Client Certificate Not Getting Added to the Request (Certificate Verify)

  • Home
  • Languages
  • Csharp
  • Client Certificate Not Getting Added to the Request (Certificate Verify)

Client certificate not getting added to the request (Certificate Verify)

While researching how to capture socket data to Wireshark, from my locally hosted page, I accidentally stumbled upon an article saying that "Certificate Verify" isn't sent over TLS 1.2 in "newer versions of Windows" (like Windows 10).

So I changed the protocol to TLS 1.0 and the request went through:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

With TLS 1.1 I get an exception, unlike what the guy in that article said:

(WebException) The request was aborted: Could not create SSL/TLS secure channel.

Why this worked isn't something I have time to investigate currently, as I'm already way behind schedule debugging this issue, but it sounds to me like a bug, much like another user claimed in another question.

I found a Microsoft article along these lines saying:

This issue only occurs with servers that downgrade the TLS session in an ungraceful way (such as by sending a TCP reset when receiving a TLS protocol version that the server does not support)

But since I start in TLS 1.2, and the server clearly accepts TLS 1.2 (via Postman and Chrome), it must be a tiny part of the TLS 1.2 protocol that isn't implemented the same way or something. I still don't understand how the Postman native Windows app manages to use TLS 1.2 though.

It may be worth noting that Internet Explorer first attempts TLS 1.2, and then after 2 resets (like my client), it just downgrades to TLS 1.0 and gets through. To me this sounds very similar to the update to Internet Explorer talked about in the article:

Wireshark showing IE resetting TLS 1.2 connection with Certificate Verify, and then downgrading to TLS 1.0

I realize this is not a great answer (when it comes to details of "why"), but at least it gives a hint as to what one might try if coming across similar issues.

If anyone understands this issue, and perhaps even knows how I can support TLS 1.2, then I'd appreciate it very much.

Why is my certificate not being send in the request?

Finally figured this one out. The other party needed to trust the root CA from our client certificate

OpenSSL how to request client certificate, but don't verify it

You should read the manual. It states:

void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb verify_callback);

[...]


The return value of verify_callback controls the strategy of the further verification process. If verify_callback returns 0, the verification process is immediately stopped with "verification failed" state. [...] If verify_callback always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established. [...]

Writing a function that always returns 1 and passing it as verify_callback should help you solve the problem.


Related Topics

Regex First Digits Occurrence

Linq Multiple Group by in a List<T> Then Convert to List<T>

How to Test If a Instance of a Class Is a Specific Generic Type

Itextsharp Pdfptable How to Make a Border Around Entire Table

How to Show a Console Output/Window in a Forms Application

How to Get Nested Json Values in C#

How to Default a Null Json Property to an Empty Array During Serialization With a List<T> Property in Json.Net

Posting Jsonobject With Httpclient from Web API

How to Use Telegram API in C# to Send a Message

Data Binding in MVC 5 and Select2 Multiple Values With Razor Engine

Encode a Filestream to Base64 With C#

How to Get the Currently Loggedin Windows Account from an ASP.NET Page

How to Select Last Record in a Linq Groupby Clause

Searching If Value Exists in a List of Objects Using Linq

Regular Expression for Anything But an Empty String

Most Efficient Way to Compare Two Ienumerables (Or Lists) in Linq

How to Check If User Input Is from Barcode Scanner or Keyboard

How to Generate Getters and Setters in Visual Studio


Leave a reply



Submit