Exception when trying to authenticate SSL connection

Viewed 384 times

On my client, when trying to authenticate an SSL connection, an exception of type AuthenticationException is raised. The errors found in the certificate are RemoteCertificateNameMismatch and RemoteCertificateChainErrors.

The code used to authenticate:

sslStream.AuthenticateAsClient(serverName);

How can I solve this exception?

1 answer


Let’s divide the problem into parts.

Concerning the RemoteCertificateNameMismatch error, this is due to the fact that the name you should pass to AuthenticateAsClient(...) is the server name. That is, if the server is localhost, you should pass that name like this:

sslStream.AuthenticateAsClient("localhost");

If you are generating your own certificate, you must ensure that the name you pass to AuthenticateAsClient is the same as in "CN=[server name]".

Regarding the RemoteCertificateChainErrors, if you are generating your own certificate, the algorithm that validates the certificate may not trust your certificate, since it is not in a trusted location.

One way to solve the problem is to install the certificate in the certificate store on your computer, or to use the following code (source: MSDN):

private static bool CertificateValidationCallBack(
    object sender,
    System.Security.Cryptography.X509Certificates.X509Certificate certificate,
    System.Security.Cryptography.X509Certificates.X509Chain chain,
    System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
    // If the certificate is a valid, signed certificate, return true.
    if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
    {
        return true;
    }

    // If there are errors in the certificate chain, look at each error to determine the cause.
    // Note: because this is a bitwise test, any other flag set alongside RemoteCertificateChainErrors
    // (such as RemoteCertificateNameMismatch) is not examined by the code below.
    if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
    {
        if (chain != null && chain.ChainStatus != null)
        {
            foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
            {
                if ((certificate.Subject == certificate.Issuer) &&
                    (status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
                {
                    // Self-signed certificates with an untrusted root are accepted here.
                    continue;
                }
                else
                {
                    if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
                    {
                        // If there are any other errors in the certificate chain, the certificate is invalid,
                        // so the method returns false.
                        return false;
                    }
                }
            }
        }

        // When processing reaches this line, the only errors in the certificate chain are
        // untrusted root errors for self-signed certificates. These certificates are valid
        // for default Exchange server installations, so return true.
        return true;
    }
    else
    {
        // In all other cases, return false.
        return false;
    }
}

This way, you can use certificates signed by you while you are developing/testing. To use this for validation:

SslStream stream = new SslStream(client.GetStream(), false, CertificateValidationCallBack);

Thus, when the stream is authenticated, the above method is used for the check.
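As an added example (not the answer's code and not the MSDN sample): a validation callback for development builds that trusts exactly one known self-signed server certificate, identified by its thumbprint, while still rejecting a name mismatch, instead of accepting any self-signed certificate. The thumbprint constant is a placeholder to be replaced with the fingerprint of the certificate you generated; `client` and `serverName` are assumed to be supplied by the caller.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

static class DevTlsClient
{
    // Placeholder: SHA-1 thumbprint of the self-signed certificate generated for development
    // (e.g. from "openssl x509 -fingerprint -sha1 -noout -in server.crt", colons removed).
    private const string DevCertThumbprint = "0000000000000000000000000000000000000000";

    // Accept the connection only if (a) the chain validates normally, or (b) the ONLY problem
    // is an untrusted self-signed root AND that certificate is the one we expect.
    // A name mismatch is never accepted: the CN/SAN must still equal the name passed to
    // AuthenticateAsClient, exactly as the answer above explains.
    private static bool ValidateDevServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Equality, not a bitwise test: RemoteCertificateNameMismatch or
        // RemoteCertificateNotAvailable set alongside chain errors is rejected.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors || chain == null)
            return false;

        // Within the chain errors, tolerate only UntrustedRoot.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NoError &&
                status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        // Pin: the untrusted self-signed certificate must be exactly our development certificate.
        var cert2 = new X509Certificate2(certificate);
        return string.Equals(cert2.Thumbprint, DevCertThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static SslStream Connect(TcpClient client, string serverName)
    {
        var stream = new SslStream(client.GetStream(), false, ValidateDevServerCertificate);
        stream.AuthenticateAsClient(serverName); // serverName must match the certificate's CN/SAN
        return stream;
    }
}
```

With the pin in place, a different self-signed certificate presented under the same name fails validation, which the MSDN callback would have accepted.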

  • when I made the certificate, it had no "CN=[server]"

  • if you are using OpenSSL, it is the Common Name that it asks for when generating the certificate. I edited the .bat code from your other question to eliminate the need to specify the names each time you run the script.

  • yes, I'm using what you gave me yesterday

  • so do I put the name in AuthenticateAsClient()?

  • if you put localhost in the CN, the method becomes AuthenticateAsClient("localhost");

  • Is UserCertificateValidationCallback a class with the CertificateValidationCallBack method?

  • no, CertificateValidationCallBack is a method that you define in your program and then use in the SslStream constructor (I apologize for any inconsistencies in the code, I will review it when I am at home).

  • I tidied it up right here; my doubt is still about the CN, because the bat you gave me yesterday did not have the "CN=[server name]"

  • if it is not localhost, can I just put the correct machine name?

  • @Enzotiezzi you have to pass the name you put in the CN when you generated the certificate. If you put the machine name in the CN, then pass the machine name to AuthenticateAsClient(...)

  • this CN, do I put it when the prompt opens to create the certificate?
