
I'm trying to establish a TCP connection to a remote server using SslStream and TLS 1.2 protocol. The code is as follows:

// Open the plain TCP connection first; TLS runs on top of it.
_tcpClient.Connect(endPoint);

// Load the client certificate (PFX with private key) from disk.
var certificate = new X509Certificate2(_settings.CertificateFilePath, _settings.CertificatePassword, X509KeyStorageFlags.MachineKeySet);
var certificates = new X509CertificateCollection { certificate };

_nStream = _tcpClient.GetStream();
_sslStream = new SslStream(_nStream, false,
    // Remote certificate validation: accepts every server certificate (no validation).
    (o, x509Certificate, chain, errors) => true,
    // Local certificate selection: always offer the first loaded certificate.
    (o, s, collection, x509Certificate, issuers) =>
    { return collection[0]; }
);

// Handshake as TLS 1.2 client with revocation checking enabled.
_sslStream.AuthenticateAsClient(_settings.HostIpAddress, certificates, SslProtocols.Tls12, true);
// someData is the application payload (byte[]) to send once the handshake completes.
_sslStream.Write(someData, 0, someData.Length);

However, I'm getting an exception:

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: An unknown error occurred while processing the certificate

--- End of inner exception stack trace

at System.Net.Security.SslState.CheckThrow(Boolean authSucessCheck) at System.Net.Security.SslStream.Write(Byte[] buffer, Int32 offset, Int32 count)

I enabled SChannel logging and found this in Windows event log:

The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted.

Then I enabled System.Net logging as described here and got this log (I removed some certificate data from it). It looks like the client certificate is OK but for some reason the log says Remote certificate: null although there is clearly some data sent back from the remote server that looks very much like a certificate. And at the very end the log says returned code=CertUnknown. I've no idea where the problem might be (remote server certificate? my code? remote/local server settings?) and would appreciate any help.

Note: If I change my code to use SSL 3 by specifying SslProtocols.Ssl3 instead of SslProtocols.Tls12 everything works fine. But I really need to use TLS because that's what the remote server owner asks to do.

Konamiman
holdenmcgrohen
  • What kind of certificate are you using, is it a self-signed certificate? Just try checking whether the .cer file is there in the TCP client cert store or not. – Divyesh Sharma Oct 26 '15 at 08:28
  • The certificate is signed by the remote server owner. As I wrote in the question, if I change a single line of code (tls12 -> ssl2), everything works fine with the same certificate and all the other settings. So the certificate works fine with SSL. Why it won't work with TLS - I can't figure out for the life of me. – holdenmcgrohen Oct 26 '15 at 08:44
  • TLS is the successor of SSL. I think that TLS12 => TLS 1.2 is not enabled on server\client side. Please check in the registry as directed in the [msdn](https://technet.microsoft.com/en-in/library/dn786418.aspx) for TLS 1.2 section. If it's not there, then try enabling it and running the program again. – Divyesh Sharma Oct 26 '15 at 09:27
  • TLS 1.2 is enabled on client side because I can see successful TLS 1.2 handshakes to other servers in SChannel event log on my machine. And it's definitely enabled on server side since the server successfully accepts TLS 1.2 connections from other clients. – holdenmcgrohen Oct 27 '15 at 18:55
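The following is an added example, not the asker's code, of an SslStream client that does TLS 1.2 with client-certificate authentication and checks the three things that commonly produce the SChannel message "no suitable client certificate could be found" or a CertUnknown alert: the PFX must actually carry a usable private key, the selection callback should offer a certificate whose issuer the server listed in its CertificateRequest, and the server certificate should be validated rather than accepted with `=> true`. `HostName`, `Port`, the PFX path and password are placeholders; the target host is a DNS name rather than an IP so that name matching and SNI work.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example; names below are placeholders, not values from the question.
public static class TlsClientExample
{
    public static SslStream Connect(string hostName, int port, string pfxPath, string pfxPassword)
    {
        // Load the PFX with the private key persisted in the machine store so SChannel can
        // sign the CertificateVerify message. A certificate without a usable private key
        // is silently skipped, and SChannel then falls back to an anonymous connection.
        var clientCert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException("Client certificate has no private key");

        var clientCerts = new X509Certificate2Collection { clientCert };

        var tcp = new TcpClient();
        tcp.Connect(hostName, port);

        var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false,
            userCertificateValidationCallback: ValidateServerCertificate,
            userCertificateSelectionCallback: SelectClientCertificate);

        // targetHost must match the server certificate's subject/SAN; pass the DNS name.
        ssl.AuthenticateAsClient(hostName, clientCerts, SslProtocols.Tls12,
            checkCertificateRevocation: true);
        return ssl;
    }

    // Fail closed: only accept a server certificate the platform chain builder trusts,
    // and log the chain status so a rejection is diagnosable instead of being swallowed.
    private static bool ValidateServerCertificate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        Console.Error.WriteLine($"Server certificate rejected: {errors}");
        if (chain != null)
        {
            foreach (var status in chain.ChainStatus)
                Console.Error.WriteLine($"  chain: {status.Status} {status.StatusInformation}");
        }
        return false;
    }

    // Offer the local certificate whose issuer appears in the server's CertificateRequest.
    // Returning a certificate the server does not accept produces the same handshake failure
    // as offering none at all.
    private static X509Certificate SelectClientCertificate(object sender, string targetHost,
        X509CertificateCollection localCerts, X509Certificate remoteCert, string[] acceptableIssuers)
    {
        if (acceptableIssuers != null && acceptableIssuers.Length > 0)
        {
            foreach (X509Certificate cert in localCerts)
            {
                if (Array.IndexOf(acceptableIssuers, cert.Issuer) >= 0)
                    return cert;
            }
            Console.Error.WriteLine("No local certificate matches the server's acceptable issuers: "
                + string.Join("; ", acceptableIssuers));
        }
        return localCerts.Count > 0 ? localCerts[0] : null;
    }

    public static void Main()
    {
        using (var ssl = Connect("server.example", 443, @"C:\path\client.pfx", "pfx-password"))
        {
            Console.WriteLine($"Negotiated {ssl.SslProtocol}, mutually authenticated: {ssl.IsMutuallyAuthenticated}");
            var payload = Encoding.ASCII.GetBytes("hello\r\n");
            ssl.Write(payload, 0, payload.Length);
            ssl.Flush();
        }
    }
}
```

After the handshake, `SslStream.IsMutuallyAuthenticated` tells you whether the client certificate was actually presented and accepted; if it is false while the server demands client auth, the selection callback or the private key is the first place to look.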

1 Answer


We made our websockets server to use TLS 1.2.

Manually adding "ws.SslConfiguration.EnabledSslProtocols = System.Security.Authentication.SslProtocols.Tls12;" solved the issue.

  • Welcome to Stack Overflow! Please don't add [the same answer](https://stackoverflow.com/a/67489309/1324) to multiple questions. Answer the best one and flag the rest as duplicates. See [Is it acceptable to add a duplicate answer to several questions?](http://meta.stackexchange.com/q/104227/347985) – Paul Roub May 11 '21 at 15:09