
Certificate validation on remote computer

Hello,

I have a problem regarding the certificate validation inside IceSSL. I created my own certificates with the examples in the IceSSL documentation. If I now try to connect to a service (when client and server are on the same PC) it connects successfully. If I deploy the client on a remote PC and make the same steps, I get a security exception:

The remote certificate is invalid according to the validation procedure.

I use Ice 3.1.1.
On the client side I set the parameters:

Ice.Plugin.IceSSL = icesslcs.dll:IceSSL.PluginFactory
Ice.ThreadPerConnection=1 (because of C# 2.0)
IceSSL.Password = password
IceSSL.CertAuthFile = cert_path
IceSSL.CertFile = ca_path

On the server side the configuration looks like:

Ice.Plugin.IceSSL=icesslcs.dll:IceSSL.PluginFactory
IceSSL.DefaultDir=ca_root_path
IceSSL.CertFile=server_key.p12
IceSSL.Password=password
IceSSL.ImportCert.LocalMachine.AuthRoot=ca_cert.pem
Ice.ThreadPerConnection=1

Hope someone can give me a hint what exactly is wrong here!

Best Regards

Thomas Krieger

Comments

  • matthew
    matthew NL, Canada
    Who is rejecting the connection? The client is rejecting the server, or the server is booting the client? Did you install the correct certificates on the client host? I recommend enabling some of the SSL tracing to determine what is occurring during the connection process. You can see the Ice manual for details on what tracing is exactly available.
  • The server rejects the connection when the client requests the proxy object.
    I switched the IceSSL.Trace.Security flag to value 1 and got the following info:

    [ iceboxnet.exe: Security: SSL connection summary
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1122
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]

    The connection info on local connections looks like this:

    [ iceboxnet.exe: Security: SSL connection summary
    local address = 127.0.0.1:11002
    remote address = 127.0.0.1:2079
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]
  • Here is a little more connection log info:

    [ iceboxnet.exe: Network: attempting to bind to ssl socket 192.168.1.100:12345 ]

    [ iceboxnet.exe: Network: accepting ssl connections at 192.168.1.100:12345 ]
    [ iceboxnet.exe: Network: attempting to bind to ssl socket 127.0.0.1:12345 ]
    [ iceboxnet.exe: Network: accepting ssl connections at 127.0.0.1:12345 ]
    [ iceboxnet.exe: Network: attempting to bind to ssl socket 192.168.1.100:11002 ]

    [ iceboxnet.exe: Network: accepting ssl connections at 192.168.1.100:11002 ]
    [ iceboxnet.exe: Network: attempting to bind to ssl socket 127.0.0.1:11002 ]
    [ iceboxnet.exe: Network: accepting ssl connections at 127.0.0.1:11002 ]
    [ iceboxnet.exe: Network: trying to validate incoming ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Network: accepted ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Security: SSL connection summary
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]
    [ iceboxnet.exe: Network: trying to validate incoming ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
    [ iceboxnet.exe: Network: sent 14 of 14 bytes via ssl
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Network: shutting down ssl connection for reading and writing
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Network: closing ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1147 ]
    [ iceboxnet.exe: Network: accepted ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
    [ iceboxnet.exe: Security: SSL connection summary
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]
    [ iceboxnet.exe: Network: sent 14 of 14 bytes via ssl
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
    [ iceboxnet.exe: Network: shutting down ssl connection for reading and writing
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
    [ iceboxnet.exe: Network: closing ssl connection
    local address = 192.168.1.100:11002
    remote address = 192.168.1.195:1148 ]
  • Sorry, I gave no info on which IP has which role.

    192.168.1.100: server
    192.168.1.195: client

    Here is some log of the client if I run it on the "server":

    [ NodeCommunicator.exe: Network: trying to establish ssl connection to 127.0.0.1:11002 ]
    [ NodeCommunicator.exe: Network: ssl connection established
    local address = 127.0.0.1:2238
    remote address = 127.0.0.1:11002 ]
    [ NodeCommunicator.exe: Security: SSL connection summary
    local address = 127.0.0.1:2238
    remote address = 127.0.0.1:11002
    authenticated = yes
    encrypted = yes
    signed = yes
    mutually authenticated = yes
    hash algorithm = Md5/128
    cipher algorithm = Rc4/128
    key exchange algorithm = RsaSign/2048
    protocol = Tls ]

    And here is some log if I run the client on the "client":

    [ NodeCommunicator.exe: Network: trying to establish ssl connection to 192.168.1.100:11002 ]
    [ NodeCommunicator.exe: Security: SSL certificate validation failed ]
    [ NodeCommunicator.exe: Network: trying to establish ssl connection to 192.168.1.100:11002 ]
    [ NodeCommunicator.exe: Security: SSL certificate validation failed ]

    I use the exact same certificates for both situations.
  • mes
    mes California
    Hi Thomas,

    Does it work if you define the IceSSL.ImportCert property in your client's configuration?

    Take care,
    - Mark
  • Hi,

    I made some changes before your post and it initially also threw errors. Here is my new client Ice configuration:

    Ice.Plugin.IceSSL=icesslcs.dll:IceSSL.PluginFactory
    Ice.ThreadPerConnection=1
    IceSSL.Password=password
    IceSSL.DefaultDir=.
    IceSSL.CertAuthFile=cakey
    IceSSL.CertFile=certpath

    The cakey and the cert file are in another directory (than the working directory) and the settings contain an absolute path.
    When I wanted to try your tip today, I first made a try with this "old" configuration and it works. Don't know why; it seems to be the restart.

    Thanks for your help, I will try the Import option too.

    Best Regards

    Thomas Krieger
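The error in the thread ("The remote certificate is invalid according to the validation procedure") is the message .NET's SslStream produces when the chain built for the peer certificate does not end in a trusted root. The following is an added example, not code from this thread or from ZeroC's IceSSL; it uses .NET's own X509Chain (assumes .NET 6 or later) on a constructed demo CA and server certificate to show the two situations in the thread: the CA is available but not trusted on the host (what the remote client sees), and the CA is trusted (what IceSSL.ImportCert.LocalMachine.AuthRoot achieves on the server host).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ChainCheck
{
    // Constructed demo CA, standing in for the thread's ca_cert.pem.
    public static X509Certificate2 MakeCa(RSA key)
    {
        var req = new CertificateRequest("CN=Demo CA", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    // Constructed server certificate issued by the demo CA (stand-in for the cert inside server_key.p12).
    public static X509Certificate2 MakeServerCert(X509Certificate2 ca, RSA key)
    {
        var req = new CertificateRequest("CN=192.168.1.100", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // keep the serial number a positive INTEGER
        return req.Create(ca, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddMonths(6), serial);
    }

    // Builds the chain the way SslStream does and returns the combined status flags.
    // The CA is always available for chain building (ExtraStore); trustCa decides whether
    // the host actually trusts it, which is the difference between the two hosts in the thread.
    public static X509ChainStatusFlags Validate(X509Certificate2 serverCert, X509Certificate2 ca, bool trustCa)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // the demo CA publishes no CRL
        chain.ChainPolicy.ExtraStore.Add(ca);
        if (trustCa)
        {
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(ca);
        }
        chain.Build(serverCert);
        var flags = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus s in chain.ChainStatus) flags |= s.Status;
        return flags;
    }

    public static void Main()
    {
        using RSA caKey = RSA.Create(2048);
        using RSA serverKey = RSA.Create(2048);
        using X509Certificate2 ca = MakeCa(caKey);
        using X509Certificate2 server = MakeServerCert(ca, serverKey);
        Console.WriteLine("CA not trusted on this host: " + Validate(server, ca, false)); // UntrustedRoot
        Console.WriteLine("CA trusted on this host:     " + Validate(server, ca, true));  // NoError
    }
}
```

Running it on the remote client host with the real ca_cert.pem and the server certificate (loaded from file instead of constructed) tells you directly whether the failure is a missing trust anchor, which is the case the ImportCert suggestion addresses.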