
I'd like to ask for an explanation. I am using an X.509 certificate, and when I try to post my data to a web service which I want to communicate with, I am getting the following error:

No client certificate was presented during SSL Handshake

Can you please explain to me what the issue is?

NB: I am using .NET Framework 3.5 / C#

What I did exactly is: first I imported the certificate into the store, then I used the code below in order to find it and then receive the token (using the AskForToken function). However, when I send my data, I get a handshake failure.

My first question is: why do I succeed in getting the token (if I am not mistaken, the client (which is my application) sent the certificate to the server and got the token, which means the connection was established correctly)?

My second question: what do I have to change or check to get rid of this handshake failure?

using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

// stsAddress, serviceURL, cert and AskForToken are declared elsewhere in the class.
private static string RequestSecurityToken()
{
    // HTTPS on the transport, with the client certificate as the message credential
    WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(
        new CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        new EndpointAddress(new Uri(stsAddress)));

    trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;

    // Look the client certificate up by thumbprint in the current user's Personal store
    string thumb = "fe14593dd66b2406c5269d742d04b6e1ab03adb1";
    trustChannelFactory.Credentials.ClientCertificate.SetCertificate(
        StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, thumb);
    // Accept the STS certificate if it is in the Trusted People store or chain-trusted
    trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
        X509CertificateValidationMode.PeerOrChainTrust;
    cert = trustChannelFactory.Credentials.ClientCertificate.Certificate;

    var tokenString = AskForToken(serviceURL, trustChannelFactory);
    trustChannelFactory.Close();
    return tokenString;
}
R.You

2 Answers

During an SSL handshake, the client presents its public key to the other party, which apparently is not happening.

I'm not a C# programmer, so I can't present you with the code. But you need to create an SSL keypair (private + public key pair) and use it to define your SSL sockets etc.

Aurangzeb

SSL has the possibility to demand client authentication. So the client (your application) has to send a certificate that the server trusts before the connection is established. It seems that this client authentication fails, because your application doesn't send such a certificate.

Depending on the web service you try to use, it won't be possible to create such a certificate, because the server only trusts applications from e.g. a certain company.

DerKasper
  • Thank you @DerKasper for your answer. As you can see in the code, I am sending the certificate. Any thoughts on what the problem may be? Thank you – R.You Mar 02 '16 at 16:16
  • @R.You: I don't know how the ChannelFactory works, just how SSL works, but my approach would be: first check if not only your code sends the cert, but it is really sent from your PC. Use Wireshark (with a filter for ssl) for that; you should find a message from the server with a Certificate Request and should find the client sending a certificate. If a certificate is sent, then the problem is not in the application but in the server, which rejects your certificate. The server would have to be changed so that it accepts your certificate. Can you connect to the server from any application? – DerKasper Mar 03 '16 at 11:30
  • Thank you @DerKasper, unfortunately I can't connect to the server from any application. I used Wireshark as you recommended, and it caught a sequence of exchanges as follows: 1) _**Client Hello**_ 2) _**Server Hello**_ 3) _**Certification**_ 4) _**Certificate Request, Server Hello Done**_ 5) _**Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message**_ 6) _**Change Cipher Spec, Encrypted Handshake Message**_. Can you please explain what this means? Will it help to fix my issue? – R.You Mar 03 '16 at 12:28
  • That means the SSL handshake is done correctly & your code seems to work fine. The problem is: the server doesn't trust you / rejects your application certificate. You don't have the rights to use the web service (client authentication protects the service from being used by everybody). If you don't have access to the server (to add your certificate to the list of trusted certificates) or any client certificate that is accepted by the server, you will not be able to establish a connection. Sorry, it seems you try to use a service you are not allowed to use and there will be no way to fix your problem. – DerKasper Mar 03 '16 at 12:58
  • Thank you @DerKasper for your help, it's fixed now... The problem was on the server's side. I don't know what they changed on their side, that's why I can't confirm what the issue was exactly, but I think, as you said, they just authorized my cert. – R.You Mar 17 '16 at 14:40
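The Wireshark check DerKasper suggests, carried out on the raw bytes as an added example (not code from the question or the answers): a small TLS 1.2 handshake-record parser over constructed sample flights that separates a server that never sent CertificateRequest, a client that answered with an empty Certificate message (Wireshark still labels it "Certificate", yet it is exactly what yields "No client certificate was presented"), and a client that did present a certificate, where a failure afterwards means the server rejected it. It assumes unencrypted, unfragmented records and uses placeholder bytes in place of a DER certificate.

```python
import struct
HANDSHAKE = 22  # TLS record content type for handshake messages; types below per RFC 5246
SERVER_HELLO, CERTIFICATE, CERTIFICATE_REQUEST = 2, 11, 13
SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE = 14, 16
def parse_handshake_messages(stream):
    """[(handshake_type, body)] from the unencrypted, unfragmented records before ChangeCipherSpec."""
    msgs, i = [], 0
    while i + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[i:i + 5])
        frag, i = stream[i + 5:i + 5 + length], i + 5 + length
        if ctype != HANDSHAKE:  # ChangeCipherSpec / alert records carry no handshake messages
            continue
        j = 0
        while j + 4 <= len(frag):
            hs_len = int.from_bytes(frag[j + 1:j + 4], "big")
            msgs.append((frag[j], frag[j + 4:j + 4 + hs_len]))
            j += 4 + hs_len
    return msgs

def certificate_count(body):
    """Number of entries in a TLS 1.2 Certificate message's certificate_list (0 = empty message)."""
    list_len, n, k = int.from_bytes(body[:3], "big"), 0, 3
    while k < 3 + list_len:
        k += 3 + int.from_bytes(body[k:k + 3], "big")
        n += 1
    return n

def diagnose_client_auth(server_stream, client_stream):
    """Classify the client-certificate step of the handshake from the two directions of a capture."""
    server_types = [t for t, _ in parse_handshake_messages(server_stream)]
    if CERTIFICATE_REQUEST not in server_types:
        return "server never sent CertificateRequest: client auth not requested"
    certs = [b for t, b in parse_handshake_messages(client_stream) if t == CERTIFICATE]
    if not certs:
        return "client sent no Certificate message"
    if certificate_count(certs[0]) == 0:
        return "client sent an EMPTY Certificate message: no client certificate presented"
    return "client presented a certificate; a later failure means the server rejected it"

def hs_record(hs_type, body):  # wrap one handshake body in a TLS 1.2 record (builds the samples)
    return (bytes([HANDSHAKE, 3, 3]) + struct.pack("!H", 4 + len(body))
            + bytes([hs_type]) + len(body).to_bytes(3, "big") + body)
# Constructed sample flights modelled on the Wireshark sequence quoted in the comments
SERVER_FLIGHT = (hs_record(SERVER_HELLO, b"\x03\x03" + b"\x00" * 32)
                 + hs_record(CERTIFICATE_REQUEST, b"\x01\x01\x00\x00") + hs_record(SERVER_HELLO_DONE, b""))
FAKE_DER = b"\x30\x03\x02\x01\x01"  # placeholder bytes standing in for a DER-encoded certificate
EMPTY_CERT_CLIENT = hs_record(CERTIFICATE, b"\x00\x00\x00") + hs_record(CLIENT_KEY_EXCHANGE, b"\x00")
ONE_CERT_CLIENT = (hs_record(CERTIFICATE, (3 + len(FAKE_DER)).to_bytes(3, "big")
                             + len(FAKE_DER).to_bytes(3, "big") + FAKE_DER) + hs_record(CLIENT_KEY_EXCHANGE, b"\x00"))
```

On a real capture, feed each direction's pre-ChangeCipherSpec records to diagnose_client_auth; the .NET side presents an empty Certificate message when the selected certificate has no usable private key.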