
Ice SSL problem - the remote certificate is invalid according to the validation procedure

Dear Zeroc Support Team,

I experienced quite a strange problem - there is a Windows 7 machine on which I once developed and ran an Ice (3.5) application. Now I am not able to run it again - the problem is related to the SSL connection between a client and a server. I decided to check if a sample Ice application (hello) works correctly. Non-encrypted connectivity works perfectly, but in the "secure mode" there is an exception on the server side:

-- 2016-09-12 17:09:22:944 server.exe: Security: SSL certificate validation failed - client certificate not provided
-- 2016-09-12 17:09:22:945 server.exe: Network: failed to establish ssl connection
local address = 172.17.7.162:10001
remote address = 172.17.7.171:55552
Ice.SecurityException
reason = "The remote certificate is invalid according to the validation procedure."
at IceSSL.TransceiverI.endAuthenticate()
at IceSSL.TransceiverI.initialize()
Caused by: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
at IceSSL.TransceiverI.endAuthenticate()
-- 2016-09-12 17:09:22:960 server.exe: Network: attempting to accept ssl connection

On the client side:
-- 2016-09-12 17:09:27:876 client.exe: Network: trying to establish ssl connection to 172.17.7.162:10001
-- 2016-09-12 17:09:27:928 client.exe: Security: IceSSL: ignoring certificate validation failure:
peer certificate does not have `172.17.7.162' as its commonName or in its subjectAltName extension
Subject DN: CN=127.0.0.1, E=info@zeroc.com, OU=Ice, O="ZeroC, Inc.", S=Florida, C=US
DNS names found in certificate: 127.0.0.1
IP addresses found in certificate: 127.0.0.1
-- 2016-09-12 17:09:27:931 client.exe: Network: ssl connection established
local address = 172.17.7.171:55552
remote address = 172.17.7.162:10001
-- 2016-09-12 17:09:27:933 client.exe: Security: SSL connection summary
local address = 172.17.7.171:55552
remote address = 172.17.7.162:10001
authenticated = yes
encrypted = yes
signed = yes
mutually authenticated = no
hash algorithm = Sha1/160
cipher algorithm = Aes256/256
key exchange algorithm = 44550/256
protocol = Tls
-- 2016-09-12 17:09:27:937 client.exe: Network: closing ssl connection

I think that "mutually authenticated = no" is important.

The ZeroC Test CA certificate is properly installed in the trusted root authorities store. The same demo runs correctly on a similar machine. Moreover, the client application running on the "wrong" host is able to successfully connect to the server running on the "good" machine. The problem is therefore related to the server side. What can cause this problem? I am guessing it is some environmental setting, but which? How can I solve it?

I would be grateful for hints.

Best regards,
Łukasz Czekierda

Comments

  • xdm (La Coruña, Spain)

    Hi,

    -- 2016-09-12 17:09:22:944 server.exe: Security: SSL certificate validation failed - client certificate not provided

    This means the server expects a certificate from the client but one is not provided. That behavior is configurable by setting the IceSSL.VerifyPeer property; see https://doc.zeroc.com/pages/viewpage.action?pageId=14031637#IceSSL.*-IceSSL.VerifyPeer

    What are the IceSSL client and server configurations, and what Ice version are you using?
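    As an added illustration of the two log excerpts and of the IceSSL.VerifyPeer point made in this reply (example code added here; it is not part of the thread and not ZeroC's code): a small Python script that parses IceSSL's security/network trace output, extracts the "SSL connection summary" block and any certificate validation failure, and states what the server's IceSSL.VerifyPeer value implies given whether the client presented a certificate. The sample log text is constructed from the lines quoted in the thread. The VerifyPeer meanings (0 = the server does not request a client certificate, 1 = requested but optional, 2 = required) are restated from the Ice documentation, and the client-side property names IceSSL.CertFile and IceSSL.Password are named as the usual place to look; neither appears in the thread itself.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input, modelled on the IceSSL trace lines quoted in the thread.
SAMPLE_SERVER_LOG = """\
-- 2016-09-12 17:09:22:944 server.exe: Security: SSL certificate validation failed - client certificate not provided
-- 2016-09-12 17:09:22:945 server.exe: Network: failed to establish ssl connection
local address = 172.17.7.162:10001
remote address = 172.17.7.171:55552
"""

SAMPLE_CLIENT_LOG = """\
-- 2016-09-12 17:09:27:928 client.exe: Security: IceSSL: ignoring certificate validation failure:
peer certificate does not have `172.17.7.162' as its commonName or in its subjectAltName extension
-- 2016-09-12 17:09:27:933 client.exe: Security: SSL connection summary
local address = 172.17.7.171:55552
remote address = 172.17.7.162:10001
authenticated = yes
encrypted = yes
signed = yes
mutually authenticated = no
hash algorithm = Sha1/160
cipher algorithm = Aes256/256
key exchange algorithm = 44550/256
protocol = Tls
-- 2016-09-12 17:09:27:937 client.exe: Network: closing ssl connection
"""

# Header lines look like: "-- <date> <time> <process>: <category>: <message>"
TRACE_LINE = re.compile(r"^-- (\S+ \S+) (\S+): (\w+): (.*)$")

# Documented meaning of IceSSL.VerifyPeer on the server side (restated from the Ice manual).
VERIFY_PEER_SERVER = {
    0: "does not request a client certificate",
    1: "requests a client certificate but accepts the connection without one",
    2: "requires a client certificate",
}


def parse_trace(text: str) -> List[Dict[str, object]]:
    """Group trace output into records: one '-- ' header line plus the continuation
    lines that follow it. 'key = value' continuation lines go into 'fields', any
    other continuation line (e.g. the hostname-mismatch explanation) into 'extra'."""
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw)
        if m:
            records.append({"time": m.group(1), "process": m.group(2),
                            "category": m.group(3), "message": m.group(4),
                            "fields": {}, "extra": []})
        elif records:
            if " = " in raw:
                key, value = raw.split(" = ", 1)
                records[-1]["fields"][key.strip()] = value.strip()
            else:
                records[-1]["extra"].append(raw.strip())
    return records


def connection_summary(records: List[Dict[str, object]]) -> Optional[Dict[str, str]]:
    """Return the fields of the client's 'SSL connection summary' block, if present."""
    for r in records:
        if r["message"] == "SSL connection summary":
            return r["fields"]
    return None


def validation_failures(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Security-category records that report a failed certificate validation."""
    return [r for r in records
            if r["category"] == "Security" and "validation failed" in str(r["message"])]


def diagnose(server_log: str, client_log: str, server_verify_peer: int) -> List[str]:
    """Explain the handshake outcome from both sides' traces and the server's VerifyPeer value."""
    server_records = parse_trace(server_log)
    client_records = parse_trace(client_log)
    findings = [f"server: {r['message']}" for r in validation_failures(server_records)]

    summary = connection_summary(client_records) or {}
    # .NET's SslStream reports IsMutuallyAuthenticated only when the client sent a certificate.
    client_sent_cert = summary.get("mutually authenticated") == "yes"
    policy = VERIFY_PEER_SERVER.get(server_verify_peer, "has an unknown VerifyPeer value")
    if not client_sent_cert and server_verify_peer == 2:
        findings.append(f"server IceSSL.VerifyPeer=2 {policy} but none was presented, so the "
                        "handshake cannot succeed; check the client's IceSSL.CertFile / "
                        "IceSSL.Password (assumed property names) and that the file loads")
    elif not client_sent_cert:
        findings.append(f"server IceSSL.VerifyPeer={server_verify_peer} {policy}; the "
                        "connection would be accepted without client authentication")

    for r in client_records:
        if "ignoring certificate validation failure" in str(r["message"]):
            findings.append("client: hostname check failed but was ignored: " + " ".join(r["extra"]))
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_SERVER_LOG, SAMPLE_CLIENT_LOG, server_verify_peer=2):
        print("-", line)
```

    Running the script against the constructed logs reports the server-side failure, the fact that VerifyPeer=2 cannot be satisfied while the client presents no certificate, and the client's ignored hostname mismatch (certificate issued for 127.0.0.1, connection made to 172.17.7.162); rerunning with server_verify_peer=1 shows why the same client would connect, unauthenticated, against a server with the relaxed setting.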

  • Hi,
    EXACTLY the same code (including the configuration) was run on both hosts (but the behaviour was different). It was the original ZeroC hello example (democs\Ice\hello) with no changes. Ice 3.5. In the demo both sides verify each other, and this is what I require in my application (VerifyPeer had the default value 2).

  • xdm (La Coruña, Spain)

    The log you posted clearly indicates that the client doesn't provide a certificate. It is not clear what the good/wrong machine setup you describe is. You must also check the system logs in case there is something there, but I suspect the client configuration is wrong.

    You should probably try to upgrade to 3.6; it has many IceSSL improvements. Review the release notes.