SslStream: An unknown error occurred while processing the certificate
I'm trying to establish a TCP connection to a remote server using SslStream and TLS 1.2 protocol. The code is as follows:

_tcpClient.Connect(endPoint);

// Client certificate (PFX with its private key), loaded into the machine key store
var certificate = new X509Certificate2(_settings.CertificateFilePath, _settings.CertificatePassword, X509KeyStorageFlags.MachineKeySet);
var certificates = new X509CertificateCollection { certificate };

_nStream = _tcpClient.GetStream();
_sslStream = new SslStream(_nStream, false,
    // Remote certificate validation callback: accepts every server certificate, i.e. no validation at all
    (o, x509Certificate, chain, errors) => true,
    // Client certificate selection callback: always offers the first local certificate
    (o, s, collection, x509Certificate, issuers) => collection[0]
);

// TLS 1.2 handshake as client, offering the client certificate, with revocation checking enabled
_sslStream.AuthenticateAsClient(_settings.HostIpAddress, certificates, SslProtocols.Tls12, true);
_sslStream.Write(someData, 0, someData.Length);

However, I'm getting an exception:

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: An unknown error occurred while processing the certificate

--- End of inner exception stack trace

at System.Net.Security.SslState.CheckThrow(Boolean authSucessCheck)
at System.Net.Security.SslStream.Write(Byte[] buffer, Int32 offset, Int32 count)

I enabled SChannel logging and found this in Windows event log:

The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted.

Then I enabled System.Net logging as described here and got this log (I removed some certificate data from it). It looks like the client certificate is OK, but for some reason the log says Remote certificate: null, although there is clearly some data sent back from the remote server that looks very much like a certificate. And at the very end the log says returned code=CertUnknown. I've no idea where the problem might be (remote server certificate? my code? remote/local server settings?) and would appreciate any help.

Note: If I change my code to use SSL 3 by specifying SslProtocols.Ssl3 instead of SslProtocols.Tls12 everything works fine. But I really need to use TLS because that's what the remote server owner asks to do.

Worsley answered 26/10, 2015 at 8:12 Comment(5)
What kind of certificate are you using? Is it a self-signed certificate? Just try checking whether the .cer file is there in the TCP client cert store or not. – Apuleius
The certificate is signed by the remote server owner. As I wrote in the question, if I change a single line of code (tls12 -> ssl2), everything works fine with the same certificate and all the other settings. So the certificate works fine with SSL. Why it won't work with TLS, I can't figure out for the life of me. – Worsley
TLS is the successor of SSL. I think that TLS12 => TLS 1.2 is not enabled on the server/client side. Please check in the registry as directed in the MSDN TLS 1.2 section. If it's not there, then try enabling it and running the program again. – Apuleius
TLS 1.2 is enabled on the client side because I can see successful TLS 1.2 handshakes to other servers in the SChannel event log on my machine. And it's definitely enabled on the server side since the server successfully accepts TLS 1.2 connections from other clients. – Worsley
System.Net logging description link broken. Was it something similar to this? techcommunity.microsoft.com/t5/iis-support-blog/… – Pansy
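A hardened version of the client-side setup from the question, added here as an example that is not part of the original post or its answers. It keeps server certificate validation on instead of returning true for everything, checks that the client certificate actually carries a private key (without one SChannel cannot answer the server's certificate request and falls back to an anonymous connection, which matches the SChannel event quoted above), and selects the client certificate by the server's acceptable-issuer list. The class and method names and the host/port/PFX parameters are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Hypothetical class and method names; host, port and PFX values come from the caller.
static class TlsClientExample
{
    public static SslStream ConnectTls12(string host, int port, string pfxPath, string pfxPassword)
    {
        // The client certificate must carry its private key; without it SChannel cannot
        // answer the server's CertificateRequest and falls back to an anonymous connection.
        var clientCert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.MachineKeySet);
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException("Client certificate has no private key");

        var tcp = new TcpClient();
        tcp.Connect(host, port);
        var ssl = new SslStream(tcp.GetStream(), false, ValidateServerCertificate, SelectClientCertificate);

        // Pass the DNS name from the server certificate (not its IP) so name validation can pass;
        // the last argument turns on revocation checking of the server chain.
        ssl.AuthenticateAsClient(host, new X509CertificateCollection { clientCert }, SslProtocols.Tls12, true);
        return ssl;
    }

    static bool ValidateServerCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Never "return true" unconditionally: that disables all server authentication.
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine($"Server certificate rejected: {errors}");
        return false;
    }

    static X509Certificate SelectClientCertificate(object sender, string targetHost,
        X509CertificateCollection localCerts, X509Certificate remoteCert, string[] acceptableIssuers)
    {
        // The server's CertificateRequest names the issuers it accepts; offer only a matching
        // certificate (exact DN string match here, a simplification of the real comparison).
        foreach (X509Certificate c in localCerts)
        {
            if (acceptableIssuers == null || acceptableIssuers.Length == 0
                || Array.IndexOf(acceptableIssuers, c.Issuer) >= 0)
                return c;
        }
        Console.Error.WriteLine("No local certificate matches the server's acceptable issuers");
        return null;
    }
}
```

If SelectClientCertificate logs that no local certificate matches, compare the issuer DNs the server sends with the issuer of your PFX; a certificate the server did not ask for is exactly what SChannel reports as "no suitable client certificate could be found".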

We made our websockets server to use TLS 1.2.

Adding "ws.SslConfiguration.EnabledSslProtocols = System.Security.Authentication.SslProtocols.Tls12;" manually solved the issue.

Victim answered 11/5, 2021 at 15:2 Comment(1)
Welcome to Stack Overflow! Please don't add the same answer to multiple questions. Answer the best one and flag the rest as duplicates. See Is it acceptable to add a duplicate answer to several questions? – Optical
