2 Way SSL - Client Certificate Not Sent To Server
I have an application deployed to Salesforce on the force.com platform, which I'm trying to configure 2-way SSL for.

I.e., I want a client certificate to be sent with each request sent from SF to my server.

I did the necessary configurations on SF for the certificate to be sent, but I'm still getting 403.7 from the server, which means: forbidden, client certificate required.

I installed Wireshark on the server, captured traffic to see the 2-way SSL handshake, and I'm trying to find in the server hello message where it tells the client the trusted CAs to which a client certificate should correspond, but I'm having difficulties finding it. I suspect that's why the client does not send the certificate.

Can anyone point me to where in the server hello I should look? Or perhaps in another packet capture?

Thanks in advance.

[Screenshot of the handshake capture]

Client Key Exchange record:

[Screenshot of the Client Key Exchange record]

Haircut answered 25/1, 2015 at 9:23 Comment(2)
Look for a certificate request message from the server. If there is none, the client will not send any certificate. See also devcentral.f5.com/articles/….Fedak
Added a screenshot of the handshake captures. Can you please point me to where I should be looking?Haircut
Added a screenshot of the handshake captures. Can you please point me to where I should be looking? –

See packet #31. It contains the Certificate Request. Also, packet #33 contains the certificate from the client, so the reason is not that the client does not send the certificate, but instead that the server either does not like the certificate because the validation failed, or because the certificate is not sufficient as authorization for the requested resource. You might get more information from the server's log.

Fedak answered 25/1, 2015 at 10:21 Comment(4)
Please see the additional screenshot I added, referring to the client key exchange. It shows the certificate length is 0. That's why I assume this is supposed to be a certificate message, but the certificate is not included in it. Am I wrong?Haircut
Thanks, found what I was looking for in record 31 under HandshakeProtocol\Distinguished namesHaircut
@Y.S, Could you let me know what/how you solved the issue? I am also facing the same issue. I am using OpenSSL with self-signed certificates in PEM format, but I am getting the following error: SSL_CTX_use_certificate_file failed [0,error:0906D06C:PEM routines:PEM_read_bio:no start line]Martica
@scooby: your question is unrelated here. If you need help, ask a new question. Hint: your certificate file does not have the expected format.Fedak
Here, the server sends its Certificate Request message and the client sends its Certificate message in response, but that message contains 0 certificates.

Typically, this happens when the client was unable to select a client certificate to use. Either it's not configured properly to make use of any certificate, or it can't find one that is issued by one of the acceptable CAs.

Look at the Certificate Request packet and check its certificate_authorities list. This is a list of the CA Distinguished Names (DNs) that the server is willing to accept.

One way or another, the client will need to find a client certificate with which it can build a chain towards one of those DNs. In the simplest case, a client certificate issued by such a DN is available. Otherwise, if the client has to build a chain from a client cert to such a DN, it would need to have the necessary intermediate CA certificates to do so. (How this is done depends on the client's configuration mechanisms.)

If intermediate CA certificates are necessary and not available on the client side, you may need to configure your server to accept them and advertise them in the Certificate Request too.

Valverde answered 5/3, 2015 at 1:3 Comment(3)
What if the server does not include a certificate_authorities list in its Certificate Request? I am having trouble with Amazon AWS IoT. They don't even publish any CA or intermediate certificates the client certificates are signed with.Hurleigh
We are stuck on the same issue. Certificates Length is zero as mentioned above. Is there a way to force sending our client certificate to the server?Exeunt
Is this Certificate Request only sent in 2-way SSL? Or also in 1-way SSL? Thanks.Speedy
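As an added example (not code from the question, the answers, or the Salesforce/IIS setups they describe), this Python script decodes a TLS 1.2 CertificateRequest handshake message as laid out in RFC 5246 section 7.4.4 and returns the certificate_types and the certificate_authorities DNs, which is the list to compare your client certificate's issuer chain against. The CertificateRequest it parses is constructed inline; the OID table, the DER helpers and the sample CA names are assumptions of the example, and an empty certificate_authorities list (the AWS IoT case raised in the comments) simply decodes to an empty list.

```python
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (DNs often exceed 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_name_to_string(der):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to 'C=..,O=..,CN=..'."""
    parts, seq_pos = [], 0
    _, rdn_seq, _ = der_tlv(der, 0)
    while seq_pos < len(rdn_seq):
        _, rdn_set, seq_pos = der_tlv(rdn_seq, seq_pos)
        set_pos = 0
        while set_pos < len(rdn_set):
            _, atv, set_pos = der_tlv(rdn_set, set_pos)
            _, oid, p = der_tlv(atv, 0)
            _, value, _ = der_tlv(atv, p)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)

def parse_certificate_request(msg):
    """msg = handshake header (type 13, 3-byte length) + body; returns (cert_types, [DN strings])."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    cert_types, pos = list(body[1:1 + body[0]]), 1 + body[0]
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")     # skip supported_signature_algorithms
    ca_end, pos, cas = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"), pos + 2, []
    while pos < ca_end:                                     # each DN: 2-byte length + DER Name
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        cas.append(der_name_to_string(body[pos + 2:pos + 2 + dn_len]))
        pos += 2 + dn_len
    return cert_types, cas                                  # [] means the server advertised no CA names

# Constructed sample data below (assumed values, not taken from the capture in the question).
def _der(tag, value):
    return bytes([tag, len(value)]) + value                 # short-form lengths suffice for the sample
def der_name(attrs):
    """Build a DER Name from [(oid_bytes, text)], one PrintableString RDN per attribute."""
    return _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, o) + _der(0x13, t.encode()))) for o, t in attrs))
def build_certificate_request(ca_names):
    cas = b"".join(len(n).to_bytes(2, "big") + n for n in ca_names)
    body = b"\x01\x01" + b"\x00\x04\x04\x01\x05\x01" + len(cas).to_bytes(2, "big") + cas  # rsa_sign; sha256/384+rsa
    return b"\x0d" + len(body).to_bytes(3, "big") + body
SAMPLE = build_certificate_request([der_name([(b"\x55\x04\x06", "US"), (b"\x55\x04\x0a", "Example Corp"), (b"\x55\x04\x03", "Example Client CA")])])
```

Against a real capture, feed the bytes of the CertificateRequest handshake message (Wireshark: the record's Handshake Protocol payload) to parse_certificate_request and check that your client certificate chains to one of the returned DNs.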
Not sure if this will help anyone else, but in our case of this issue, everything was working when running locally in Visual Studio and in IIS, but when deployed to a real server, we were hitting a certificate issue during 2-way SSL as described above and verified in Wireshark.

Anyway, on that server we also have a .NET 4.7.2 console application which was calling the same API, and everything was working fine.

But our .NET 4.7.2 web API calls were failing. It appears that when the same code was running inside IIS, the cert was not available during the SSL negotiation (although it loaded fine).

Our solution at this point was to modify the following call to include the 3rd parameter.

certificate = new X509Certificate2(certificatepath, Password, X509KeyStorageFlags.MachineKeySet);

By default X509Certificate2 uses the UserKeySet option, so perhaps the application pool user or another thread in IIS (?) was having trouble accessing the cert for the negotiation.

Here are a couple of the related pages that I found useful during my research:

Lapse answered 21/9, 2020 at 18:6 Comment(0)