
SSLStream set trusted certificate authorities on server authentication

I am trying to authenticate clients where there is an exchange of certificates. The issue that I am having is that the openssl client rejects the connection attempt because no certificate authorities are included in the authentication handshake.

This seems to work fine for an instance running on Windows Server 2008 R2, but in both of my dev environments (Windows 10 and Windows 7) it fails. I have looked at and tried to change a few Windows settings (mostly Local Group Policy) that might be inhibiting the addition of the certificate authorities, but I can't get it working correctly.

Is that the function of the string array acceptableIssuers field of the LocalCertificateSelectionCallback?

I also found another Stack Overflow PHP solution that is related, but I don't know how to apply it to the SslStream class.

My code looks like this:

var _nwStream = new SslStream(client.GetStream(), true,
(sender, certificate, chain, sslPolicyErrors) =>
{
  // Reject the client when its certificate is missing or does not chain to a trusted root.
  bool policyErrs = (sslPolicyErrors & (SslPolicyErrors.RemoteCertificateChainErrors | SslPolicyErrors.RemoteCertificateNotAvailable)) != 0;
  if (policyErrs)
  {
    string message = string.Format("Remote Certificate failed for client: {0}, SSL policy errors {1}", client.Client.RemoteEndPoint, sslPolicyErrors);
    // log 'message' here
  }
  return !policyErrs;
},
(sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) =>
{
  // acceptableIssuers is an input parameter of this callback; assigning to it here
  // only changes the local variable and does not alter what is sent to the client.
  acceptableIssuers = new string[] { _cert.Issuer };
  return _cert;
});

_nwStream.AuthenticateAsServer(_cert, true, System.Security.Authentication.SslProtocols.Tls, true);

Any help would be greatly appreciated. Thanks!

Well, I don't know why it didn't show up sooner. There is a registry entry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL called SendTrustedIssuerList which was set to 0; changing it to 1 resolved the issue. This flag is probably set to 1 by default on Windows Server instances.
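The client-side counterpart of the server code above, as an added example that is not from the post: it shows where the CA list that SendTrustedIssuerList enables actually arrives (the acceptableIssuers parameter of the client's selection callback) and uses it to pick a client certificate, offering none when the server sent no list. The class and method names (MutualTlsClient, SelectByAcceptableIssuer, Connect) are assumed here.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class MutualTlsClient
{
    // Picks the candidate certificate whose issuer the server says it trusts.
    // acceptableIssuers is filled from the CA list in the server's CertificateRequest;
    // with SendTrustedIssuerList = 0 on the server that list arrives empty.
    public static X509Certificate SelectByAcceptableIssuer(
        X509CertificateCollection candidates, string[] acceptableIssuers)
    {
        if (candidates == null || candidates.Count == 0)
            return null;

        // No CA list from the server: send nothing rather than guess with an
        // unrelated certificate, so the failure is visible instead of silent.
        if (acceptableIssuers == null || acceptableIssuers.Length == 0)
            return null;

        foreach (X509Certificate candidate in candidates)
        {
            var cert = candidate as X509Certificate2 ?? new X509Certificate2(candidate);
            foreach (string issuer in acceptableIssuers)
            {
                // Both sides are formatted X.500 names; DN string formatting can differ,
                // so fall back to comparing the DER encoding of the name.
                if (string.Equals(cert.Issuer, issuer, StringComparison.OrdinalIgnoreCase)
                    || cert.IssuerName.RawData.SequenceEqual(new X500DistinguishedName(issuer).RawData))
                    return cert;
            }
        }
        return null;
    }

    // Client side of the exchange: verify the server certificate strictly, then
    // offer a client certificate chosen from the server's acceptable-issuer list.
    public static SslStream Connect(Stream transport, string targetHost,
        X509CertificateCollection clientCerts)
    {
        var ssl = new SslStream(transport, false,
            (sender, cert, chain, errors) => errors == SslPolicyErrors.None,
            (sender, host, local, remote, issuers) => SelectByAcceptableIssuer(local, issuers));
        ssl.AuthenticateAsClient(targetHost, clientCerts, SslProtocols.Tls12,
            checkCertificateRevocation: true);
        return ssl;
    }
}
```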
