
Why does the TLS handshake fail when using a certificate that exposes only the public key?

The TLS handshake fails when using a certificate that exposes only the public key, but it works when we use another certificate that exposes the private key. When we use the certificate that exposes only the public key, the server responds with "400 Bad Request No required SSL certificate was sent".

One key difference here is that with the 2nd certificate, which exposes the private key, we grant permission to Network Service, but since the 1st certificate does not expose a private key we are not able to grant permission to Network Service. Both certificates are properly installed in the store.

Following is the sample code:

using System;
using System.Configuration;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;

public string TestCall()
{
    try
    {
        string url = "Some URL";
        string apiKey = "Key Information";
        string secret = "Key Secret";
        string payload = "Timestamp";

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "POST";
        request.ContentType = "application/json";
        request.SendChunked = false;
        request.AllowAutoRedirect = true;
        request.Date = DateTime.UtcNow;

        // Open the machine-wide Trusted People store read-only and look up the
        // client certificate by the thumbprint configured in app settings.
        var keyStore = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        keyStore.Open(OpenFlags.ReadOnly);

        X509Certificate clientCertificate = keyStore.Certificates.Find(
            X509FindType.FindByThumbprint,
            ConfigurationManager.AppSettings["ThumbPrint"],
            true)[0];
        keyStore.Close();

        // Attach the certificate so it is offered during the TLS handshake.
        request.ClientCertificates.Add(clientCertificate);

        // HmacAuthProvider is the application's own helper for request signing headers.
        var authProvider = new HmacAuthProvider();
        var headers = authProvider.GenerateAuthHeaders(apiKey, secret, payload, url);
        foreach (var header in headers)
        {
            request.Headers.Add(header.Key, header.Value);
        }

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }
    catch (Exception ex)
    {
        return ex.Message + " " + ex.StackTrace;
    }
}

Any idea what is missing here, so that the certificate without a private key is not reaching the server?

Certificate-based authentication requires possession of the private key for the corresponding certificate. You cannot use only the public certificate (without having the private key) for client authentication; you need the private key because it is used to sign TLS handshake data.
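The following is an added example, not code from the question or the answer above. It shows a pre-flight check that a practitioner would put in front of request.ClientCertificates.Add so that the two failure modes discussed here (certificate has no linked private key at all, or the key exists but the service account cannot read it) surface as explicit errors in the client instead of a generic "400 No required SSL certificate was sent" from the server. It assumes the thumbprint comes from configuration as in the question, and it defaults to the Personal (My) store, which is where certificates imported together with their private key normally live; StoreName.My is an assumption and can be overridden.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: verify that a client certificate is actually usable for TLS client
// authentication (private key linked AND readable by this process) before using it.
public static class ClientCertCheck
{
    // Returns the certificate when it carries a usable private key; otherwise throws
    // with a message that names the real problem. StoreName.My is an assumed default.
    public static X509Certificate2 FindUsableClientCert(
        string thumbprint,
        StoreName storeName = StoreName.My,
        StoreLocation location = StoreLocation.LocalMachine)
    {
        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: true);

            if (matches.Count == 0)
                throw new InvalidOperationException(
                    $"No valid certificate with thumbprint {thumbprint} in {location}\\{storeName}.");

            var cert = matches[0];

            // A certificate that only exposes the public key cannot produce the
            // CertificateVerify signature, so the server never sees a client certificate.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate has no associated private key. Import the PFX (certificate plus key), " +
                    "not just the .cer file.");

            // HasPrivateKey only says a key is linked; the running identity (e.g. Network Service)
            // must also be allowed to read it. Opening the key is what actually checks that.
            try
            {
                using (var rsa = cert.GetRSAPrivateKey())
                using (var ecdsa = cert.GetECDsaPrivateKey())
                {
                    if (rsa == null && ecdsa == null)
                        throw new InvalidOperationException(
                            "Private key is neither RSA nor ECDSA; cannot be used for TLS client auth.");
                }
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Private key exists but this account cannot read it. Grant the service account " +
                    "read access to the private key (certificate manager: Manage Private Keys).", ex);
            }

            return cert;
        }
    }

    // Usage from the question's TestCall, replacing the bare store lookup:
    //   request.ClientCertificates.Add(
    //       ClientCertCheck.FindUsableClientCert(ConfigurationManager.AppSettings["ThumbPrint"]));
}
```

Distinguishing the two cases matters for the scenario in the question: the first certificate (public key only) fails the HasPrivateKey check and no amount of permission granting will fix it, while a certificate whose key exists but is not readable by Network Service fails at the GetRSAPrivateKey/GetECDsaPrivateKey step and is fixed by granting key permissions.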
