurrentUser" was set to "LocalMachine" before.
I see - you installed it in a different certificate store.
Yes, the details sometimes get you. :-)
zhangzq71 wrote:
If you have more improvements please let me know, thank you!
I made a minor modification like this:
The plugin will not throw an exception anymore if it cannot find any certificates specified in config.xml, but it will log that as an error using the Ice.Logger facility.
So, the plugin will load anyway, and you can use the code I posted to see if the certificates were loaded, and if not, load a certificate from a file.
If you want I can send you the modified package.
Karl
-
Karl,
Yes, I want your new package.
Do you mean the new package can load the cert from both Windows Cert Store and Cert File?
Regards,
ZhangZQ