Re: ClientCertificates and IIS5 with https://localhost

From: Michel Gallant (neutron_at_istar.ca)
Date: 03/27/05 

Date: Sun, 27 Mar 2005 14:50:42 -0500

With the kind help of Joe Kaplan, I think we have made some
progress on this problem. Joe was looking at .NET code with
Reflector and noticed that the CryptAcquireCertificatePrivateKey()
call was using a "silent" flag!

This suggested that a call to access a client cert with *Strong* protection
(i.e. password protected access via DPAPI to private key) would fail.
So, I removed my client cert from CU / MY store (which I always protect with
Strong import protection) and reimported without the extra pswd protection and
VOILA ... the .NET client works properly.

So, the upshot of this is that it appears that the .NET 1.1 sp1 underlying class
implementation of the following code, for a SSL request to an SSL server requiring client-certificate :

   req.ClientCertificates.Add(jscert);
   resp = (HttpWebResponse)req.GetResponse();

will fail, if the private key access for jscert is password protected (i.e. Strong
protection on import).
It is easy to understand why this may have been implemented (for asp.net processes where
no UI is available).
Further, the client cert (and matching private key) must be loaded to the Current User
store (and NOT the Local Machine store).

So this clearly calls for better documentation on the ClientCertificates.Add and
HttpWebResponse.GetResponse() methods for the case of SSL with required client
certificates. Specifically, how the .NET underlying implementation has changed
with release level:

  .NET 1.0
  .NET 1.1
  .NET 1.1 sp1
  .NET 2.0 beta

I noticed via google searches that some earlier postings *did* report seeing the password
dialogs. So it would be interesting to note what .NET fcl those were using .. e.g.
http://groups-beta.google.com/group/microsoft.public.dotnet.framework/browse_frm/thread/2b51994cc7d4e9b4/732dc492b164eb31?q=ClientCertificates++HttpWebResponse+group:microsoft.public.dotnet.*&rnum=5#732dc492b164eb31

Cheers,
 - Mitch Gallant
   MVP Security
   www.jensign.com

"Michel Gallant" <neutron@istar.ca> wrote in message news:uIIhdlmMFHA.1392@TK2MSFTNGP10.phx.gbl...
> I have done more testing on this and I'm almost certain the problem
> is with a .NET 1.1 console application trying to negotiate the SSL handshake for
> client-certificate and access to the associated private key in the CU /MY store.
> I tried also using openssl SSL server and same client cert:
> openssl s_server -accept 443 -cert server.pem -Verify 2 -WWW
> with essentially identical (failed to provide client certificate) results.
> The .NET client console app refuses to send a certificate (yet, IE 6 running
> on same machine, using SAME client certificate, works fine with
> either IIS 5 or Openssl running as SSL servers requiring client certs.
>
> Also tried moving the client cert/key to the LM / MY store, but still no success.
> Also, installed fresh .NET 1.1 runtime on a clean XP sp2 system, imported from pfx
> the same client cert/key into CU / MY store and ran the same .NET 1.1 client app
> again .. still same problem.
>
> Is there some issue with user profile or impersonation when using a .NET 1.1
> console application? The following article discusses this, but for asp.net
> applications which is different :
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod27.asp
>
> Here is a very simple .NET 1.1 SSL client code:
> http://www.jensign.com/cryptodev/clientcert.txt
>
> Any suggestions on changes? Can someone else compile and test this against an SSL server?
>
> Thanks,
> - Mitch
>
> "Michel Gallant" <neutron@istar.ca> wrote in message news:%23IxS2ZYMFHA.1268@TK2MSFTNGP14.phx.gbl...
> > I have seen a number of postings with problems similar to this:
> >
> > W2k Pro sp4 fully patched
> > IIS 5 web service: ssl enabled; requiring client certificates
> > Running on same machine as client
> >
> > Client .NET 1.1 console application in C#:
> > (certfile is also a valid certificate in CU MY store .. with associated private key available)
> >
> > .....
> > X509Certificate jscert = X509Certificate.CreateFromCertFile(certfile);
> > HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
> > req.ClientCertificates.Add(jscert);
> > HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
> > ... stream response
> >
> > the url is specified as https://localhost/somwebpage
> >
> > but the C# client console application, running as current user, does not appear to have access to
> > the private key and the SSL negotation for client certificate fails:
> >
> > System.Net.WebException: The remote server returned an error: (403) Forbidden.
> >
> > If I change the host name from "localhost" so "<mymachinename>" (as suggested by a previous
> > posting) there error message changes to:
> >
> > System.Net.WebException: The underlying connection was closed: Could not establi sh trust relationship with remote server.
> >
> > HOWEVER, exactly the same url, accessed from same machine and user context
> > with IE6 browser does properly raise the private key password access for same certificate.
> >
> > Any ideas? I haven't explicitly imported my certificate/pvk into the LocalMachine store (yet)
> > but I understand that .NET 1.1 implementation of req.GetResponse() when an SSL client cert
> > negotation is required is to (internally) check BOTH CU and LM stores for certificates-with-private-keys
> > matching the certificate file specified in CreateFromCertFile(certfile).
> >
> > Are there any TEST SSL servers on the Internet which require client certificate authentication?
> >
> > - Mitch Gallant
> >
> >
>
>

Relevant Pages