Archived

This forum has been archived. Please start a new discussion on GitHub.

IceSSL on Windows Server 2003

Hi,

We are currently using IceSSL in a .Net codebase (.Net 3.5) in server mode. The host machine is a Windows Server 2003 based Amazon EC2 instance. We are loading the SSL certificate files using the following code:


// configure IceSSL (property names are those of the IceSSL plug-in)
Ice.InitializationData initData = new Ice.InitializationData();
initData.properties = Ice.Util.createProperties();
initData.properties.setProperty("Ice.Plugin.IceSSL", "../../../Common/lib/IceSSL.dll:IceSSL.PluginFactory");
initData.properties.setProperty("IceSSL.DefaultDir", "../../../Common/ice-certs");
initData.properties.setProperty("IceSSL.CertFile", "cert.pfx");       // server certificate plus private key
initData.properties.setProperty("IceSSL.Password", "xxxxxx");         // password protecting the PFX
initData.properties.setProperty("IceSSL.ImportCert.LocalMachine.AuthRoot", "ca_cert.pem"); // trust anchor for peer certs

// configure Ice without active connection management to avoid problems with bidirectional and oneway traffic
initData.properties.setProperty("Ice.ACM.Client", "0");
communicator = Ice.Util.initialize(initData);


The code works fine on our development platform, which is a Windows XP machine. However, we receive the following exception while loading the cert.pfx file on the Windows 2003 server.


4/16/2012 1:51:37 PM [Error] Ice.PluginInitializationException
reason = "IceSSL: error while attempting to load certificate from ..\..\..\Common\ice-certs\cert.pfx"
at IceSSL.Instance.initialize()
at IceSSL.PluginI.initialize()
at Ice.PluginManagerI.initializePlugins()
at IceInternal.Instance.finishSetup(String[]& args)
at Ice.CommunicatorI.finishSetup(String[]& args)
at Ice.Util.initialize(InitializationData initData)
at StarMobile.RenderService.RenderServer.init() in C:\Documents and Settings\All Users\Desktop\gitC#\StarMobile\RenderService\RenderServer.cs:line 66
Caused by: System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, SecureString password)
at IceSSL.Instance.initialize()


Upon a Google search, I found that the problem is the following:
---- from "Error on EWP while hosting", The Official Microsoft ASP.NET Forums:

I've found a solution that at least for now seems to work. So as it seems asp.net usually (on hosting providers?) runs with medium trust. Medium trust happens to forbid the user to access the local user store which is the default. So we have to use the Machine Store which Medium trust happens to allow. Also according to some sources local store is also fucked up when using impersonation. Further more the certificate somehow uses a certificate store even if it is not installed there and you load it from file or byte array. And now the moment you've all been waiting for - the code:

X509Certificate2 certificate = new X509Certificate2("filename", "password", X509KeyStorageFlags.MachineKeySet);


I looked at the source code in the IceSSL directory and found that the Instance.cs file, which raises the exception, contains the following line. The line does not include the MachineKeySet flag.

cert = new X509Certificate2(certFile, password);


Is there a way I can modify this line to include the MachineKeySet flag? If others have also faced this issue, how did they solve it?

thanks
sandeep
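
What the requested change looks like in practice, as an added example that is not ZeroC's code and not part of the original post: a small C# (.NET 3.5) console program that loads the PFX the way the patched Instance.cs line would, with X509KeyStorageFlags.MachineKeySet, checks that the private key is usable, and reports failure with the same message IceSSL prints. The directory, file name, password and helper names are assumptions for the demonstration; the real values come from IceSSL.DefaultDir, IceSSL.CertFile and IceSSL.Password.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not IceSSL's own code. CertLoader.LoadServerCert is the
// one-line change to Instance.cs (cert = new X509Certificate2(certFile, password))
// pulled out into a helper so it can be tried from a console program first.
static class CertLoader
{
    // Loads a PFX and places its private key container in the machine key store.
    // Without MachineKeySet, CryptoAPI creates the container under the calling
    // user's profile; a service or an impersonated ASP.NET account with no
    // profile loaded has no such directory, and the load fails with
    // "The system cannot find the file specified".
    public static X509Certificate2 LoadServerCert(string path, SecureString password)
    {
        if (!File.Exists(path))
            throw new FileNotFoundException("certificate file not found", path);

        X509Certificate2 cert;
        try
        {
            cert = new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet);
        }
        catch (CryptographicException ex)
        {
            // Same wording as the IceSSL plug-in, with the CryptoAPI error kept as inner exception.
            throw new InvalidOperationException(
                "IceSSL: error while attempting to load certificate from " + path, ex);
        }

        // A server certificate whose private key is not accessible fails at the
        // first TLS handshake; fail here, at startup, instead.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(path + " contains no usable private key");

        return cert;
    }

    // IceSSL.Password arrives as a plain string from the properties; convert it
    // once so the constructor overload that takes a SecureString can be used.
    public static SecureString ToSecureString(string s)
    {
        var secure = new SecureString();
        foreach (char c in s)
            secure.AppendChar(c);
        secure.MakeReadOnly();
        return secure;
    }
}

class Program
{
    static int Main(string[] args)
    {
        // Hypothetical defaults mirroring the properties in the post.
        string dir = args.Length > 0 ? args[0] : @"..\..\..\Common\ice-certs";
        string pw  = args.Length > 1 ? args[1] : "xxxxxx";
        try
        {
            X509Certificate2 cert = CertLoader.LoadServerCert(
                Path.Combine(dir, "cert.pfx"), CertLoader.ToSecureString(pw));
            Console.WriteLine("loaded {0}, valid until {1:u}, key container in machine store",
                              cert.Subject, cert.NotAfter);
            return 0;
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine(ex);
            return 1;
        }
    }
}
```

Run it under the same account the Ice server uses (the service account, or the impersonated identity) rather than an interactive administrator login, otherwise the user-profile case works and the test proves nothing. The flag only changes where CryptoAPI creates the key container; the machine key store is shared by every account on the host, so on a shared box check the ACLs on the container files under the MachineKeys directory. The example does not pass PersistKeySet, so the container is not kept once the certificate object is released.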

Comments

  • mes
    mes California
    Hi,

    Thanks for reporting this, it's the first time I've seen this issue.

    After modifying Instance.cs to add the MachineKeySet flag, you can build a new version of the IceSSL assembly. I recommend downloading and running our Third-Party installer first. Next, open a Visual Studio command window, change to the directory containing the Ice source code, and do the following:
    > cd Ice-3.4.2\cpp\src\IceUtil
    > nmake /f Makefile.mak
    > cd ..\Slice
    > nmake /f Makefile.mak
    > cd ..\slice2cs
    > nmake /f Makefile.mak
    > cd ..\..\..\cs\src\Ice
    > nmake /f Makefile.mak
    > cd ..\IceSSL
    > nmake /f Makefile.mak
    

    This will create a new version of IceSSL.dll in cs\bin.

    Regards,
    Mark
  • Thanks !

    Thanks for the quick response. The code fix works and I am able to load the file now. You might want to consider looking at this issue further and updating your code to include the MachineKeySet in the Ice code base. More info on the issue is available at the following microsoft blog:

    RSACryptoServiceProvider fails when used with ASP.NET - Decrypt my World - Site Home - MSDN Blogs
  • mes
    mes California
    Hi,

    Glad to hear it's working for you now.

    We will include a fix for this in the next release.

    Cheers,
    Mark
  • ICE-3.5.0 - Ice.PluginInitializationException

    Hi,

    I have downloaded Ice 3.5.0. When running server.exe from the demo (C#), I am getting the "Ice.PluginInitializationException".

    I am running on Windows XP.

    Please advise.

    Also, if I need to modify the code in "Instance.cs", could someone point me to the Ice 3.5.0 source code?

    Thanks in advance.
  • mes
    mes California
    Hi,

    Welcome to the forum.

    Can you paste the complete exception stack trace?

    Thanks,
    Mark
  • Hi Mark,

    Here you go...

    C:\Program Files\ZeroC\Ice-3.5.0-demos\democs\Ice\hello>server.exe
    !! 7/3/2013 09:47:59:753 server.exe: error: Ice.PluginInitializationException
    reason = "IceSSL: error while attempting to load certificate from s_rsa1024.pfx"
    at IceSSL.Instance.initialize()
    at IceSSL.PluginI.initialize()
    at Ice.PluginManagerI.initializePlugins()
    at IceInternal.Instance.finishSetup(String[]& args)
    at Ice.CommunicatorI.finishSetup(String[]& args)
    at Ice.Util.initialize(String[]& args, InitializationData initData)
    at Ice.Application.doMain(String[] args, InitializationData initData)
    Caused by: System.Security.Cryptography.CryptographicException: An internal error occurred.

    at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
    at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
    at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
    at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, SecureString password, X509KeyStorageFlags keyStorageFlags)
    at IceSSL.Instance.initialize()
  • mes
    mes California
    This is a known issue with our demo certificates. We mentioned this in our release notes. The problem is that Windows XP doesn't provide complete support for the SHA256 hash algorithm that we use to generate our demo certificates, but we needed to use this algorithm for compatibility with iOS. I'm afraid you won't be able to use these certificates on XP.

    Regards,
    Mark
  • Thanks for your quick response.

    Here's our use-case:

    1) The pattern is request/response. It has to support both synchronous and asynchronous calls.
    2) Once we make the request, the data we get back is the serialized object using protocol buffer
    3) Client runs on "Windows XP" and the server on linux.

    Question
    Which sample would be ideal for us?

    Thanks
  • mes
    mes California
    Our labs project provides sample programs in C++, Java and Python. We don't currently support the use of C# with protocol buffers. Is using C# a requirement for you?

    Note also that we have added many new features in Ice 3.5, such as support for optional data members and optional parameters, that offer functionality similar to that of protocol buffers and might eliminate the need to use protocol buffers in some cases.

    Regards,
    Mark
  • C# is a requirement for us, the client is a WPF based application. We have other reasons to use protocol buffers for message encoding purposes.

    Is it possible to use 3.4.x version and send the data as a byte sequence?
  • mes
    mes California
    There's no need to revert to Ice 3.4. We don't provide any built-in C# support for protocol buffers primarily because Google didn't provide a C# implementation of PB. Are you using a third-party PB implementation for C#?

    Although Ice doesn't officially support it, you can still send and receive encoded PB messages, you'll just have to treat them as regular byte sequences in C# and manage the encoding/decoding yourself.

    Mark
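
The byte-sequence approach Mark describes, as an added example that is not ZeroC's code and not from the thread: a Slice interface that carries opaque bytes, a C# servant that decodes a protocol buffer request and encodes the reply, and a client that calls it both synchronously and with Ice 3.5 AMI, which is what the WPF use case asks for. It assumes protobuf-net as the third-party C# protocol buffer library, the constructed Slice definition in the comment (compiled with slice2cs into Demo.RendererDisp_ and Demo.RendererPrx), and message types and limits invented for the demonstration.

```csharp
using System;
using System.IO;
using ProtoBuf;   // protobuf-net: third-party C# protocol buffers (assumed)

// Constructed Slice definition for this example (compile with slice2cs):
//
//   module Demo {
//       sequence<byte> ByteSeq;
//       interface Renderer {
//           ByteSeq render(ByteSeq request);   // opaque PB bytes in, opaque PB bytes out
//       };
//   };

[ProtoContract]
public class RenderRequest
{
    [ProtoMember(1)] public string Scene { get; set; }
    [ProtoMember(2)] public int Width { get; set; }
}

[ProtoContract]
public class RenderResponse
{
    [ProtoMember(1)] public bool Ok { get; set; }
    [ProtoMember(2)] public string Error { get; set; }
    [ProtoMember(3)] public byte[] Pixels { get; set; }
}

// Ice only sees byte[]; the PB encoding is handled here, on both sides.
public static class Pb
{
    public static byte[] Encode<T>(T msg)
    {
        using (var ms = new MemoryStream())
        {
            Serializer.Serialize(ms, msg);
            return ms.ToArray();
        }
    }

    public static T Decode<T>(byte[] bytes)
    {
        using (var ms = new MemoryStream(bytes))
            return Serializer.Deserialize<T>(ms);
    }
}

// Server side. The bytes come straight off the wire, so validate before use.
public class RendererI : Demo.RendererDisp_
{
    const int MaxRequestBytes = 64 * 1024;   // assumed application limit
    const int MaxWidth = 4096;               // assumed application limit

    public override byte[] render(byte[] request, Ice.Current current)
    {
        if (request.Length > MaxRequestBytes)
            return Pb.Encode(new RenderResponse { Ok = false, Error = "request too large" });

        RenderRequest req;
        try
        {
            req = Pb.Decode<RenderRequest>(request);
        }
        catch (ProtoException ex)   // malformed input: answer with an error, keep the servant alive
        {
            return Pb.Encode(new RenderResponse { Ok = false, Error = "bad request: " + ex.Message });
        }

        if (req.Width <= 0 || req.Width > MaxWidth)
            return Pb.Encode(new RenderResponse { Ok = false, Error = "width out of range" });

        byte[] pixels = new byte[req.Width];   // placeholder for the real rendering work
        return Pb.Encode(new RenderResponse { Ok = true, Pixels = pixels });
    }
}

// Client side (the WPF application).
public static class RenderClient
{
    public static RenderResponse RenderSync(Demo.RendererPrx prx, string scene, int width)
    {
        byte[] reply = prx.render(Pb.Encode(new RenderRequest { Scene = scene, Width = width }));
        return Pb.Decode<RenderResponse>(reply);
    }

    // Ice 3.5 AMI begin_/end_ pair: the UI thread is not blocked while the call is in flight.
    public static void RenderAsync(Demo.RendererPrx prx, string scene, int width,
                                   Action<RenderResponse> onReply, Action<Exception> onError)
    {
        byte[] bytes = Pb.Encode(new RenderRequest { Scene = scene, Width = width });
        prx.begin_render(bytes, (Ice.AsyncResult ar) =>
        {
            try { onReply(Pb.Decode<RenderResponse>(prx.end_render(ar))); }
            catch (Exception ex) { onError(ex); }
        }, null);
    }
}
```

The AMI callback runs on an Ice thread, so a WPF caller marshals onReply back to the UI dispatcher before touching controls. Keeping the PB payload opaque to Slice means the .ice file never changes when the message schema does, but it also means Ice's own marshalling checks do nothing for the payload; the length and range checks in the servant are the only validation the bytes get.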