0

I am trying to implement a a client library in C# to communicate with a tomcat server. The authentication should be done by using a Feitian epass2003 token with a X.509 certificate inside mutual SSL authentication in a windows client.

However i am having a bad time cause everytime I run the client windows requests the token password in order to proceed the operation which is a overkill to the user and not acceptable.

I would like to know if its possible to dismiss this request and add it in some way in the code. Or if there is other way to use the token without using the windows cert manager.

this is how I am extending the connector: 

 class WebClientEx : WebClient
 { 
     public int Timeout { get; set; }

     public X509Certificate certificate { get; set; }

     protected override WebRequest GetWebRequest(Uri address)
     {
         ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
         ServicePointManager.Expect100Continue = true;
         ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
         HttpWebRequest request = (HttpWebRequest)base.GetWebRequest(address);
         request.Credentials = CredentialCache.DefaultCredentials;
         request.AuthenticationLevel = AuthenticationLevel.MutualAuthRequested;
         request.ClientCertificates.Add(this.certificate);
         request.Timeout = this.Timeout;
         return request;
     }
...
}

This is an example how I am connecting to my server: 

byte[] certificate = getCertificate("autenticacao"); // Get certificate from token

 X509Certificate cert = new X509Certificate(certificate);

 var post = new NameValueCollection();
 post["test"] = "1";

 using (var wb = new WebClientEx(cert))
 {
     try
     {
         wb.Timeout = 30000;
         var response = wb.UploadValues("https://localhost:8443", "POST", post);
         Console.WriteLine("Done.");
     }
     catch (WebException e)
     {
         // Handle WebException
     }
 }

This is windows request screen: enter image description here

Best regards,

leppie
  • 115,091
  • 17
  • 196
  • 297
Winter
  • 1,896
  • 4
  • 32
  • 41

1 Answers1

0

TLS allows for session reuse using a session ticket. See RFC5077 Transport Layer Security (TLS) Session Resumption without Server-Side State, read Speeding up SSL: enabling session reuse. Server support varies. Afaik the .Net Framework client side support is, basically, none. See TLS/SSL and .NET Framework 4.0.

Hardware modules do not allow the private key to ever leave the module and the PIN is required on each access. So if the TLS handshake requires the key, then the PIN dialog is unavoidable, your only chance is to try avoiding the private key requirement, and that is only doable with reusable TLS session tickets, afaik.

You may reconsider the mutual TLS requirement on each access. Access one resource (ie. login page), get an access ticket (cookie) then use this on authenticating accessing the rest of the resources.

PS. SSL is a no-option, been obsolete for years everybody talks about TLS nowadays.

Community
  • 1
  • 1
Remus Rusanu
  • 288,378
  • 40
  • 442
  • 569
  • Is it not possible to use the pkcs11 interface in the https connector ? I already implemented using pcks11 a way to init the token without the necessity of the pin dialog since I start the token in the code itself. – Winter Dec 11 '14 at 15:29