IceSSL on Windows Server 2003
Hi,
We are currently using IceSSL in a .NET codebase (.NET 3.5) in server mode. The host machine is a Windows 2003 Server-based Amazon EC2 instance. We are loading the SSL certificate files using the following commands:
// configure ICE SSL
initData.properties.setProperty("Ice.Plugin.IceSSL", "../../../Common/lib/IceSSL.dll:IceSSL.PluginFactory");
initData.properties.setProperty("IceSSL.DefaultDir", "../../../Common/ice-certs");
initData.properties.setProperty("IceSSL.CertFile", "cert.pfx");
initData.properties.setProperty("IceSSL.Password", "xxxxxx");
initData.properties.setProperty("IceSSL.ImportCert.LocalMachine.AuthRoot", "ca_cert.pem");
// configure ICE without active connection management to avoid problems with bidirectional and oneway traffic
initData.properties.setProperty("Ice.ACM.Client", "0");
communicator = Ice.Util.initialize(initData);
The code works fine on our development platform, which is a Windows XP machine. However, we receive the following exception while loading the cert.pfx file on the Windows 2003 server.
4/16/2012 1:51:37 PM [Error] Ice.PluginInitializationException
reason = "IceSSL: error while attempting to load certificate from ..\..\..\Common\ice-certs\cert.pfx"
at IceSSL.Instance.initialize()
at IceSSL.PluginI.initialize()
at Ice.PluginManagerI.initializePlugins()
at IceInternal.Instance.finishSetup(String[]& args)
at Ice.CommunicatorI.finishSetup(String[]& args)
at Ice.Util.initialize(InitializationData initData)
at StarMobile.RenderService.RenderServer.init() in C:\Documents and Settings\All Users\Desktop\gitC#\StarMobile\RenderService\RenderServer.cs:line 66
Caused by: System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, SecureString password)
at IceSSL.Instance.initialize()
Upon a Google search, I found that the problem is the following:
---- from Error on EWP while hosting : The Official Microsoft ASP.NET Forums
I've found a solution that at least for now seems to work. So as it seems, ASP.NET usually (on hosting providers?) runs with medium trust. Medium trust happens to forbid the user to access the local user store, which is the default. So we have to use the Machine Store, which Medium trust happens to allow. Also, according to some sources, local store is also fucked up when using impersonation. Furthermore, the certificate somehow uses a certificate store even if it is not installed there and you load it from file or byte array. And now the moment you've all been waiting for - the code:
X509Certificate2 certificate = new X509Certificate2("filename", "password", X509KeyStorageFlags.MachineKeySet);
I looked at the source code in the IceSSL directory and I found that in the Instance.cs file, which raises the exception, the following line is present. The line does not include the MachineKeySet flag.
cert = new X509Certificate2(certFile, password);
Is there a way I can modify this line to include the MachineKeySet flag? If others have also faced this issue, how did they solve it?
thanks
sandeep
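The change asked about above, as an added example (not part of the original post and not IceSSL's own code): a loader that first tries the default key set, which is what the two-argument constructor in Instance.cs uses, and retries with X509KeyStorageFlags.MachineKeySet on CryptographicException. The class name, method name and the PFX_PASSWORD environment variable are hypothetical; the code sticks to APIs available in .NET 3.5.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of IceSSL.
static class PfxLoader
{
    // Tries each key storage location in turn and reports which one worked.
    public static X509Certificate2 Load(string path, string password,
                                        out X509KeyStorageFlags used)
    {
        X509KeyStorageFlags[] attempts =
        {
            X509KeyStorageFlags.DefaultKeySet, // same as new X509Certificate2(path, password)
            X509KeyStorageFlags.MachineKeySet  // private key goes to the local computer store
        };
        CryptographicException last = null;
        foreach (X509KeyStorageFlags flags in attempts)
        {
            try
            {
                X509Certificate2 cert = new X509Certificate2(path, password, flags);
                if (!cert.HasPrivateKey)
                {
                    // A server certificate without its key is useless for SSL.
                    cert.Reset();
                    throw new CryptographicException("no private key in " + path);
                }
                used = flags;
                return cert;
            }
            catch (CryptographicException ex)
            {
                last = ex; // remember the failure and try the next location
            }
        }
        throw new CryptographicException("could not load " + path + ": " + last.Message);
    }

    static void Main(string[] args)
    {
        // args[0]: path to the .pfx; the password comes from the (assumed)
        // PFX_PASSWORD environment variable rather than from source code.
        string password = Environment.GetEnvironmentVariable("PFX_PASSWORD");
        X509KeyStorageFlags used;
        X509Certificate2 cert = Load(args[0], password, out used);
        Console.WriteLine("loaded {0} using {1}", cert.Subject, used);
        cert.Reset(); // release the certificate context when done
    }
}
```

Logging which flag succeeded shows whether a host depends on the machine key set. With MachineKeySet the private key is held in a store shared by the whole machine, so access to it is governed by that store's ACLs rather than by a single user profile.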
Comments
-
Hi,
Thanks for reporting this, it's the first time I've seen this issue.
After modifying Instance.cs to add the MachineKeySet flag, you can build a new version of the IceSSL assembly. I recommend downloading and running our Third-Party installer first. Next, open a Visual Studio command window, change to the directory containing the Ice source code, and do the following:
> cd Ice-3.4.2\cpp\src\IceUtil
> nmake /f Makefile.mak
> cd ..\Slice
> nmake /f Makefile.mak
> cd ..\slice2cs
> nmake /f Makefile.mak
> cd ..\..\..\cs\src\Ice
> nmake /f Makefile.mak
> cd ..\IceSSL
> nmake /f Makefile.mak
This will create a new version of IceSSL.dll in cs\bin.
Regards,
Mark
-
Thanks !
Thanks for the quick response. The code fix works and I am able to load the file now. You might want to consider looking at this issue further and updating your code to include the MachineKeySet in the Ice code base. More info on the issue is available at the following Microsoft blog:
RSACryptoServiceProvider fails when used with ASP.NET - Decrypt my World - Site Home - MSDN Blogs
-
Hi,
Glad to hear it's working for you now.
We will include a fix for this in the next release.
Cheers,
Mark
-
ICE-3.5.0 - Ice.PluginInitializationException
Hi,
I have downloaded Ice 3.5.0. When running server.exe from the demo (C#), I am getting the "Ice.PluginInitializationException".
I am running on Windows XP.
Please advise.
Also, if I need to modify the code in "instance.cs", can someone point me to the ICE-3.5.0 source code?
Thanks in advance.
-
Hi,
Welcome to the forum.
Can you paste the complete exception stack trace?
Thanks,
Mark
-
Hi Mark,
Here you go...
C:\Program Files\ZeroC\Ice-3.5.0-demos\democs\Ice\hello>server.exe
!! 7/3/2013 09:47:59:753 server.exe: error: Ice.PluginInitializationException
reason = "IceSSL: error while attempting to load certificate from s_rsa1024.pfx"
at IceSSL.Instance.initialize()
at IceSSL.PluginI.initialize()
at Ice.PluginManagerI.initializePlugins()
at IceInternal.Instance.finishSetup(String[]& args)
at Ice.CommunicatorI.finishSetup(String[]& args)
at Ice.Util.initialize(String[]& args, InitializationData initData)
at Ice.Application.doMain(String[] args, InitializationData initData)
Caused by: System.Security.Cryptography.CryptographicException: An internal error occurred.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, SecureString password, X509KeyStorageFlags keyStorageFlags)
at IceSSL.Instance.initialize()
-
This is a known issue with our demo certificates. We mentioned this in our release notes. The problem is that Windows XP doesn't provide complete support for the SHA256 hash algorithm that we use to generate our demo certificates, but we needed to use this algorithm for compatibility with iOS. I'm afraid you won't be able to use these certificates on XP.
Regards,
Mark
-
Thanks for your quick response.
Here's our use-case:
1) The pattern is request/response. It has to support both synchronous and async.
2) Once we make the request, the data we get back is the serialized object using protocol buffer
3) Client runs on "Windows XP" and the server on linux.
Question
Which sample would be ideal for us?
Thanks
-
Our labs project provides sample programs in C++, Java and Python. We don't currently support the use of C# with protocol buffers. Is using C# a requirement for you?
Note also that we have added many new features in Ice 3.5, such as support for optional data members and optional parameters, that offer functionality similar to that of protocol buffers and might eliminate the need to use protocol buffers in some cases.
Regards,
Mark
-
C# is a requirement for us, the client is a WPF based application. We have other reasons to use protocol buffers for message encoding purposes.
Is it possible to use the 3.4.x version and send the data as a byte sequence?
-
There's no need to revert to Ice 3.4. We don't provide any built-in C# support for protocol buffers primarily because Google didn't provide a C# implementation of PB. Are you using a third-party PB implementation for C#?
Although Ice doesn't officially support it, you can still send and receive encoded PB messages; you'll just have to treat them as regular byte sequences in C# and manage the encoding/decoding yourself.
Mark