Re: SslStream behavior (slow handshake when used in windows services)



I think the personal store is the wrong place. You should put them in other
people most likely. If you are putting the whole chain in, I'd put the
intermediate CA certs in the intermediate CA certificate store. I assume
the root is already in trusted roots.

The machine store should be fine and apply to all processes on the box,
although I don't know if there are any weird exceptions to this. The
profile for the service account should also work.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<letibal@xxxxxxxxx> wrote in message
news:1169206520.823861.269080@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Joe/Dominik,

I have found a workaround to my problem.
I still don't know what is really happening there :

****************
System.Net Information: 0 : [2460] SecureChannel#4032828 - Remote
certificate has errors:
System.Net Information: 0 : [2460] SecureChannel#4032828 - Unknown
error.
System.Net Information: 0 : [2460] SecureChannel#4032828 - Remote
certificate was verified as valid by the user.
*****************

However I know it has something to do with the server-side certificate
validation.
For some reason, it seems that it fails to validate the cert chain (?)
or takes ages to retrieve it and does not succeed ... but still does
not log any error/warning apart from this unknown error.

So if I store the server side cert into the certificate store of the
user account of the user that runs the Windows Service, the problem
disappears!

One last problem though! I have tried the exact same piece of code,
but instead of putting it on a win app or on a windows service, I have
put it on an ASP.NET web service. (A client triggers the web service,
which in turn attempts to remotely connect using SSL to a web server.)
Since I encountered the exact same problem, I tried to store the server
side cert into the correct certificate store.

Using the Microsoft Management console (snap in 'Certificate'), I
stored this cert in the 'Personal' directory of the snap in for :
- a Computer account -- did not make any change
- a Service Account -- (I tried W3WP and ASP.NET) -- did not make any
change

Questions :
- Does this approach make sense ?
- Which windows service do you think I should consider ? (i.e. which
one carries out the SSL handshake when this handshake is initiated by
an ASP.NET web service)

Thanks for your help,

Tibo







Dominick Baier wrote:
you can turn tracing on at System.Net level - maybe this is helpful

http://www.leastprivilege.com/TracingSystemNet.aspx

-----
Dominick Baier (http://www.leastprivilege.com)

I don't know how to get more logging on the unknown error (sorry!),
but I think you are definitely on to something.

However, I can't tell from the trace below if the system account is
checking the CRL and that is what it doesn't like or if there is just
something wrong with the chain itself.

You might consider writing some diagnostics code using
System.Security.Cryptography.X509Certificates and using the new
X509Chain class to check the status while playing around with various
policies. I'm not sure exactly how to stitch all that together right
off the top of my head, but it gives you granular control over how the
chain is verified, so you might be able to figure it out that way.

I wish I had a magic bullet for you.

Joe K.
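As an added example (not code from anyone in this thread), here is the kind of X509Chain diagnostics Joe describes. It builds the chain for the server certificate in both the user and the machine context, with and without online CRL checking, times each build, and prints every chain status the engine reports, so a slow or failing CRL/intermediate fetch shows up as a timeout or status code instead of the "Unknown error" in the trace. It also includes a RemoteCertificateValidationCallback for SslStream that logs what the framework found and only accepts a clean result; the "verified as valid by the user" line in the trace above suggests the original callback accepts the certificate regardless of errors, which hides the real problem. The certificate file path and the 15 second retrieval timeout are assumptions for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical diagnostics helper, not code from the thread.
public static class ChainDiagnostics
{
    // Builds the chain for 'cert' under the given policy and prints every
    // status the chain engine reports, plus how long the build took.
    // Returns true only when X509Chain.Build succeeds with no errors.
    public static bool Check(X509Certificate2 cert, bool useMachineContext,
                             X509RevocationMode revocation)
    {
        // useMachineContext selects the LocalMachine stores instead of the
        // CurrentUser stores of whichever account runs this code.
        X509Chain chain = new X509Chain(useMachineContext);
        chain.ChainPolicy.RevocationMode = revocation;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        // Bound the time spent fetching CRLs and intermediates over the network
        // (assumed value) so a blocked fetch surfaces as a timeout, not a hang.
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);

        Stopwatch sw = Stopwatch.StartNew();
        bool ok = chain.Build(cert);
        sw.Stop();

        Console.WriteLine("Context={0} Revocation={1} Build={2} Elapsed={3} ms",
            useMachineContext ? "Machine" : "User", revocation, ok, sw.ElapsedMilliseconds);

        // Overall statuses (e.g. RevocationStatusUnknown, OfflineRevocation,
        // PartialChain, UntrustedRoot) tell you which part of validation failed.
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  chain status: {0} - {1}", s.Status, s.StatusInformation.Trim());

        // Per-element statuses show which certificate in the chain is the problem.
        foreach (X509ChainElement e in chain.ChainElements)
        {
            Console.WriteLine("  element: {0}", e.Certificate.Subject);
            foreach (X509ChainStatus s in e.ChainElementStatus)
                Console.WriteLine("    {0} - {1}", s.Status, s.StatusInformation.Trim());
        }
        return ok;
    }

    // Runs the same certificate through the combinations Joe asks about:
    // user vs. machine context, and with vs. without CRL checking. If only
    // the Online runs are slow or fail, revocation checking is the culprit;
    // if the NoCheck runs fail too, the chain itself is the problem.
    public static void Compare(X509Certificate2 cert)
    {
        Check(cert, false, X509RevocationMode.NoCheck);
        Check(cert, false, X509RevocationMode.Online);
        Check(cert, true,  X509RevocationMode.NoCheck);
        Check(cert, true,  X509RevocationMode.Online);
    }

    // Validation callback for SslStream that logs what the framework found
    // instead of silently accepting. Only a clean result is accepted.
    public static bool LoggingValidator(object sender, X509Certificate certificate,
                                        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        Console.WriteLine("SslPolicyErrors: {0}", sslPolicyErrors);
        if (chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  {0} - {1}", s.Status, s.StatusInformation.Trim());
        return sslPolicyErrors == SslPolicyErrors.None;
    }

    // Usage: pass the exported server certificate (.cer) as the first argument.
    public static void Main(string[] args)
    {
        X509Certificate2 cert = new X509Certificate2(args[0]);
        Compare(cert);
    }
}
```

Run the console program once under an interactive account and once under the service account (or inside the service/ASP.NET process) and compare the output: the run that reports OfflineRevocation or RevocationStatusUnknown, or that takes seconds on the Online builds only, points at CRL retrieval for that account; a PartialChain or UntrustedRoot status instead points at which store is missing which certificate. To get the same information from the real connection, construct the stream as `new SslStream(netStream, false, ChainDiagnostics.LoggingValidator)`.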



