SslStream with client certificates

**Elkvis** · 02-12-2015

I'm having no luck getting client certificates working with my SslStream project. No matter what I do, I can't get it to actually use the client certificate, despite the fact that all certificates are valid and trusted, and I have imported the CA certificate for the ones I generated myself, and it just doesn't work. I must be missing something, but I've been over it dozens of times, reviewed documentation, examples, and hours of google searching, and I just can't get it to work. What am I doing wrong?

Client:

Code:

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.Text;

namespace SslClient
{
    class SslClientProgram
    {
        static void Main(string[] args)
        {
            TcpClient client = new TcpClient("localhost", 443);

            SslStream stream = new SslStream(client.GetStream(), false, VerifyServerCertificate, null);

            Assembly assembly = System.Reflection.Assembly.GetExecutingAssembly();
            string location = assembly.Location;
            int pos = location.LastIndexOf('\\');
            location = location.Substring(0, pos);
            X509Certificate2 certificate = new X509Certificate2(location + "\\my.client.certificate.pfx", "password");

            stream.AuthenticateAsClient("my.host.name", new X509Certificate2Collection(certificate), System.Security.Authentication.SslProtocols.Tls, false);

            StreamReader reader = new StreamReader(stream);
            StreamWriter writer = new StreamWriter(stream);

            while (true)
            {
                string line = System.Console.ReadLine();
                writer.WriteLine(line);
                writer.Flush();
                if (line == "close") break;
                line = reader.ReadLine();
                System.Console.WriteLine("Received: {0}", line);
            }

            stream.Close();
        }

        private static bool VerifyServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            return true;
        }
    }
}

Server:

Code:

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.Text;

namespace SslServer
{
    class SslServerProgram
    {
        static void Main(string[] args)
        {
            TcpListener server = new TcpListener(System.Net.IPAddress.Loopback, 443);

            server.Start();

            TcpClient client = server.AcceptTcpClient();

            SslStream stream = new SslStream(client.GetStream(), false, VerifyClientCertificate, null);

            Assembly assembly = System.Reflection.Assembly.GetExecutingAssembly();
            string location = assembly.Location;
            int pos = location.LastIndexOf('\\');
            location = location.Substring(0, pos);
            X509Certificate2 certificate = new X509Certificate2(location + "\\my.server.certificate.pfx", "password");

            stream.AuthenticateAsServer(certificate, false, System.Security.Authentication.SslProtocols.Tls, false);

            if (stream.RemoteCertificate != null)
            {
                System.Console.WriteLine(stream.RemoteCertificate.Subject);
            }
            else
            {
                System.Console.WriteLine("No client certificate.");
            }

            StreamReader reader = new StreamReader(stream);
            StreamWriter writer = new StreamWriter(stream);

            bool clientClose = false;
            while (!System.Console.KeyAvailable)
            {
                System.Console.WriteLine("Waiting for data...");
                string line = reader.ReadLine();
                System.Console.WriteLine("Received: {0}", line);
                
                if (line == "close")
                {
                    clientClose = true;
                    break;
                }

                writer.WriteLine(line);
                writer.Flush();
            }

            if (!clientClose) System.Console.ReadKey();

            stream.Close();
            server.Stop();
        }

        private static bool VerifyClientCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            return true;
        }
    }
}

The server always says "No client certificate."

**Elkvis** · 02-16-2015

Seeing no responses, I have posted it as a question on StackOverflow.

**itsme86** · 02-17-2015

Yeah, sorry. I have no experience with this.

**arpsmack** · 02-18-2015

This might be silly, but it looks like you're passing false for the clientCertificateRequired parameter to stream.AuthenticateAsServer. Shouldn't you be passing true?

This guy has some sample code up on codeproject: Downloads: An Introduction to Mutual SSL Authentication - CodeProject It looks like he's passing true for that param, otherwise I think his socket code looks pretty similar to yours.

**Elkvis** · 02-18-2015

Originally Posted by arpsmack

This might be silly, but it looks like you're passing false for the clientCertificateRequired parameter to stream.AuthenticateAsServer. Shouldn't you be passing true?

If I pass true, it just throws exceptions, because there is no client certificate. When it's false, it still allows a client certificate, but doesn't require it.

Originally Posted by arpsmack

This guy has some sample code up on codeproject: Downloads: An Introduction to Mutual SSL Authentication - CodeProject It looks like he's passing true for that param, otherwise I think his socket code looks pretty similar to yours.

I downloaded and tried out the code from that article, and it did exactly the same thing. No client certificate was used, even though it was specified. I'm really starting to think that the advertised client certificate support in .Net is entirely fictional.

**phantomotap** · 02-18-2015

If I pass true, it just throws exceptions, because there is no client certificate.

When it's false, it still allows a client certificate, but doesn't require it.

I'm really starting to think that the advertised client certificate support in .Net is entirely fictional.

O_o

I admit that I don't do C# programming, but I keep seeing this pop up so I thought I'd take a look.

I do not know the source of the problem, but I wonder if you've tried the obvious conditional approach.

Code:

try
{
    stream.AuthenticateAsServer(certificate, true, System.Security.Authentication.SslProtocols.Tls, false);
}
catch(...) // I don't know the C# version of a generic `catch' block.
{
    stream.AuthenticateAsServer(certificate, false, System.Security.Authentication.SslProtocols.Tls, false);
}

Soma

**Elkvis** · 02-18-2015

It turns out I was wrong. If that parameter is false, it ignores client certificates altogether. I got it to work by changing it to true. Oddly enough, that didn't seem to work before, although there may have been other things I was doing wrong at that time.

Thread: SslStream with client certificates

Thread Tools

Search Thread

Display

SslStream with client certificates

Similar Threads

System.Net.Security.SslStream closes improperly

Client/server problem; server either stops receiving data or client stops sending

Digital Certificates - Vista

FTP Client

Certificates??