
I have a requirement to call a server web service with a client certificate. They have provided me one .crt file. I am hosting my project on Windows Server 2008 with IIS 7.

I installed the .crt via right-click > Properties, as I can't add the certificate to Server Certificates by Complete Certificate Request. I got the error:

CertEnroll::CX509Enrollment::p_InstallResponse: ANSI bad tag value met.

I googled and found nothing on how to install a .crt client certificate. I also tried installing it as explained here in step 4.

And when I called it like this:

// Load the certificate file from the web application's folder
string certPath = Server.MapPath("../certificate/iot01.servername.crt");
X509Certificate2 cert = new X509Certificate2(certPath);
// Attach it to the generated SOAP proxy, then invoke the operation
ws.ClientCertificates.Add(cert);
res = ws.methodName(parameters);

I got the error:

System.IO.IOException: The handshake failed due to an unexpected packet format.
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.TlsStream.CallProcessAuthentication(Object state)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at .....

Is this related to my certificate installation and the way I call the service? Can someone point me to where I have gone wrong?
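The following is an added example and is not code from the original post. It shows the check a practitioner would make before attaching a certificate to a SOAP proxy: a .crt file carries only the public certificate, while TLS client authentication needs the matching private key, so the certificate is loaded from a PFX (or from the machine store, where it was imported together with its key) and `HasPrivateKey` is verified. The file name `client.pfx`, the proxy type `ServiceProxy`, the service URL, and the thumbprint parameter are assumptions for illustration; `methodName` is the operation from the question.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post. Assumes a PFX holding the
// certificate AND its private key, and a proxy class "ServiceProxy"
// generated from the service WSDL (both hypothetical names).
static class ClientCertExample
{
    // Load a certificate with its private key from a PFX file and refuse
    // anything that cannot actually authenticate a client.
    public static X509Certificate2 LoadClientCertificate(string pfxPath, string pfxPassword)
    {
        var cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

        // A bare .crt loaded this way would report HasPrivateKey == false.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate has no private key; a .crt alone cannot authenticate a client.");

        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("Certificate is outside its validity period.");

        return cert;
    }

    // Alternative: pick the certificate from LocalMachine\My, where it was
    // imported with its private key. The thumbprint is caller-supplied.
    public static X509Certificate2 FindInMachineStore(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0 || !found[0].HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate with private key not found in LocalMachine\\My.");
            return found[0];
        }
        finally
        {
            store.Close(); // X509Store is not IDisposable before .NET 4.6
        }
    }

    public static void CallService(string pfxPath, string pfxPassword)
    {
        // Pin the protocol (requires .NET 4.5+). A handshake where one side
        // answers in plaintext, or with a protocol the other side does not
        // speak, surfaces as "The handshake failed due to an unexpected packet format".
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        X509Certificate2 cert = LoadClientCertificate(pfxPath, pfxPassword);

        var ws = new ServiceProxy();                        // hypothetical generated proxy
        ws.Url = "https://iot01.servername/service.asmx";   // assumed URL; must be https, not http
        ws.ClientCertificates.Add(cert);
        var res = ws.methodName();                          // operation name from the question
    }
}
```

When the proxy runs inside IIS, the application pool identity also needs read access to the private key (the "Manage Private Keys" ACL on the store entry, or read access to the PFX file); a key the worker process cannot read behaves like a certificate with no key at all.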

1 Answer


I believe it's to do with your calling: the steps you should follow.

As a brute-force method to get to the crux of your issue, do this:

Use a completely different, new project to create code just to test the part about server authentication, using the steps in the link you refer to as "here". This will keep it from getting bundled up with other problems that can hinder your debugging.

However, as a quick check,

First, try to make sure you do not require TLS rather than SSL, by using an EXPLICIT TLS connection instead:

Check for any method in the connection object that starts TLS: http://www.limilabs.com/blog/the-handshake-failed-due-to-an-unexpected-packet-format

client.Connect("mail.example.com"); // open a plaintext connection on the standard port
client.StartTLS();                  // then upgrade it to TLS explicitly (STARTTLS)

Or try this: https://social.msdn.microsoft.com/Forums/en-US/e8807c4c-72b6-4254-ae64-45c2743b181e/ssltls-the-handshake-failed-due-to-an-unexpected-packet-format-mercury-for-win32-pop3?forum=ncl

In your logging there seem to be four runs (processes 5068, 3984, 1628, and 7124). Are the latter three working? Did you change something?

For 5068 at least, you are reading a response after sending the STLS command, but you're not reading the server's initial "I'm alive" line. See e.g. in Wikipedia:

S: C: S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>

So you need to read that line before you send the STLS command. You can see in 5068 that the SslStream gets the "+OK B[egin SSL...]" response instead of the SSL response.

Later: I see now what's occurring. In the other three runs the stream.Read operation is reading both response lines! So it's just luck whether it works or not.

For example, I wasn't printing both lines in my previous sample; printing both, I now see:

D:\Temp>SslStartTest.exe -client2 localhost 110
resp: +OK <67051906.3308@alanjmcf.example.com>, POP3 server ready.
resp: +OK Begin SSL/TLS negotiation...
HandleLocalCertificateSelectionCallback
HandleRemoteCertificateValidationCallback
SslPolicyErrors: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
TLS session connected. :-)
Cipher: TripleDes strength 168
Hash: Sha1 strength 160
Key exchange: RsaSign strength 1024
Protocol: Tls
Is authenticated: True as server? False
IsSigned: True
Is Encrypted: True
Certificate revocation list checked: False
Local certificate is null.
Remote cert was issued to CN=alanjmcf.example.com and is valid from 03/04/2009 10:47:40 until 29/03/2029 10:47:40.
Can read: True, write True
Can timeout: True
^C

Gift Rise
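The explicit-TLS exchange the answer describes, as an added example that is not part of the original answer or of the MSDN thread it quotes. The client consumes the server's greeting first, sends STLS, waits for the plaintext "+OK" acknowledgement, and only then hands the socket to SslStream. Lines are read one byte at a time on purpose: a buffered reader such as StreamReader could pull the first bytes of the TLS handshake into its own buffer, which is exactly the "just luck whether it works" behaviour the thread observed. The host and port are caller-supplied; the method and class names are mine.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Text;

// Added example; not code from the answer or the quoted MSDN thread.
static class Pop3StartTls
{
    // Read one CRLF-terminated line without buffering past it, so no bytes
    // belonging to the TLS handshake are swallowed before SslStream sees them.
    static string ReadLine(Stream s)
    {
        var sb = new StringBuilder();
        int b;
        while ((b = s.ReadByte()) != -1)
        {
            if (b == '\n') break;
            if (b != '\r') sb.Append((char)b);
        }
        if (b == -1 && sb.Length == 0)
            throw new IOException("Connection closed before a response line arrived.");
        return sb.ToString();
    }

    static void WriteLine(Stream s, string line)
    {
        byte[] bytes = Encoding.ASCII.GetBytes(line + "\r\n");
        s.Write(bytes, 0, bytes.Length);
    }

    // Returns an authenticated SslStream ready for POP3 commands (USER, PASS, ...).
    public static SslStream Connect(string host, int port)
    {
        var tcp = new TcpClient(host, port);
        NetworkStream net = tcp.GetStream();

        // 1. The server speaks first. Consume the greeting before sending anything,
        //    otherwise this line is what SslStream will later mistake for a ServerHello.
        string greeting = ReadLine(net);
        if (!greeting.StartsWith("+OK"))
            throw new IOException("Unexpected POP3 greeting: " + greeting);

        // 2. Ask to upgrade and wait for the plaintext acknowledgement ("+OK Begin ...").
        WriteLine(net, "STLS");
        string reply = ReadLine(net);
        if (!reply.StartsWith("+OK"))
            throw new IOException("Server refused STLS: " + reply);

        // 3. Only now do the next bytes on the wire belong to the TLS handshake.
        //    Default validation checks the server certificate against the
        //    machine trust store and the host name; do not weaken it with a
        //    RemoteCertificateValidationCallback that returns true.
        var ssl = new SslStream(net, false);
        ssl.AuthenticateAsClient(host);

        if (!ssl.IsEncrypted || !ssl.IsAuthenticated)
            throw new IOException("TLS session is not encrypted and authenticated.");
        return ssl;
    }
}
```

Usage: `using (var ssl = Pop3StartTls.Connect("mail.example.com", 110)) { /* send USER/PASS over ssl */ }`. If instead the server expects implicit TLS (POP3S on port 995), skip the STLS exchange entirely and call `AuthenticateAsClient` directly on the fresh NetworkStream; mixing the two modes on the wrong port produces the same "unexpected packet format" error.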