
I am trying to initialise a TLS tunnel with the .NET SslStream, but after opening the stream I always get the following error:

"Unable to read data from the transport connection: An established connection was aborted by the software in your host machine."

This happens after I establish a TLS connection and send a second message.

I've been searching for an answer for the last four days but there isn't any helpful information online!

Edit: I am trying to connect to talk.google.com

and I'm using the code sample from MSDN. The only difference is that I'm sending data before, and when it is time to use TLS I do the following:

    public void SecureStream()
    {
        netStream.Flush();
        // Wrap the existing NetworkStream (leaveInnerStreamOpen = false)
        // and validate the server certificate with our own callback.
        sslStream = new SslStream(netStream, false,
            new RemoteCertificateValidationCallback(ValidateServerCertificate), null);
        sslStream.AuthenticateAsClient("talk.google.com");
    }

Edit: I managed to eliminate the first error (a small bug in how I was handling the send); now I always get

"Unable to read data from the transport connection: An established connection was aborted by the software in your host machine."

Edit 2: I'm not sending any whitespace. I rewrote the message-passing part and I still have the same problem.

I start with

    String streamInit = "<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='google.com' version='1.0'>";
    client.Send(streamInit);

Then on receive I have the following

    static void client_MessageReceived(SyncronousClient source, string Result)
    {
        // Server requires STARTTLS: ask to start it.
        if (Regex.IsMatch(Result, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"><required/></starttls>"))
        {
            String startTlS = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>";
            source.Send(startTlS);
        }
        // Server agreed: run the TLS handshake, then restart the XML stream.
        else if (Regex.IsMatch(Result, "<proceed xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"/>"))
        {
            //Do TLS Magic
            source.SecureStream();
            // Attributes must be separated by spaces; the original string ran them
            // together (xmlns='jabber:client'xmlns:stream=...), which is not well-formed XML.
            String streamReInit = "<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='google.com' version='1.0'>";
            source.Send(streamReInit);
        }
        // SASL mechanisms are offered only after TLS is up.
        else if (Regex.IsMatch(Result, "<mechanisms xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">"))
        {
            //String AuthType = "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='X-GOOGLE-TOKEN'/>";
            String AuthType = "<auth xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\" mechanism=\"PLAIN\"/>";
            source.Send(AuthType);
        }
    }
Marcom
    The problem could be anything. You need to be far more specific, providing code and information about the server you're trying to communicate with. – Jonathan Jan 12 '11 at 22:31
  • When you say that "... is not working" it's 90% probability that's your fault. – Jakub Šturc Jan 13 '11 at 18:21
  • I'm not saying it's not my fault, but I'm stuck and I can't find a way to fix it. – Marcom Jan 13 '11 at 22:21

2 Answers

It's unlikely to be your problem (unless .Net has started doing SNI under the covers), but when you call AuthenticateAsClient, pass in the same domain name that you used in your stream's to attribute (in this case, google.com). As well, you might need gmail.com instead of google.com:

    sslStream.AuthenticateAsClient("gmail.com", null, SslProtocols.Tls, false);

As csharptest.net alluded to, make sure you don't have a keepalive timer that sends extra whitespace, or wait to start the timer until after TLS works. The only other way I can imagine you're getting that error is if you don't have a ciphersuite that the server implements, but I know the .Net SslStream works against GTalk.

Lastly, use one of the existing .Net libraries for XMPP (there are 5 listed here), and you can start writing much more fun code right away. You're about to run into the inadequacies of the .Net XML system, and your regex-based approach won't work when you start getting partial stanzas or multiple stanzas in a single read.

Joe Hildebrand
  • I have used the other libraries; I'm trying to create a simple client from scratch to gain a better understanding of the protocol. I'm connecting to talk.google.com. When I change the authentication domain to gmail.com I get a certificate mismatch error. I don't have a timeout set, but even when I change it to a short or long time I am not getting a challenge response :/ – Marcom Jan 27 '11 at 21:22
  • talk.google.com should work, but their SRV record points to `talk.l.google.com`. The name of the actual host you're connecting to is *not* the name to expect on the certificate, but instead the logical name of the service in the stream `to` address, which MUST be the same as the domain name in your user JID (gmail.com). Google's server should offer you a gmail.com cert if you set your stream `to` attribute to gmail.com. – Joe Hildebrand Jan 28 '11 at 06:14
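An added example in C# (not the asker's or Joe's code) of the exchange both posts describe: the stream header sent in the clear, STARTTLS, then AuthenticateAsClient with the stream's `to` domain as the name the certificate is checked against, and a reader that accumulates partial stanzas. The host and domain are from the thread; the helper names, port 5222 and the use of the default certificate validation (no custom callback) are my assumptions.

```csharp
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Text;

// Added example, not the asker's code; helper names and port 5222 are assumptions.
static class XmppStartTls
{
    const string Host = "talk.google.com"; // TCP endpoint (the SRV target)
    const string Domain = "gmail.com";     // stream 'to' AND TLS target name
    // Space-separated attributes, and the header ends at '>' with no trailing
    // whitespace: the TLS handshake starts right after that character.
    static string StreamHeader(string to) =>
        "<stream:stream xmlns='jabber:client' " +
        "xmlns:stream='http://etherx.jabber.org/streams' " +
        "to='" + to + "' version='1.0'>";
    // One Read may return a partial stanza or several stanzas, so accumulate
    // until the tag appears (substring check only; a real client parses XML).
    static string ReadUntil(Stream s, string tag)
    {
        var sb = new StringBuilder(); var buf = new byte[4096];
        while (!sb.ToString().Contains(tag))
        {
            int n = s.Read(buf, 0, buf.Length);
            if (n == 0) throw new IOException("server closed before " + tag);
            sb.Append(Encoding.UTF8.GetString(buf, 0, n));
        }
        return sb.ToString();
    }
    static void Send(Stream s, string xml)
    {
        byte[] b = Encoding.UTF8.GetBytes(xml);
        s.Write(b, 0, b.Length);
    }
    public static SslStream Connect()
    {
        NetworkStream net = new TcpClient(Host, 5222).GetStream();
        Send(net, StreamHeader(Domain));
        ReadUntil(net, "<starttls"); // stream features advertise STARTTLS
        Send(net, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
        ReadUntil(net, "<proceed");  // nothing else is sent in the clear
        // Default chain and name checks run; the name checked is the service domain.
        var ssl = new SslStream(net, false);
        ssl.AuthenticateAsClient(Domain, null, SslProtocols.Tls12, true);
        Send(ssl, StreamHeader(Domain)); // restart the stream inside TLS
        return ssl;                      // next read should show <mechanisms>
    }
}
```

If the server presents a certificate for a different name than `Domain`, AuthenticateAsClient throws an AuthenticationException rather than silently continuing, which is the behaviour to keep.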

That really doesn't make sense to me. The server, if using SSL, requires that the client perform the SSL handshake upon connection. Thus, I'm not sure what you mean by "I'm sending data before...". It sounds like you're not immediately calling AuthenticateAsClient. If this is the case, I suspect that is your problem. AFAIK, you cannot use the same socket/connection for both SSL and non-SSL communications. Either the server requires SSL, or it does not support it; it should never do both.

My previous answer above was in ignorance. Indeed it appears that the standard does in fact require that the client send and receive data prior to the initialization of the SSL handshake. Really odd that they would do that... but whatever. After briefly reading through parts of the RFC it appears that you are expected to begin the SSL client auth immediately after the closing '>'. No trailing whitespace allowed, which may be your problem?

csharptest.net
  • I'm trying to connect to an XMPP server. First you have to send some XML messages and then you have to negotiate a TLS connection. I tried to set the leave inner stream open to false, which I guess creates a new connection automatically, but I have the same prob. – Marcom Jan 13 '11 at 01:25
  • I don't seem to have any extra whitespace. The exception always happens after TLS is established and the second message is sent, while I am waiting for the SASL challenge. – Marcom Jan 18 '11 at 23:24