Re: SSL SSPI ClientCertificate



Some servers request a client certificate, but are willing to continue the
connection even without one. The SSL/TLS protocol supports this sort of
thing. As a client, you just need to send an empty Certificate message
(SSL3) or a no_certificate alert (TLS) instead of a client certificate. I
know little of the SSLStream class, but that must be what it's doing.

To do this using SSPI, when you get the SEC_I_INCOMPLETE_CREDENTIALS error,
as I recall all you need to do is to call InitializeSecurityContext back
with the ISC_USE_SUPPLIED_CREDENTIALS flag. Assuming that the credential
handle you specify doesn't contain a client certificate, this tells the
schannel security package that you want to continue the handshake without
sending a client certificate.

Regards,
John

"Bob" <msgdev@xxxxxxxxxxx> wrote in message
news:%233t0iBcfGHA.4464@xxxxxxxxxxxxxxxxxxxxxxx
I created an SSL/TLS class via SSPI and it works well.
But I have a question about client certificate. There is one server I
test with that seems to require a client certificate because it's returning
the SEC_I_INCOMPLETE_CREDENTIALS error when calling
InitializeSecurityContext().

If I set a client certificate it works. This is how I expected it to
work.

But I tried to use the SSLStream class in .Net 2.0 for another project and
if I try and connect using that it still connects even without specifying
a client certificate.

Does anyone know why the SSLStream class does not need a client
certificate but my application using the SSPI does? Is there a way I can
get around the request without having to specify a client certificate?

Thanks

Bob
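
The retry described in the reply above, written as the per-step decision of a Schannel client handshake loop. This is an added example, not code from either poster: the hs_* names are hypothetical, the request flag is spelled ISC_REQ_USE_SUPPLIED_CREDS in sspi.h, and failing on a second SEC_I_INCOMPLETE_CREDENTIALS is this example's own choice.

```c
/* Added example: decide what a Schannel client loop does after each
 * InitializeSecurityContext (ISC) call, including the "no client cert" retry. */
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#else
/* Values copied from the Windows SDK so the logic also builds off Windows. */
typedef long SECURITY_STATUS;
#define SEC_E_OK                     ((SECURITY_STATUS)0x00000000L)
#define SEC_I_CONTINUE_NEEDED        ((SECURITY_STATUS)0x00090312L)
#define SEC_I_INCOMPLETE_CREDENTIALS ((SECURITY_STATUS)0x00090320L)
#define SEC_E_INCOMPLETE_MESSAGE     ((SECURITY_STATUS)0x80090318L)
#define ISC_REQ_USE_SUPPLIED_CREDS   0x00000080
#endif

/* Hypothetical names: the action the caller's loop takes next. */
typedef enum {
    HS_DONE,           /* handshake complete */
    HS_SEND_THEN_READ, /* send the output token, read the reply, call ISC again */
    HS_READ_MORE,      /* partial record: read more bytes, call ISC again */
    HS_RETRY_NO_CERT,  /* call ISC again, same input buffers, updated flags */
    HS_FAIL            /* abort the connection */
} hs_action;

typedef struct {
    unsigned long isc_flags; /* fContextReq passed to InitializeSecurityContext */
    int cert_declined;       /* set once the certificate request was answered */
} hs_state;

hs_action hs_next(hs_state *s, SECURITY_STATUS status)
{
    if (status == SEC_E_OK)                 return HS_DONE;
    if (status == SEC_I_CONTINUE_NEEDED)    return HS_SEND_THEN_READ;
    if (status == SEC_E_INCOMPLETE_MESSAGE) return HS_READ_MORE;
    if (status == SEC_I_INCOMPLETE_CREDENTIALS) {
        /* Example's choice: a second request in one handshake is treated
         * as an error so the loop cannot spin forever. */
        if (s->cert_declined) return HS_FAIL;
        /* The credential handle carries no certificate; this flag tells
         * schannel to continue with exactly those credentials. */
        s->isc_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
        s->cert_declined = 1;
        return HS_RETRY_NO_CERT;
    }
    return HS_FAIL; /* any other status ends the handshake */
}
```

A server that requires the certificate can still end the handshake after the retry, so the caller has to treat HS_FAIL on a later step as a normal outcome.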


