Using SSL and SslStream for peer to peer authentication?

by

Step 1: Generating a self-signed certificate:

  • I downloaded the Certificate.cs class posted by Doug Cook

  • I used this code to generate a .pfx certificate file:

    byte[] c = Certificate.CreateSelfSignCertificatePfx(
        "CN=yourhostname.com", //host name
        DateTime.Parse("2000-01-01"), //not valid before
        DateTime.Parse("2010-01-01"), //not valid after
        "mypassword"); //password to encrypt key file

    using (BinaryWriter binWriter = new BinaryWriter(
        File.Open(@"testcert.pfx", FileMode.Create)))
    {
        binWriter.Write(c);
    }

Step 2: Loading the certificate

    X509Certificate cert = new X509Certificate2(
                            @"testcert.pfx", 
                            "mypassword");

Step 3: Putting it together

  • I based it on this very simple SslStream example
  • You will get a compile time error about the SslProtocolType enumeration. Just change that from SslProtocolType.Default to SslProtocols.Default
  • There were 3 warnings about deprecated functions. I replaced them all with the suggested replacements.

  • I replaced this line in the Server Program.cs file with the line from Step 2:

    X509Certificate cert = getServerCert();

  • In the Client Program.cs file, make sure you set serverName = yourhostname.com (and that it matches the name in the certificate)

  • In the Client Program.cs, the CertificateValidationCallback function fails because sslPolicyErrors contains a RemoteCertificateChainErrors. If you dig a little deeper, this is because the issuing authority that signed the certificate is not a trusted root.
  • I don`t want to get into having the user import certificates into the root store, etc., so I made a special case for this, and I check that certificate.GetPublicKeyString() is equal to the public key that I have on file for that server. If it matches, I return True from that function. That seems to work.

Step 4: Client Authentication

Here’s how my client authenticates (it’s a little different than the server):

TcpClient client = new TcpClient();
client.Connect(hostName, port);

SslStream sslStream = new SslStream(client.GetStream(), false,
    new RemoteCertificateValidationCallback(CertificateValidationCallback),
    new LocalCertificateSelectionCallback(CertificateSelectionCallback));

bool authenticationPassed = true;
try
{
    string serverName = System.Environment.MachineName;

    X509Certificate cert = GetServerCert(SERVER_CERT_FILENAME, SERVER_CERT_PASSWORD);
    X509CertificateCollection certs = new X509CertificateCollection();
    certs.Add(cert);

    sslStream.AuthenticateAsClient(
        serverName,
        certs,
        SslProtocols.Default,
        false); // check cert revokation
}
catch (AuthenticationException)
{
    authenticationPassed = false;
}
if (authenticationPassed)
{
    //do stuff
}

The CertificateValidationCallback is the same as in the server case, but note how AuthenticateAsClient takes a collection of certificates, not just one certificate. So, you have to add a LocalCertificateSelectionCallback, like this (in this case, I only have one client cert so I just return the first one in the collection):

static X509Certificate CertificateSelectionCallback(object sender,
    string targetHost,
    X509CertificateCollection localCertificates,
    X509Certificate remoteCertificate,
    string[] acceptableIssuers)
{
    return localCertificates[0];
}

More Related Contents:

  1. Using a self-signed certificate with .NET’s HttpWebRequest/Response
  2. bypass invalid SSL certificate in .net core
  3. How to set read permission on the private key file of X.509 certificate from .NET
  4. Could not establish trust relationship for SSL/TLS secure channel — SOAP
  5. How to ignore the certificate check when ssl
  6. Which TLS version was negotiated?
  7. How can I send emails through SSL SMTP with the .NET Framework?
  8. C# Ignore certificate errors?
  9. What is point of SSL if fiddler 2 can decrypt all calls over HTTPS?
  10. Generate a self-signed certificate on the fly
  11. The client and server cannot communicate, because they do not possess a common algorithm – ASP.NET C# IIS TLS 1.0 / 1.1 / 1.2 – Win32Exception
  12. The request was aborted: Could not create SSL/TLS secure channel
  13. How to use a client certificate to authenticate and authorize in a Web API
  14. The remote certificate is invalid according to the validation procedure [duplicate]
  15. Associate a private key with the X509Certificate2 class in .net
  16. How to ignore a certificate error with c# 2.0 WebClient – without the certificate
  17. Enable SSL in Visual Studio
  18. Can connect to FTP using FileZilla or WinSCP, but not with FtpWebRequest or FluentFTP
  19. Check ssl protocol, cipher & other properties in an asp.net mvc 4 application
  20. how to enable TLS 1.3 in windows 10
  21. Is current request being made over SSL with Azure deployment
  22. Requesting html over https with c# Webclient
  23. Which versions of SSL/TLS does System.Net.WebRequest support?
  24. Accessing uploaded certificates in azure web sites
  25. Could not create SSL/TLS secure channel, despite setting ServerCertificateValidationCallback
  26. SSLStream example – how do I get certificates that work?
  27. Is it safe to test the X509Certificate.Thumbprint property when you know an invalid certificate is safe?
  28. Can I reuse HttpWebRequest without disconnecting from the server?
  29. Is TLS 1.1 and TLS 1.2 enabled by default for .NET 4.5 and .NET 4.5.1?
  30. Using Protobuf-net, I suddenly got an exception about an unknown wire-type

Leave a Comment