Let's divide the problem into parts.

Concerning the error `RemoteCertificateNameMismatch`: this is due to the fact that the name you should pass to `AuthenticateAsClient(...)` is the server name. That is, if the server is `localhost`, you should pass that name in this way:

```csharp
sslStream.AuthenticateAsClient("localhost");
```

If you are generating your own certificate, you must ensure that the name you pass to `AuthenticateAsClient` is the same as in "CN=[server name]".

Regarding the `RemoteCertificateChainErrors`: if you are generating your own certificate, the algorithm validating the certificate may not trust your certificate, as it is not in a trusted location.

One way to solve the problem is to install the certificate in the certificate store of your computer, or to use the following code (source: MSDN):
```csharp
private static bool CertificateValidationCallBack(
    object sender,
    System.Security.Cryptography.X509Certificates.X509Certificate certificate,
    System.Security.Cryptography.X509Certificates.X509Chain chain,
    System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
    // If the certificate is a valid, signed certificate, return true.
    if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
    {
        return true;
    }

    // If there are errors in the certificate chain, look at each error to determine the cause.
    if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
    {
        if (chain != null && chain.ChainStatus != null)
        {
            foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
            {
                if ((certificate.Subject == certificate.Issuer) &&
                    (status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
                {
                    // Self-signed certificates with an untrusted root are valid.
                    continue;
                }
                else
                {
                    if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
                    {
                        // If there are any other errors in the certificate chain, the certificate is invalid,
                        // so the method returns false.
                        return false;
                    }
                }
            }
        }

        // When processing reaches this line, the only errors in the certificate chain are
        // untrusted root errors for self-signed certificates. These certificates are valid
        // for default Exchange server installations, so return true.
        return true;
    }
    else
    {
        // In all other cases, return false.
        return false;
    }
}
```
This way, you can use certificates signed by you while you are developing/testing. To use this for validation:

```csharp
SslStream stream = new SslStream(client.GetStream(), false, CertificateValidationCallBack);
```

Thus, when the stream is authenticated, the above method is used for checking.
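The MSDN callback above accepts any self-signed certificate whose subject equals its issuer, which is wider than a development setup needs. The following is an added example (not from the answer or from MSDN) of a stricter callback that tolerates only the `UntrustedRoot` chain error and only for one specific certificate, pinned by its thumbprint; the `ExpectedThumbprint` value is a placeholder you replace with the thumbprint of the certificate you generated.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedDevCertValidation
{
    // Placeholder (assumption): the SHA-1 thumbprint of your own self-signed
    // development certificate, e.g. as shown by certmgr or "openssl x509 -fingerprint".
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // Same signature as RemoteCertificateValidationCallback, so it can be passed
    // to the SslStream constructor exactly like CertificateValidationCallBack.
    public static bool ValidatePinnedDevCert(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Certificate chains to a root the OS already trusts: nothing more to check.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        if (certificate == null)
            return false;

        // Tolerate only chain errors. A RemoteCertificateNameMismatch still means the
        // name given to AuthenticateAsClient does not match the CN, so reject it.
        if ((sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        // The only acceptable chain problem is the missing trusted root; anything
        // else (expired, revoked, bad signature, ...) is rejected.
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                if (status.Status != X509ChainStatusFlags.NoError &&
                    status.Status != X509ChainStatusFlags.UntrustedRoot)
                    return false;
            }
        }

        // Finally, accept only the one certificate you generated, not every self-signed one.
        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        return string.Equals(cert2.Thumbprint, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Use it as `new SslStream(client.GetStream(), false, PinnedDevCertValidation.ValidatePinnedDevCert)`; once the certificate is installed in the trusted store, `sslPolicyErrors` becomes `None` and the pinning branch is never reached.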
When I made the certificate it had no "CN=[server]" – Enzo Tiezzi

If you are using OpenSSL, it is the Common Name that it asks for when generating the certificate. I edited the .bat code from your other question in order to eliminate the need to specify the names each time you run the script. – Omni

Yes, I'm using what you gave me yesterday. – Enzo Tiezzi

So do I then put the name in AuthenticateAsClient()? – Enzo Tiezzi

If in the CN you put localhost, the method becomes AuthenticateAsClient("localhost"); – Omni

Is UserCertificateValidationCallback a class with the CertificateValidationCallback method? – Enzo Tiezzi

No, CertificateValidationCallBack is a method that you define in your program and then use in the SslStream constructor (I apologize for any inconsistencies in the code, I will review it when I am at home). – Omni

I tidied it up right here; my doubt is still about the CN, because in the case of the bat you gave me yesterday it did not have the "CN=[server name]". – Enzo Tiezzi

Let us continue this discussion in chat. – Omni

If not localhost, can I put only the correct machine name? – Enzo Tiezzi

@Enzotiezzi has to pass the name he put in the CN when he generated the certificate. If in the CN he put the name of the machine, then pass the name of the machine to AuthenticateAsClient(...). – Omni

This CN, do I put it when the prompt opens to make the certificate? – Enzo Tiezzi