
I'm integrating with a customer for which I'm implementing 2-way SSL, meaning I'm attaching a client certificate to outgoing HTTP requests.

My calling client app is written in C# and is hosted in IIS, while the customer is not using IIS, I think they are using something that's called Layer 7.

I add the client certificate to the request in code:

request.ClientCertificates.Add(clientCertificate);

Now, if I send the HTTP request to the customer with the client certificate, the request fails: the client certificate is not added to the request.

However, if, before invoking the request to the customer, I invoke a request to a dummy application I created and hosted in IIS which requires SSL and client certificates, and afterwards invoke the request to the client, then it passes!

Looks like the request to the dummy application (IIS hosted) triggered something, but I can't figure out what! Why is this happening? Is this some Microsoft bug?

  • _"the client certificate is not added to the request"_ - how do you determine this? How do you do the "double" request, do you reuse the request object? Can you show more relevant code? _"Is this some Microsoft bug?"_ - don't let that be your first suspicion, suspect your own code first. – CodeCaster Mar 04 '15 at 11:38
  • I'm sure because I debugged my code and captured wireshark packets which ensured the client certificate was not present – Y.S Mar 04 '15 at 11:40
  • As for the double request, I'm not using the same object, it's a new HttpWebRequest object – Y.S Mar 04 '15 at 12:07
  • Did you resolve this? I'm having a very similar issue where Wireshark shows the certificate is not sent (specifically the `Certificate Verify` part, which I think is the certificate signing) – Aske B. Mar 07 '18 at 08:20
  • I figured out that the certificate isn't sent when using TLS 1.2. Setting it to TLS 1.0 worked for some strange reason. I'm sure the server I send to supports 1.2 as that's the protocol used by Chrome and Postman, which I've tested to work. For people new to this, this is how you change the protocol globally in your code: `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;` It seems to be a specific issue with TLS1.2 and client certificates as TLS1.2 works fine for many other scenarios. – Aske B. Mar 08 '18 at 14:13
  • 1
  • Man, I am experiencing the same thing. I've been reading and looking at Wireshark for days. .NET is not submitting the certificate over TLS 1.2. We thought it might be a trust chain issue with the client cert, but we managed to find and install the root CA. Client cert is legit but still no luck. – grinder22 Jan 16 '20 at 14:51
  • @grinder22, did you find a way to circumvent this issue? – twinlakes Feb 29 '20 at 23:39
  • @twinlakes yes our issue was the signing algorithm on the cert. SHA-1 is no longer supported. We got a new cert signed with SHA-256 and it started working. – grinder22 Mar 02 '20 at 16:23
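The comments above narrow the problem down to three things the client side can check before the request ever leaves the machine: whether the certificate loaded in the IIS process actually has an accessible private key (without it Schannel cannot produce the `CertificateVerify` signature and silently omits the certificate), which TLS version is negotiated, and what signature algorithm the certificate carries (the SHA-1 case reported by grinder22). The following is an added example written for this page, not the asker's code or the customer's setup; the thumbprint, URL and store location are placeholder assumptions. It runs those checks and then attaches the certificate to an `HttpWebRequest` the same way the question does, pinning TLS 1.2 explicitly rather than downgrading to TLS 1.0 as a workaround.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original question: pre-flight checks for a
// client certificate before attaching it to an outgoing HttpWebRequest.
public static class ClientCertRequest
{
    // Placeholders; the question gives no real thumbprint or endpoint.
    const string Thumbprint = "PLACEHOLDER_THUMBPRINT";
    const string Url = "https://customer.example/endpoint";

    // Load by thumbprint from the machine store. Under IIS the app pool
    // identity must have read access to the private key of this entry;
    // a certificate imported into another user's CurrentUser store will
    // not be visible (or will load without its private key).
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "Client certificate not found in LocalMachine\\My.");
            return matches[0];
        }
    }

    // Fail early on the conditions that cause the certificate to be
    // dropped from the handshake instead of debugging it in Wireshark.
    public static void CheckCertificate(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate has no accessible private key; it cannot be used for client authentication.");

        // SHA-1 signed client certificates are rejected by many peers
        // (the cause found in the comments); surface it before sending.
        string sigAlg = cert.SignatureAlgorithm.FriendlyName ?? string.Empty;
        if (sigAlg.IndexOf("sha1", StringComparison.OrdinalIgnoreCase) >= 0)
            Console.WriteLine("Warning: certificate is signed with {0}; expect the peer to reject it.", sigAlg);

        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new InvalidOperationException("Certificate is outside its validity period.");
    }

    public static HttpWebRequest BuildRequest(string url, X509Certificate2 cert)
    {
        // Pin the protocol explicitly so the negotiated version is known
        // when reading the capture, rather than falling back to TLS 1.0.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        // Same call as in the question: attach the client certificate.
        request.ClientCertificates.Add(cert);
        return request;
    }

    public static void Main()
    {
        X509Certificate2 cert = LoadClientCertificate(Thumbprint);
        CheckCertificate(cert);
        HttpWebRequest request = BuildRequest(Url, cert);
        using (var response = (HttpWebResponse)request.GetResponse())
        {
            Console.WriteLine("HTTP {0}", (int)response.StatusCode);
        }
    }
}
```

If `CheckCertificate` passes and the capture still shows no `Certificate`/`CertificateVerify` from the client, the remaining suspect is the server's `CertificateRequest` message: compare the CA names and signature algorithms it advertises against the chain and signature algorithm of the certificate, since Schannel will not offer a certificate that does not satisfy that request.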
