TLS 1.2 Client Certificate Authentication


TLS 1.2 Client Certificate Authentication

ashr

Hi guys,

I've been trying to connect to a threat repository to suck intel feeds down with Mono. The interface uses a client certificate and basic auth to validate the connection.

I've played with mono versions from the version that comes with Xenial, all the way through to Mono JIT compiler version 5.0.1.1. The furthest I've come was on the latest version: I can see it at least tries to speak TLS 1.2, but something goes wrong before the Client Key Exchange (so I'm guessing the Server Key Exchange fails; wild guess from wireshark caps, I'm not an expert in SSL handshakes).


This is the code I'm using to set this connection up: https://pastebin.com/Ei3bsjdF

* The MyRemoteCertificateValidationCallback validates the server cert without error and Mono seems to add the client certificate to the request just fine as well.

A paste with the error that occurs during runtime (SecureChannelFailure (Syscall)): https://pastebin.com/sUXQf9KF

Screenshot of wireshark cap of the connection process: https://imagebin.ca/v/3UjPy99nEI94

Screenshot of a wireshark cap of a working connection through python (Using the same client side certificate connecting to same backend): https://imagebin.ca/v/3UjQdz43jKSQ


When I get some time tonight and during the weekend, I'll try to set up a server with client side auth and test it locally as well, but if any of you gurus have an idea of what is going wrong or how to troubleshoot further, please let me know?


Many thanks

ash


_______________________________________________
Mono-devel-list mailing list
[hidden email]
http://lists.dot.net/mailman/listinfo/mono-devel-list

Re: TLS 1.2 Client Certificate Authentication

Mirco Bauer
Hi,

Since I had trouble getting client certificate auth to work, I wonder if you have the same issue. Have you implemented the certificate selection? Otherwise it will not send the certificate, see:
https://github.com/meebey/SmartIrc4net/commit/6fe9baba17a2f050cd792f6b452feffa91a9bf9f

Best regards,

Mirco (meebey) Bauer

FOSS Hacker             [hidden email]  https://www.meebey.net/
Debian Developer        [hidden email]  http://www.debian.org/
GNOME Foundation Member [hidden email] http://www.gnome.org/
CTO @ Gatecoin Ltd.     [hidden email] https://gatecoin.com/
.NET Foundation Advisory Council Member    http://www.dotnetfoundation.org/
PGP-Key ID              0x7127E5ABEEF946C8 https://meebey.net/pubkey.asc


On Thu, Jul 27, 2017 at 8:50 PM, ashr <[hidden email]> wrote:
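To make the point of the reply concrete, here is an added example of a mutually authenticated TLS 1.2 client in C# (Mono/.NET `SslStream`). It is not the original poster's pastebin code and not the SmartIrc4net commit; it only illustrates the two callbacks involved: the server certificate validation callback the question mentions, and the client certificate selection callback the reply says is required before the certificate is actually sent. The host, port and `client.p12` path are placeholders, and the `PFX_PASSWORD` environment variable is an assumption of this example.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread or from SmartIrc4net.
// Assumes a TLS server that sends CertificateRequest, and a PKCS#12 file holding
// the client certificate together with its private key (all paths are placeholders).
class MutualTlsClient
{
    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "tls-server.example";   // placeholder
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;
        string pfxPath = args.Length > 2 ? args[2] : "client.p12";         // placeholder
        string pfxPassword = Environment.GetEnvironmentVariable("PFX_PASSWORD") ?? "";

        // The client certificate must carry its private key: without it no
        // CertificateVerify can be produced after the server's CertificateRequest.
        var clientCert = new X509Certificate2(pfxPath, pfxPassword);
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException("client certificate has no private key");
        var clientCerts = new X509CertificateCollection { clientCert };

        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false,
                                       ValidateServerCertificate,
                                       SelectClientCertificate))   // the selection callback the reply refers to
        {
            ssl.AuthenticateAsClient(host, clientCerts, SslProtocols.Tls12,
                                     checkCertificateRevocation: true);
            Console.WriteLine("Negotiated {0}, mutually authenticated: {1}",
                              ssl.SslProtocol, ssl.IsMutuallyAuthenticated);
        }
    }

    // Server certificate validation. Keep it strict: returning true unconditionally
    // (a common shortcut while debugging handshake problems) silently disables
    // server authentication for every connection.
    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;
        Console.Error.WriteLine("server certificate rejected: {0}", sslPolicyErrors);
        return false;
    }

    // Client certificate selection. SslStream calls this when the server requests a
    // client certificate; the reply above reports that Mono sent no certificate at all
    // when this callback was missing, even with the ClientCertificates collection filled.
    static X509Certificate SelectClientCertificate(object sender, string targetHost,
                                                   X509CertificateCollection localCertificates,
                                                   X509Certificate remoteCertificate,
                                                   string[] acceptableIssuers)
    {
        // Prefer a certificate whose issuer the server listed as acceptable.
        if (acceptableIssuers != null && acceptableIssuers.Length > 0)
        {
            foreach (X509Certificate cert in localCertificates)
            {
                if (Array.IndexOf(acceptableIssuers, cert.Issuer) >= 0)
                    return cert;
            }
        }
        // Otherwise fall back to the first configured certificate; returning null
        // means "send no client certificate", which is exactly the symptom to avoid.
        return localCertificates != null && localCertificates.Count > 0
            ? localCertificates[0]
            : null;
    }
}
```

After the handshake, `IsMutuallyAuthenticated` is the quickest check that the server actually accepted the client certificate; if it is false while the connection succeeded, the server either never requested a certificate or the selection callback returned null.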