On Windows 7Pro, I have a secure socket client app using schannel.
Connecting to a secure server with TLSV1.0, 1.1 and 1.2, without client authentication works fine.
Connecting to a secure server with TLSV1.0, 1.1, with client authentication works fine.
A connection with client authentication with TLSV1.2 fails. Instead of replying with handshake certificate, the client replies with 3 TLS records: Client Key exchange-Cipher change spec-Client key exchange. As the server does not receive the client's certificate, it aborts the connection.
The client's certificate has an intermediate and trusted root ca. In all cases AcquireCredentialsHandle is called with
SCH_CRED_NO_DEFAULT_CREDS|SCH_CRED_MANUAL_CRED_VALIDATION|SCH_CRED_NO_SERVERNAME_CHECK,
and InitializeSecurityContext with (among others)
ISC_REQ_MANUAL_CRED_VALIDATION and ISC_REQ_USE_SUPPLIED_CREDS.
Do I need to treat client authentication differently for TLS V1.2?
Related
I have been trying to write a program that is a websocket client connecting to a wss (tls websocket) endpoint. The problem I am having is that I am getting a bad handshake. What all certificate do I need to create a tls connection? I am asking language non specific just mean general authentication needed and possibly how to generate the files.
From my browser I want to communicate to localhost application using ssl. Here browser(which acts as client) will submit the certificate instead of localhost application(which acts as server). Can Ssl be established in this scenario? So finally it boils down to problem statement can a ssl communication be established by server validating the client certificate and client not validating the server certificate.
The SSL/TLS implementation inside the browser do not support this scenario. A server certificate is always required by the browser with SSL/TLS in order to be sure that the browser is communicating with the expected server (as specified in the URL) and not some man in the middle. Apart from that it is not clear what you want to achieve with such a setup in the first place - maybe there is a better design for your unknown use case.
If a SSL SMTP server requires a STARTTLS command to be used (java mail property: mail.smtp.starttls.required), do we also need to enable Plaintext Authentication over TLS?
I'm not sure exactly what you mean by "plaintext authentication over TLS".
If the server requires STARTTLS, a plain text (non-SSL) connection is made to the server, TLS (SSL) is started on the connection, and then authentication is done. Authentication can use any authentication mechanisms supported by both client and server, including the PLAIN authentication mechanism.
Getting below error
Http Action - Request to host 'sipoc.cloudapp.net' failed: TrustFailure The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
while invoking below WCF RestService on https from Azure scheduler service GET job.
below is the webservice URL
https://sipoc.cloudapp.net/Service1.svc/GetPlayersXMl
Service URL is working fine.
Any help would be appreciated.
If I browse to the URL provided it indicates that the SSL certificate is not trusted.
"The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website has expired or is not yet valid. "
Scheduler jobs will fail as it can't trust the endpoint. You can either use a trusted certificate or just use HTTP (instead of HTTPS).
Although I would never recommend this in production unless you know the cert is valid (i.e. self signed), you can override the default behavior and confirm that the cert is good.
Below is a sample on how to do it in C#. There are a couple of ways to write it. The advantage here is that it remains SSL encrypted (versus falling back to HTTP).
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
I'm using SMTP transport. I would like to use TLS but my hosting has self-signed certificate.
It is possible to use TLS in such situation?
TLS itself has no concept of the certificate being self signed or not. When you initiate a TLS connection (either by connecting to a specific port or via STARTTLS) the server and client negotiate the TLS connection.
As part of the TLS negotiation it is up to the client and server to decide whether the certificate that they're presented is valid or not. If the certificate is self signed it's possible that the client (I'm assuming you're the server) may reject the certificate because it's not issued by a known CA or it might accept it.
It's therefore possible to use TLS with self signed certificates (we do it) but it's also possible that a client could reject the connection because it cannot verify the certificate. If you full have control of the clients (which you do here) you can of course aid this and ensure you always accept your hosts certificate.