Certificate validation on remote computer
Hello,
I have a problem regarding the certificate validation inside IceSSL. I created my own certificates with the examples inside the IceSSL documentation. If I now try to connect to a service (when client and server are on the same PC) it connects successfully. If I deploy the client on a remote PC and do the same steps I get a security exception:
The remote certificate is invalid according to the validation procedure.
I use Ice 3.1.1.
On the client side I set the parameters:
Ice.Plugin.IceSSL = icesslcs.dll:IceSSL.PluginFactory
Ice.ThreadPerConnection=1 (because of C# 2.0)
IceSSL.Password = password
IceSSL.CertAuthFile = cert_path
IceSSL.CertFile = ca_path
On the server side the config looks like:
Ice.Plugin.IceSSL=icesslcs.dll:IceSSL.PluginFactory
IceSSL.DefaultDir=ca_root_path
IceSSL.CertFile=server_key.p12
IceSSL.Password=password
IceSSL.ImportCert.LocalMachine.AuthRoot=ca_cert.pem
Ice.ThreadPerConnection=1
I hope someone can give me a hint what exactly is wrong here!
Best Regards
Thomas Krieger
Comments
Who is rejecting the connection? The client is rejecting the server, or the server is booting the client? Did you install the correct certificates on the client host? I recommend enabling some of the SSL tracing to determine what is occurring during the connection process. You can see the Ice manual for details on what tracing is exactly available.
The server rejects the connection when the client requests the proxy object.
I switched the IceSSL.Trace.Security flag to value 1 and got the following info:
[ iceboxnet.exe: Security: SSL connection summary
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1122
authenticated = yes
encrypted = yes
signed = yes
mutually authenticated = yes
hash algorithm = Md5/128
cipher algorithm = Rc4/128
key exchange algorithm = RsaSign/2048
protocol = Tls ]
The connection info on local connections looks like this:
[ iceboxnet.exe: Security: SSL connection summary
local address = 127.0.0.1:11002
remote address = 127.0.0.1:2079
authenticated = yes
encrypted = yes
signed = yes
mutually authenticated = yes
hash algorithm = Md5/128
cipher algorithm = Rc4/128
key exchange algorithm = RsaSign/2048
protocol = Tls ]
Here is a little more connection log info:
[ iceboxnet.exe: Network: attempting to bind to ssl socket 192.168.1.100:12345 ]
[ iceboxnet.exe: Network: accepting ssl connections at 192.168.1.100:12345 ]
[ iceboxnet.exe: Network: attempting to bind to ssl socket 127.0.0.1:12345 ]
[ iceboxnet.exe: Network: accepting ssl connections at 127.0.0.1:12345 ]
[ iceboxnet.exe: Network: attempting to bind to ssl socket 192.168.1.100:11002 ]
[ iceboxnet.exe: Network: accepting ssl connections at 192.168.1.100:11002 ]
[ iceboxnet.exe: Network: attempting to bind to ssl socket 127.0.0.1:11002 ]
[ iceboxnet.exe: Network: accepting ssl connections at 127.0.0.1:11002 ]
[ iceboxnet.exe: Network: trying to validate incoming ssl connection
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1147 ]
[ iceboxnet.exe: Network: accepted ssl connection
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1147 ]
[ iceboxnet.exe: Security: SSL connection summary
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1147
authenticated = yes
encrypted = yes
signed = yes
mutually authenticated = yes
hash algorithm = Md5/128
cipher algorithm = Rc4/128
key exchange algorithm = RsaSign/2048
protocol = Tls ]
[ iceboxnet.exe: Network: trying to validate incoming ssl connection
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1148 ]
[ iceboxnet.exe: Network: sent 14 of 14 bytes via ssl
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1147 ]
[ iceboxnet.exe: Network: shutting down ssl connection for reading and writing
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1147 ]
[ iceboxnet.exe: Network: closing ssl connection
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1147 ]
[ iceboxnet.exe: Network: accepted ssl connection
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1148 ]
[ iceboxnet.exe: Security: SSL connection summary
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1148
authenticated = yes
encrypted = yes
signed = yes
mutually authenticated = yes
hash algorithm = Md5/128
cipher algorithm = Rc4/128
key exchange algorithm = RsaSign/2048
protocol = Tls ]
[ iceboxnet.exe: Network: sent 14 of 14 bytes via ssl
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1148 ]
[ iceboxnet.exe: Network: shutting down ssl connection for reading and writing
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1148 ]
[ iceboxnet.exe: Network: closing ssl connection
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1148 ]
Sorry, I gave no info about which IP has which role.
192.168.1.100: server
192.168.1.195: client
Here is some log output of the client if I run it on the "server":
[ NodeCommunicator.exe: Network: trying to establish ssl connection to 127.0.0.1:11002 ]
[ NodeCommunicator.exe: Network: ssl connection established
local address = 127.0.0.1:2238
remote address = 127.0.0.1:11002 ]
[ NodeCommunicator.exe: Security: SSL connection summary
local address = 127.0.0.1:2238
remote address = 127.0.0.1:11002
authenticated = yes
encrypted = yes
signed = yes
mutually authenticated = yes
hash algorithm = Md5/128
cipher algorithm = Rc4/128
key exchange algorithm = RsaSign/2048
protocol = Tls ]
And here is some log output if I run the client on the "client":
[ NodeCommunicator.exe: Network: trying to establish ssl connection to 192.168.1.100:11002 ]
[ NodeCommunicator.exe: Security: SSL certificate validation failed ]
[ NodeCommunicator.exe: Network: trying to establish ssl connection to 192.168.1.100:11002 ]
[ NodeCommunicator.exe: Security: SSL certificate validation failed ]
I use the exact same certificates in both situations.
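As an added example, not code from this thread or from ZeroC: a small Python script that parses trace entries in the format quoted in the posts above (IceSSL.Trace.Security=1 together with Ice.Trace.Network) and reports, per logging process, failed certificate validations and connection summaries that negotiated MD5 or RC4, both of which are deprecated today. The sample trace inside the script is constructed from the lines in the posts, and the entry layout ("[ program: category: message" followed by "key = value" lines and a closing "]") is assumed from those quotes rather than taken from the Ice documentation.

```python
"""Audit IceSSL trace output for failed certificate validations and weak
negotiated algorithms.

Added example, not code from the thread or from ZeroC. The trace format is
assumed from the lines quoted in the posts: each entry is enclosed in
"[ ... ]", starts with "<program>: <category>: <message>", and an
"SSL connection summary" entry carries "key = value" lines after the head.
"""
from dataclasses import dataclass, field

# Algorithms worth flagging when they appear in a connection summary.
WEAK_HASH = {"md5"}
WEAK_CIPHER = {"rc4", "des", "null"}


@dataclass
class TraceEntry:
    program: str
    category: str
    message: str
    fields: dict = field(default_factory=dict)


def _parse_entry(lines):
    # Drop the enclosing brackets, then split the head from "key = value" lines.
    body = "\n".join(lines).strip()
    if body.startswith("["):
        body = body[1:]
    if body.endswith("]"):
        body = body[:-1]
    head, *rest = [ln.strip() for ln in body.strip().split("\n")]
    parts = head.split(": ", 2)
    if len(parts) != 3:  # tolerate entries without the usual three-part head
        parts = ["", "", head]
    program, category, message = parts
    fields = {}
    for line in rest:
        key, sep, value = line.partition(" = ")
        if sep:
            fields[key.strip()] = value.strip()
    return TraceEntry(program, category, message.strip(), fields)


def parse_trace(text):
    """Split trace text into entries; an entry ends at a line ending in ']'."""
    entries, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf.append(line)
        if line.endswith("]"):
            entries.append(_parse_entry(buf))
            buf = []
    return entries


def audit(entries):
    """Return human-readable findings for the Security entries only."""
    findings = []
    for e in entries:
        if e.category != "Security":
            continue
        if "validation failed" in e.message:
            # The process that logs this line is the one rejecting its peer.
            findings.append(f"{e.program}: {e.message}")
            continue
        if e.message == "SSL connection summary":
            peer = e.fields.get("remote address", "?")
            if e.fields.get("mutually authenticated") != "yes":
                findings.append(f"{e.program}: {peer}: peer not mutually authenticated")
            hash_alg = e.fields.get("hash algorithm", "")
            cipher = e.fields.get("cipher algorithm", "")
            if hash_alg.split("/")[0].lower() in WEAK_HASH:
                findings.append(f"{e.program}: {peer}: weak hash algorithm {hash_alg}")
            if cipher.split("/")[0].lower() in WEAK_CIPHER:
                findings.append(f"{e.program}: {peer}: weak cipher algorithm {cipher}")
    return findings


# Constructed sample, modelled on the trace lines quoted in the thread.
SAMPLE_TRACE = """\
[ iceboxnet.exe: Network: accepting ssl connections at 192.168.1.100:11002 ]
[ iceboxnet.exe: Security: SSL connection summary
local address = 192.168.1.100:11002
remote address = 192.168.1.195:1147
authenticated = yes
encrypted = yes
signed = yes
mutually authenticated = yes
hash algorithm = Md5/128
cipher algorithm = Rc4/128
key exchange algorithm = RsaSign/2048
protocol = Tls ]
[ NodeCommunicator.exe: Network: trying to establish ssl connection to 192.168.1.100:11002 ]
[ NodeCommunicator.exe: Security: SSL certificate validation failed ]
"""

if __name__ == "__main__":
    for finding in audit(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Because each "SSL certificate validation failed" finding is attributed to the process that logged it, running the script over both the server trace and the client trace shows which side is refusing its peer's certificate, and therefore whose trust store needs the CA certificate.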
Hi Thomas,
Does it work if you define the IceSSL.ImportCert property in your client's configuration?
Take care,
- Mark
Hi,
I made some changes before your post and at first it also threw errors. Here is my new client Ice configuration:
Ice.Plugin.IceSSL=icesslcs.dll:IceSSL.PluginFactory
Ice.ThreadPerConnection=1
IceSSL.Password=password
IceSSL.DefaultDir=.
IceSSL.CertAuthFile=cakey
IceSSL.CertFile=certpath
The cakey and the cert file are in a different directory (than the working directory) and the settings contain absolute paths.
When I wanted to try your tip today I first made a try with this "old" configuration and it works. I don't know why; it seems to be the restart.
Thanks for your help, I will try the Import option too.
Best Regards
Thomas Krieger