I have a fully working system in which openssl-based clients interact with an openssl server. Each client has its own certificate, which is verified by the server. The certificates were created with openssl (X509, PEM) and are self-signed.
Now I want to write a test client based on SslStream. I used the client example from the SslStream documentation.
My SslStream client cannot complete the handshake. stunnel complains that the client did not send its certificate. Wireshark confirms this (certificate length: 0 in the handshake messages).
My client displays the following exception:
```
Internal exception: received message was unexpected or failed formatted
```
This is how I load my certificate:

```csharp
X509Certificate cert = new X509Certificate2(filename, password);
X509CertificateCollection certColl = new X509CertificateCollection();
certColl.Add(cert);
```
I tried reading various certificate properties (for example `GetSerialNumberString()`). That works. The `Verify` method returns false; this is the next thing I'm going to look into.
How I set up my SslStream doesn't seem to matter (same result):

```csharp
sslStream.AuthenticateAsClient(serverName);
```

```csharp
SslStream sslStream = new SslStream(
    client.GetStream(),
    false,
    new RemoteCertificateValidationCallback(ValidateServerCertificate),
    new LocalCertificateSelectionCallback(SelectLocalCertificate));
```
Same thing with authentication:

```csharp
sslStream.AuthenticateAsClient(serverName);
```

```csharp
sslStream.AuthenticateAsClient(serverName,
    certColl,
    SslProtocols.Tls,
    true);
```
`SelectLocalCertificate` receives the call (twice) and returns my certificate. `ValidateServerCertificate` is currently never called (to my surprise).
How can I debug this? Even better if you can pinpoint my problem.
UPDATE
I added a function that checks the chain using X509Chain, based on the documentation. It displays all of the certificate information, including two intriguing messages:

```
Element certificate is valid: False
Element error status length: 1
```
In the end, I have no more detailed information than when I call Verify.
The output of `openssl verify cert.pem` is nothing unusual:

```
error 18 at 0 depth lookup:self signed certificate
OK
```
UPDATE
pem, cert.pfx(pkcs12). cert.pfx . .
, . .
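An added diagnostic client, not the asker's code, that covers the two things the question leaves opaque: whether the loaded certificate actually carries a private key (SslStream cannot present a client certificate it cannot sign with, so `HasPrivateKey` is the first thing to check), and what exactly `Verify()` and the X509Chain element status are complaining about (`X509ChainStatus.Status` and `StatusInformation` carry the detail the bare `false` hides). The file names `client.pfx`, the password, the host name and the pinned server thumbprint are placeholders; `SslProtocols.Tls12` is used instead of the question's `SslProtocols.Tls`, and the server-certificate callback pins the expected thumbprint instead of returning true unconditionally.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example (not the asker's code). Assumes "client.pfx" is a PKCS#12 file
// holding the client certificate AND its private key; all names are placeholders.
static class SslClientDiagnostics
{
    // Replace with the real thumbprint of the self-signed stunnel server certificate.
    const string ExpectedServerThumbprint = "PLACEHOLDER_SERVER_THUMBPRINT";

    // Load the client certificate and confirm the private key came along with it.
    // Without a private key SslStream has nothing to sign CertificateVerify with
    // and will send an empty certificate list to the server.
    public static X509Certificate2 LoadClientCertificate(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet);
        Console.WriteLine("Subject:       " + cert.Subject);
        Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);
        return cert;
    }

    // Print every chain element and the reason(s) it failed; this is the detail
    // that X509Certificate2.Verify() collapses into a single false.
    public static void ReportChain(X509Certificate2 cert)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // self-signed test cert, no CRL
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            bool ok = chain.Build(cert);
            Console.WriteLine("Chain builds cleanly: " + ok);
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine("  element: " + element.Certificate.Subject);
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine("    " + status.Status + ": " + status.StatusInformation.Trim());
            }
        }
    }

    // Local selection callback: log which issuers the server asked for and
    // return the certificate that carries the private key.
    static X509Certificate SelectLocalCertificate(object sender, string targetHost,
        X509CertificateCollection localCertificates, X509Certificate remoteCertificate,
        string[] acceptableIssuers)
    {
        Console.WriteLine("Server accepts issuers: " + string.Join(", ", acceptableIssuers ?? new string[0]));
        return localCertificates.Count > 0 ? localCertificates[0] : null;
    }

    // Server-certificate validation: log the policy errors and chain status,
    // then accept only the pinned self-signed server certificate.
    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        Console.WriteLine("Server cert policy errors: " + sslPolicyErrors);
        if (chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  " + status.Status + ": " + status.StatusInformation.Trim());
        return sslPolicyErrors == SslPolicyErrors.None
            || (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors
                && certificate.GetCertHashString() == ExpectedServerThumbprint);
    }

    public static void Connect(string host, int port, X509Certificate2 clientCert)
    {
        using (var client = new TcpClient(host, port))
        using (var sslStream = new SslStream(client.GetStream(), false,
            ValidateServerCertificate, SelectLocalCertificate))
        {
            var certs = new X509CertificateCollection { clientCert };
            sslStream.AuthenticateAsClient(host, certs, SslProtocols.Tls12, checkCertificateRevocation: false);
            // Both must be true for a working client-certificate handshake.
            Console.WriteLine("Mutually authenticated: " + sslStream.IsMutuallyAuthenticated);
            Console.WriteLine("Local cert presented:   " + (sslStream.LocalCertificate != null));
        }
    }

    public static void Main()
    {
        var cert = LoadClientCertificate("client.pfx", "PLACEHOLDER_PASSWORD");
        ReportChain(cert);
        Connect("stunnel.example.invalid", 4433, cert);
    }
}
```

Run the chain report before connecting: for a self-signed certificate the expected element status is an untrusted root, which is harmless for a test setup; any other status (for example a key-usage or signature problem) is worth fixing before looking at the handshake itself. After the handshake, `IsMutuallyAuthenticated` being false while `LocalCertificate` is null points at the certificate side (typically a missing or inaccessible private key) rather than at the server.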