
I'm working on an application using .NET and EntireX Broker 9.5.1. I'm attempting to convert the TCP/IP connections to use SSL. I was successful in upgrading my code to do the same thing thanks to Java/Software AG's use of JSSE for handling the SSL/certificate validation. However, when connecting to the same server/port under .NET I'm getting the following error:
02150403: Certificate expired or invalid

The error message sounds like it's communicating. So how can I get .Net to successfully validate the certificate?

PS: The certificate is signed by Verisign.

UPDATE:
Both IE and Firefox successfully connect on https://server.domain:port without throwing certificate errors. My application is actually connecting to ssl://server:port?verify_server=y
verify_server=n throws the same certificate error.

The certificate is not expired. The stack trace from the exception stops right at Broker.Logon();.

at SoftwareAG.EntireX.NETWrapper.Runtime.Broker.Logon(String password)
at FAServer.EntireXDotNetClasses.EntireXWrapper.CreateBroker() in C:\Users\tfburton\Documents\Visual Studio 2010\Projects\NEW FADCOM\FAServer\EntireXDotNetClasses\EntireXWrapper.cs:line 1302

UPDATE:
Here's how I'm creating my Broker object.

try
{
  Broker mybroker;
  // Constructing the Broker does not open the connection yet; the SSL handshake happens at Logon().
  try { mybroker = new Broker(BrokerName, BrokerUser); }
  catch (Exception e)
  {
     Utilities.LogEntry("Error Creating broker instance -- BEFORE LOGON. ", e, true);

     throw new WrapperException("Error Creating broker instance -- BEFORE LOGON. "
                               + Environment.NewLine + e.Message);
  }
  try //{ mybroker.Logon(BrokerPass); }
  {
     mybroker.Password = BrokerPass;
     mybroker.Logon();  //<-- stack trace points here
  }
  catch (AccessViolationException ave)
  {
     Utilities.LogEntry("Error During Broker Logon.", ave,
                        EventLogEntryType.Error);

     throw new WrapperException(ave); //wrap and duck
  }
}
catch ( Exception e )
{
   Utilities.LogEntry("Error Creating broker instance. ", e, true);

   // The certificate failure surfaces as an EntireX XException, not as AccessViolationException.
   XException be = e as XException;
   if ( null != be  ) //<-- resolves to true
   {
      String msg = "Certificate error connecting to: " + BrokerName;

      throw new WrapperException(msg, e);
   }
   throw new WrapperException( "Error Creating broker instance. "
                             + Environment.NewLine + e.Message);  //<-- error caught and re-thrown here

}
Raystorm
  • "*Certificate expired or invalid*" would indicate there's a problem with the certificate on the server. Just wondering, did your successful attempt to get this to work with the JSSE involve any custom trust manager (the kind that ignore errors)? Another line of investigation would be to check whether the server uses Server Name Indication (SNI) and whether the two clients support it (or not) equally, this might cause distinct certificates to be used by the clients. (Java 7 clients normally support SNI.) – Bruno Mar 18 '14 at 02:44
  • The default trust manager validated it just fine. No customization required. (Once I fixed a separate bug setting an incorrect password for the trust store.) – Raystorm Mar 18 '14 at 02:47
  • It seems strange you need to fiddle with a trust store password when a Verisign-issued cert should generally be trusted using the default trust store (i.e. without specifying anything). Is your server cert trusted by IE (for example)? I'd check whether SNI is used with Wireshark (look for the `server_name` extension in the ClientHello message), and whether you actually get the same server cert with both clients. – Bruno Mar 18 '14 at 02:52
  • I had a Java application connecting to a separate https webservice, using a second/separate keystore for some self-signed certs. I had mistakenly set global properties in that application rather than local ones. If I hadn't done that I wouldn't have needed to do any fiddling at all in Java. I'll check to see if I get any cert errors in IE at work tomorrow. – Raystorm Mar 18 '14 at 06:19
  • Do you have bits of code to show for the application that fails? – Bruno Mar 18 '14 at 21:49
  • @Bruno I've Updated the question with the code where the error is thrown. Is there any other code I should add? – Raystorm Mar 18 '14 at 22:09
  • "The certificate is not expired..." - show us the certificate. Since `mybroker.Logon` failed, it's likely a problem with the certificate or a problem with the password. – jww Mar 29 '14 at 05:48

1 Answer


Turns out I was barking up the wrong tree.

I'm not sure if .NET has an equivalent for JSSE.

My solution turned out to be a lot simpler: concatenate the root certs in a text file and add

trust_store=path\to\file\myrrootcerts.pem

as a parameter to the url aka

BROKER-ID
Raystorm
  • Just an observation... you should *not* need to add the entire collection of root certificates to verify one certificate. Usually, one certificate is signed by one CA. Perhaps one more CA if countersigned. – jww Mar 29 '14 at 05:50
  • IIRC, the file has about 5 certs in it. The roots and a couple intermediaries. – Raystorm Mar 29 '14 at 05:59
  • Ah, the end entity or certificate is supposed to include all intermediate certificates required to build a valid chain (sans the root of the chain). It's a well-known problem in PKI called the "which directory" problem (and you just experienced it). For more information, like adding the intermediates and creating a `PFX` or `PKCS12` file, see [Unable to load certificates when trying to generate pfx file](http://stackoverflow.com/questions/22646533/unable-to-load-certificates-when-trying-to-generate-pfx-file/22648161) – jww Mar 29 '14 at 06:20
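An added example (not from the question, the answer, or Software AG's EntireX API) that backs up both the `trust_store` bundle in the answer and jww's point about intermediates: it builds a throw-away root / intermediate / server PKI in memory and verifies the server certificate with .NET's own `X509Chain` against a custom trust store, the way a PEM bundle would be used, so that a missing intermediate shows up as an explicit chain status rather than a generic "expired or invalid". It assumes .NET 6 or later; all names are constructed.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not EntireX code. Shows why a trust_store bundle needs the intermediates
// when the server sends only its own certificate ("which directory" problem).
static class ChainCheck
{
    static readonly DateTimeOffset Now = DateTimeOffset.UtcNow;

    // Issues a certificate signed by 'issuer' (null = self-signed root). CA certs carry
    // BasicConstraints so they may sign; the private key is attached so they can issue.
    static X509Certificate2 Issue(string cn, bool isCa, X509Certificate2? issuer)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        if (issuer == null)
            return req.CreateSelfSigned(Now.AddDays(-1), Now.AddYears(10));
        var serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // keep the serial number positive
        return req.Create(issuer, Now.AddDays(-1), Now.AddYears(5), serial).CopyWithPrivateKey(key);
    }

    // Verifies 'server' against only the given bundle (roots and intermediates, like the
    // concatenated PEM file). Returns the chain status names; empty means the chain is valid.
    static string[] Verify(X509Certificate2 server, params X509Certificate2[] trustBundle)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // ignore the OS store
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;     // offline demo
        chain.ChainPolicy.CustomTrustStore.AddRange(trustBundle);
        return chain.Build(server)
            ? Array.Empty<string>()
            : chain.ChainStatus.Select(s => s.Status.ToString()).Distinct().ToArray();
    }

    static void Main()
    {
        var root = Issue("Constructed Root CA", true, null);
        var inter = Issue("Constructed Intermediate CA", true, root);
        var server = Issue("server.domain", false, inter);

        // Root only: fails, and the status names the real cause (e.g. PartialChain).
        Console.WriteLine("root only        : " + string.Join(",", Verify(server, root)));
        // Root plus intermediate, which is what the answer's concatenated file provides.
        Console.WriteLine("root+intermediate: " + (Verify(server, root, inter).Length == 0 ? "valid" : "invalid"));
    }
}
```

To diagnose a real broker, replace the constructed certificates with the server certificate captured from the handshake and the bundle loaded via `X509Certificate2Collection.ImportFromPemFile`; a `NotTimeValid` status then means genuinely expired, while `PartialChain` means the bundle is missing an intermediate.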