Client/Server Authentication with SSLStream

I have a client and server application which use SSLStream to communicate over port 80. Both the client and the server are running as Windows Services.

Everything works in my test environment (my development computer, running Windows 7 Ultimate). My problem is that when I deploy the client and server application to their deployment environments (the server on Windows Server 2008, and the client on Windows Server 2003) it does not work, and I get the error: "The client and server cannot communicate, because they do not possess a common algorithm". Please note that I have installed the same certificate using the makecert commands (listed in the "Firstly" section below).

In addition, when I gave up on trying to get the client to authenticate on the Windows Server 2003 computer, I moved it to a completely new/different Windows Server 2008 computer, and then got a new error along the lines of "credentials supplied to package not recognized".

If you have any experience with this issue, please advise. I have been working on this for the past 3 days and have burnt up over 20 hours of development time. Please remember, the problem keeps happening when the Server and Client attempt to authenticate.

Firstly, I used the following commands via makecert.exe to generate self-signed (?) X509 Certificates:

- makecert -n "CN=Transcert" -r -sv Transcert.pvk Transcert.cer
- makecert -sk Transcert -iv Transcert.pvk -n "CN=Transcert" -ic Transcert.cer Transcert.cer -sr LocalMachine -ss Root 

(Please note, I used the store location 'LocalMachine' because it is my understanding that Windows Services use this store location through the LocalSystem account; I may be wrong?)

Secondly, on the Server, I retrieve the certificate from the store with the following code:

private X509Certificate GetServerCertificate()
{
  X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
  store.Open(OpenFlags.ReadOnly);
  // FindBySubjectName matches the CN given to makecert; validOnly = false so the self-signed cert is returned
  X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, "Transcert", false);
  store.Close();
  if (certs.Count > 0)
  {
    return certs[0];
  }
  return null;
}

Thirdly, on the Server, I start listening for TCP clients on port 80:

public virtual void StartListening()
{
  // Equivalent to the obsolete TcpListener(int) overload: listen on all interfaces
  sslServer = new TcpListener(IPAddress.Any, HostPort);

  sslServer.Start();

  AcceptClientThread = new Thread(new ThreadStart(AcceptClientThread_Run));
  AcceptClientThread.IsBackground = true;
  AcceptClientThread.Start();
}

private void AcceptClientThread_Run()
{
  // Loop instead of recursing: calling AcceptClientThread_Run() from itself grows the
  // stack by one frame per accepted client and eventually overflows it.
  while (true)
  {
    try
    {
      TcpClient client = sslServer.AcceptTcpClient();

      ProcessNewClient(client);
    }
    catch (Exception ex)
    {
      // Record the failure rather than swallowing it; a handshake exception thrown by
      // ProcessNewClient would otherwise disappear here.
      Console.Error.WriteLine("Accept/handshake failed: " + ex);
    }
  }
}

Fourthly, on the Server, I prepare the code that runs when a client connects:

  // Body of the per-client handler: pSslClient is the accepted TcpClient,
  // pSSLCertificate is the certificate retrieved from the store above.
  SslClient = pSslClient;
  SSLCertificate = pSSLCertificate;

  _SslStream = new SslStream(SslClient.GetStream(), false);
  // Server-side handshake: no client certificate required, TLS 1.0 only, no revocation check.
  // AuthenticateAsServer needs a certificate whose private key is present in the store.
  _SslStream.AuthenticateAsServer(SSLCertificate, false, SslProtocols.Tls, false);

  Output = new StreamWriter(_SslStream);
  Output.AutoFlush = true;
  Input = new StreamReader(_SslStream);

  ReadThread = new Thread(new ThreadStart(ReadIncomingData));
  ReadThread.Start();

Finally, on the Client, I prepare the code for connecting the Client to the Server:

    // ServicePointManager.SecurityProtocol only governs HttpWebRequest/WebClient connections;
    // an SslStream created directly does not read it.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;

    sslClient = new TcpClient();
    sslClient.Connect(HostAddress, HostPort);

    //ServicePointManager.ServerCertificateValidationCallback = delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; };

    // CertificateValidationCallback receives the server certificate and the SslPolicyErrors for it
    sslStream = new SslStream(sslClient.GetStream(), false, new RemoteCertificateValidationCallback(CertificateValidationCallback));
    // targetHost must match the certificate's subject CN ("Transcert"); a mismatch is
    // reported to the callback as RemoteCertificateNameMismatch
    sslStream.AuthenticateAsClient("Transcert");

    showSslInfo(HostAddress, sslStream, true);

-- Above is everything I have available in relation to this problem --


If the same code is working on one machine and not on the other, with the same server certificate, then I would double-check that the private key was imported correctly along with the server certificate on the second machine.

Look at the certificate's properties in the Certificate Manager MMC snap-in, and you should see the tiny key icon next to "You have a private key that corresponds to this certificate."

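As an added diagnostic, not code from the question or the answer: this console program, run under the same account as the service, repeats the store lookup, prints whether the private key is present (the check the answer describes), and drives a loopback SslStream handshake with the same AuthenticateAsServer call so that a handshake failure is reported with its message instead of inside the service. It assumes the subject name "Transcert" from the question; the ephemeral port, the Task and the reporting callback are my additions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

class SslSelfCheck
{
    const string SubjectName = "Transcert"; // the CN passed to makecert in the question
    // Same lookup as the question's server code, but as X509Certificate2 so HasPrivateKey is available.
    static X509Certificate2 FindCert()
    {
        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindBySubjectName, SubjectName, false);
        store.Close();
        return found.Count > 0 ? found[0] : null;
    }
    static void Main()
    {
        X509Certificate2 cert = FindCert();
        if (cert == null) { Console.WriteLine("No certificate with CN=" + SubjectName + " in LocalMachine\\Root"); return; }
        // The check from the answer: the server side needs the private key, not only the public certificate.
        Console.WriteLine("Found {0}; HasPrivateKey={1}", cert.Subject, cert.HasPrivateKey);
        // Loopback handshake on an ephemeral port, so any handshake error surfaces here rather than in the service.
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        Task server = Task.Run(() =>
        {
            using (TcpClient accepted = listener.AcceptTcpClient())
            using (var serverSsl = new SslStream(accepted.GetStream(), false))
            {
                try { serverSsl.AuthenticateAsServer(cert, false, SslProtocols.Tls, false); }
                catch (Exception ex) { Console.WriteLine("Server handshake failed: " + ex.Message); return; }
                Console.WriteLine("Server negotiated {0} / {1}", serverSsl.SslProtocol, serverSsl.CipherAlgorithm);
            }
        });
        using (var client = new TcpClient("127.0.0.1", port))
        using (var clientSsl = new SslStream(client.GetStream(), false, (s, c, chain, errors) =>
            { Console.WriteLine("Client-side policy errors: " + errors); return true; }))
        {
            try { clientSsl.AuthenticateAsClient(SubjectName, null, SslProtocols.Tls, false); }
            catch (Exception ex) { Console.WriteLine("Client handshake failed: " + ex.Message); }
        }
        server.Wait();
    }
}
```

The client callback returns true only so the diagnostic can report the policy errors it saw (a self-signed certificate shows RemoteCertificateChainErrors); the real client should keep its own CertificateValidationCallback. Requires .NET 4.0 or later for System.Threading.Tasks.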