
I try to establish an SSL session with a client certificate and try to validate both sides: the client verifies the server's cert and vice versa. This works well on my DEV machine (signatureVerified: 1). If I run the code on a different machine, the verification of the server cert on the client's side fails (signatureVerified: 0).

Any ideas why this could be? Are there any additional requirements for chilkat Socket that I'm not aware of?

Thanks in advance! T.

asked Mar 17 '13 at 12:32

Torsten


It's difficult to tell what might be wrong without a code snippet and the contents of the LastErrorText property (as they are immediately after the failed call), so if you can supply those, then that might help.

Since the problem is with certificate handling, the Socket might re-use code from the ChilkatCert library. Maybe you could try deploying that library on the failing machine?


answered Mar 17 '13 at 20:38

jpbro ♦

> It's difficult to tell what might be wrong without a code snippet and the contents of the LastErrorText property (as they are immediately after the failed call), so if you can supply those, then that might help.

I don't think there's much more to see than I already provided. But you asked for it, so here you are:

Win 7:

ChilkatLog:
  SignatureVerified:
    DllDate: Dec 12 2012
    UnlockPrefix: MyNamexSocket
    Username: HOSTNAMEWIN7:MyUser
    Architecture: Little Endian; 32-bit
    Language: .NET 4.0
    VerboseLogging: 1
    Initializing certificate validity info.....
    calling CertCreateCertificateChainEngine...
    CryptoAPI certificate chain engine created.
    CryptoAPI certificate chain built.
    CryptoAPI certificate chain processing completed.
    signatureVerified: 1
  --SignatureVerified
--ChilkatLog

Win XP:

ChilkatLog:
  SignatureVerified:
    DllDate: Dec 12 2012
    UnlockPrefix: MyNamexSocket
    Username: HOSTNAMEXP:MyUser
    Architecture: Little Endian; 32-bit
    Language: .NET 4.0
    VerboseLogging: 1
    Initializing certificate validity info.....
    calling CertCreateCertificateChainEngine...
    signatureVerified: 0
  --SignatureVerified
--ChilkatLog

Both outputs were created with the very same binary. Here's the source:

' The snippet is the body of a connect-and-verify routine; the enclosing
' Function name is added here for context, and Receive() is the poster's own
' helper that is not shown.
Private Function ConnectAndVerify() As Boolean
    ' Load the PEM client certificate that is presented to the server
    If Not SSL.SetSslClientCertPem(My.Application.Info.DirectoryPath & "\certificate.crt", "") Then
        MsgBox("error setting cert")
        Return False
    End If

    ' Connect with SSL/TLS enabled and a 10-second timeout
    If Not SSL.Connect("192.168.1.2", 12345, True, 10000) Then
        MsgBox("error connecting to server")
        Return False
    End If

    Receive()

    ' Fetch the server certificate and verify its chain signature
    Dim serverCert As Chilkat.Cert
    serverCert = SSL.GetSslServerCert
    serverCert.VerboseLogging = True

    Dim success = serverCert.SignatureVerified
    Console.WriteLine(serverCert.LastErrorText)
    Return success
End Function

> Since the problem is with certificate handling, the Socket might re-use code from the ChilkatCert library. Maybe you could try deploying that library on the failing machine?

I may be wrong, but I understood that chilkatCert is included in chilkatSocket. However, I can successfully create a cert object and read properties like subject and dates and such from my client cert.


answered Mar 18 '13 at 03:45

Torsten

I narrowed down the problem a bit. I can get successful cert verification on more than one Win7x64 and Win7x86 machine. Also I can get successful cert verification on WinXP with VB6 code using the chilkatSocket and chilkatCert Active-X controls. Using the .NET chilkatSocket on XP SP3 x86 still fails. This can be reproduced easily.

This is the VB.NET code which works fine on Win7 and fails on XP:

Class MainWindow
    Private Const ChilkatSocketLicense As String = "MyNamexSocket123456"
    Private SSL As New Chilkat.Socket

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.Windows.RoutedEventArgs) Handles Button1.Click
        Dim cert As Chilkat.Cert
        Dim Success As Boolean
        ' Unlock the component, load the client cert, connect with SSL
        Success = SSL.UnlockComponent(ChilkatSocketLicense)
        MsgBox("Unlock: " & Success)
        Success = SSL.SetSslClientCertPem(My.Application.Info.DirectoryPath & "\certificate.crt", "")
        MsgBox("SetClientCert: " & Success)
        Success = SSL.Connect("192.168.1.2", 12345, True, 10000)
        MsgBox("Connect: " & Success)
        ' Verify the server certificate presented during the handshake
        cert = SSL.GetSslServerCert()
        MsgBox("SignatureVerified: " & cert.SignatureVerified)
    End Sub
End Class

This is the VB6 code:

Private Const ChilkatSocketLicense As String = "MyNamexSocket123456"
Private SSL As New ChilkatSocket

Private Sub Form_Load()
    Dim cert As ChilkatCert
    Dim Success As Long
    ' Unlock the component, load the client cert, connect with SSL (1 = True)
    Success = SSL.UnlockComponent(ChilkatSocketLicense)
    Debug.Print Success
    Success = SSL.SetSslClientCertPem(App.Path & "\certificate.crt", "")
    Debug.Print Success
    Success = SSL.Connect("192.168.1.2", 12345, 1, 10000)
    Debug.Print Success
    ' Verify the server certificate presented during the handshake
    Set cert = SSL.GetSslServerCert()
    Debug.Print cert.SignatureVerified
    End
End Sub

This works well on VB6 and I do get cert.SignatureVerified = 1. Just like it should be.

Summary:

  • The VB6 code uses chilkat Active-X controls and works fine on WinXP AND Win7.
  • The VB.NET code uses chilkat .NET4 assembly and works fine on Win7 but fails CertVerification on WinXP.

I may be wrong but to me this sounds like a bug in the .NET4 assembly of chilkatSocket. I contacted support on Friday but didn't get any response. :-(



answered Mar 18 '13 at 08:42

Torsten

Unfortunately, I don't have/use .NET, so it is hard for me to test. You might have to wait for an official response from Chilkat.

The reason I asked for the LastErrorText in particular was to make sure that the DLL date was the latest (a common problem is with running an old version), but your DLL date is good.

One thing I would check is the LastErrorText property immediately after calling SSL.SetSslClientCertPem AND again after calling SSL.Connect. Even if Success=1, when I get unexpected results, checking this property after each call can be a good place to look for clues.

(Mar 18 '13 at 10:18) jpbro ♦

The underlying implementation is identical whether it's the ActiveX, .NET, C++ libs, etc. In other words, the only difference between the ActiveX and .NET is the thin outer layer that passes arguments to, and returns results from the underlying C++ implementation. If there is a bug in .NET and not the ActiveX, then the bug would be in this thin wrapper, and it's probably not the case here.

I can deduce from the LastErrorTexts you previously posted that it is the call to the Microsoft Crypto API's CertCreateCertificateChainEngine function that is returning a failed status. (http://msdn.microsoft.com/en-us/library/windows/desktop/aa376032%28v=vs.85%29.aspx) Unfortunately, the Chilkat internals did not call Microsoft's GetLastError function to get more specific information about why it failed. I suspect it has to do with that particular machine, or maybe somehow related to permissions. At this very moment, it's not possible to produce a new build that can get this information. It might be possible in a few days.


answered Mar 18 '13 at 10:50

chilkat ♦♦

Any news on this one?

(Apr 03 '13 at 11:36) Torsten

Here's a new build that will log to LastErrorText the error obtained by calling the MS Platform SDK's GetLastError function: http://www.chilkatsoft.com/preRelease/ChilkatDotNet4.zip

(Apr 03 '13 at 11:56) chilkat ♦♦

I finally found the time to try to reproduce the issue with the version of code that you provided in your last comment. This is the output of serverCert.LastErrorText:

ChilkatLog:
  get_KeyContainerName:
    DllDate: Apr  3 2013
    ChilkatVersion: 9.4.1.0
    UnlockPrefix: XXXXXxSocket
    Username: XP-SP3-DEV:Administrator
    Architecture: Little Endian; 32-bit
    Language: .NET 4.0
    VerboseLogging: 1
    No key provider info is available.
    calledFrom: 2
  --get_KeyContainerName
--ChilkatLog

What should "No key provider info is available" tell me?

(Apr 16 '13 at 08:18) Torsten

I'm confused because this looks like the LastErrorText for an access to the KeyContainerName property of a Chilkat.Cert object. Didn't we want the LastErrorText for whichever method is doing the cert's signature verification?

(Apr 16 '13 at 08:54) chilkat ♦♦

Hmm. In my example code above (Mar 18 at 08:42) I wrote "This is the VB.NET code which works fine on Win7 and fails on XP:". There you can find "MsgBox("SignatureVerified: " & cert.SignatureVerified)". This is what fails. And in my last comment I gave what I copied from the cert's properties. If that was wrong, I'll paste serverCert.LastErrorText in my next comment.

(Apr 16 '13 at 10:07) Torsten


ChilkatLog:
  SignatureVerified:
    DllDate: Apr 3 2013
    ChilkatVersion: 9.4.1.0
    UnlockPrefix: XXXXXxSocket
    Username: XP-SP3-DEV:Administrator
    Architecture: Little Endian; 32-bit
    Language: .NET 4.0
    VerboseLogging: 1
    Initializing certificate validity info.....
    calling CertCreateCertificateChainEngine...
    WindowsError: Falscher Parameter.
    WindowsErrorCode: 0x80070057
    signatureVerified: 0
  --SignatureVerified
--ChilkatLog

(Apr 16 '13 at 10:07) Torsten

That's the code:

' Fetch the server certificate and verify its chain signature
Dim serverCert As Chilkat.Cert
serverCert = SSL.GetSslServerCert
serverCert.VerboseLogging = True

Dim success = serverCert.SignatureVerified
Console.WriteLine(serverCert.LastErrorText)

' On failure, show the result and the detailed log from the verification call
If success = False Then
    MsgBox("SignatureVerified: " & serverCert.SignatureVerified)
    MsgBox(serverCert.LastErrorText)
    Return False
End If

(Apr 16 '13 at 10:13) Torsten

I think I see the problem. If you examine the CERT_CHAIN_ENGINE_CONFIG structure, which is an argument to the Windows Platform SDK's CertCreateCertificateChainEngine function:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa377184%28v=vs.85%29.aspx

You'll find that three new members are added to Windows 7 and Windows Server 2008 R2. Effectively, Microsoft made a change that breaks existing code. I'll make a change to update this ASAP, but it'll take until tomorrow.


answered Apr 16 '13 at 10:40

chilkat ♦♦
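As an added illustration of the cbSize mismatch described in this answer (example code written here, not Chilkat's code and not from this thread): a C sketch that models the two layouts of CERT_CHAIN_ENGINE_CONFIG with the member names from the MSDN page linked above, uses a constructed stand-in for the CryptoAPI call so it runs off Windows, and shows a caller that retries with the pre-Win7 size when the OS rejects the newer one with ERROR_INVALID_PARAMETER (0x57, i.e. HRESULT 0x80070057 as in the XP log). The fallback strategy is a suggestion, not what Chilkat's fix did.

```c
#include <stddef.h>
#include <stdint.h>

/* CERT_CHAIN_ENGINE_CONFIG as documented on MSDN: ten members exist on XP/Vista,
 * the last three were added in Windows 7 / Server 2008 R2. Handles are void*. */
typedef struct {
    uint32_t cbSize;
    void    *hRestrictedRoot, *hRestrictedTrust, *hRestrictedOther;
    uint32_t cAdditionalStore;
    void   **rghAdditionalStore;
    uint32_t dwFlags, dwUrlRetrievalTimeout;
    uint32_t MaximumCachedCertificates, CycleDetectionModulus;
    /* Windows 7+ only */
    void    *hExclusiveRoot, *hExclusiveTrustedPeople;
    uint32_t dwExclusiveFlags;
} ChainEngineConfig;

#define CONFIG_SIZE_LEGACY ((uint32_t)offsetof(ChainEngineConfig, hExclusiveRoot))
#define CONFIG_SIZE_WIN7   ((uint32_t)sizeof(ChainEngineConfig))
#define ERROR_INVALID_PARAMETER 0x57u   /* Win32 code behind "Falscher Parameter" */

static uint32_t g_last_error;           /* stands in for GetLastError() */

/* Constructed stand-in for CertCreateCertificateChainEngine so the example runs
 * off Windows: behaves like an OS build that only knows the layout of size
 * os_known_size and rejects any other cbSize, matching the XP log above. */
static int mock_CertCreateCertificateChainEngine(const ChainEngineConfig *cfg,
                                                 uint32_t os_known_size) {
    if (cfg->cbSize != os_known_size) {
        g_last_error = ERROR_INVALID_PARAMETER;
        return 0;
    }
    g_last_error = 0;
    return 1;
}

/* HRESULT_FROM_WIN32: 0x57 becomes the 0x80070057 shown in the log. */
uint32_t hresult_from_win32(uint32_t err) {
    return err ? (0x80070000u | (err & 0xFFFFu)) : 0;
}

/* Down-level-safe caller: try the newest layout first; if rejected with
 * ERROR_INVALID_PARAMETER, retry with the pre-Win7 size so one binary works on
 * XP and Win7. Returns the cbSize that succeeded, or 0 on failure. */
uint32_t create_chain_engine_compat(uint32_t os_known_size) {
    ChainEngineConfig cfg = {0};
    cfg.cbSize = CONFIG_SIZE_WIN7;
    if (mock_CertCreateCertificateChainEngine(&cfg, os_known_size)) return cfg.cbSize;
    if (g_last_error != ERROR_INVALID_PARAMETER) return 0;   /* unrelated failure */
    cfg.cbSize = CONFIG_SIZE_LEGACY;
    if (mock_CertCreateCertificateChainEngine(&cfg, os_known_size)) return cfg.cbSize;
    return 0;
}
```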

I admit I don't fully understand what you mean, let me just mention that I believe it's working correctly under Win7 and it's not working under XP. As said: "I can get successful cert verification on [...] Win7[...]. Also I can get successful cert verification on WinXP with VB6 code using the chilkatSocket and chilkatCert Active-X controls. Using the .NET chilkatSocket on XP SP3 x86 still fails."

(Apr 16 '13 at 14:08) Torsten

Any news on this one?

(May 02 '13 at 05:12) Torsten