
I have a C# server that accepts SSL connections. The code boils down to this:

// standard accept loop
TcpClient tcpClient = httpListener.AcceptTcpClient();
// ... create a thread

// ... each thread
SslStream sslStream = new SslStream(tcpClient.GetStream());
sslStream.AuthenticateAsServer(cert);
// ... read from / write to sslStream

This works with most clients. However, if the client is Android, the AuthenticateAsServer call fails with an exception:

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: An unknown error occurred while processing the certificate.

The strange thing is that I am using the exact same certificate when an Android client connects and when any other client connects.

I got as far as getting a network trace of the failing connection attempt. But as far as interpreting the trace, I am out of my depth. Could someone help me understand what is going on below?

System.Net.Sockets Information: 0 : [23040] Socket#42931033 - Accepted connection from 192.168.0.25:48171 to 192.168.0.20:443.
System.Net.Sockets Verbose: 0 : [23040] Exiting Socket#62407605::Accept()   -> Socket#42931033
System.Net.Sockets Verbose: 0 : [23040] TcpClient#39053774::TcpClient(Socket#42931033)
System.Net.Sockets Verbose: 0 : [23040] Exiting TcpClient#39053774::TcpClient() 
System.Net.Sockets Verbose: 0 : [23040] Exiting TcpListener#65849037::AcceptTcpClient()     -> TcpClient#39053774
System.Net.Sockets Verbose: 0 : [23040] TcpListener#65849037::AcceptTcpClient()
System.Net.Sockets Verbose: 0 : [23040] Socket#62407605::Accept()
System.Net.Sockets Verbose: 0 : [29340] TcpClient#39053774::GetStream()
System.Net.Sockets Verbose: 0 : [29340] Exiting TcpClient#39053774::GetStream()     -> NetworkStream#15257950
System.Net Information: 0 : [29340] SecureChannel#21857373::.ctor(hostname=?124, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [29340] Enumerating security packages:
System.Net Information: 0 : [29340]     Negotiate
System.Net Information: 0 : [29340]     NegoExtender
System.Net Information: 0 : [29340]     Kerberos
System.Net Information: 0 : [29340]     NTLM
System.Net Information: 0 : [29340]     TSSSP
System.Net Information: 0 : [29340]     pku2u
System.Net Information: 0 : [29340]     CloudAP
System.Net Information: 0 : [29340]     WDigest
System.Net Information: 0 : [29340]     Schannel
System.Net Information: 0 : [29340]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [29340]     Default TLS SSP
System.Net Information: 0 : [29340]     CREDSSP
System.Net.Sockets Verbose: 0 : [29340] Socket#42931033::Receive()
System.Net.Sockets Verbose: 0 : [29340] Data from Socket#42931033::Receive
System.Net.Sockets Verbose: 0 : [29340] 00000000 : 16 03 01 00 87                                  : .....
System.Net.Sockets Verbose: 0 : [29340] Exiting Socket#42931033::Receive()  -> Int32#5
System.Net.Sockets Verbose: 0 : [29340] Socket#42931033::Receive()
System.Net.Sockets Verbose: 0 : [29340] Data from Socket#42931033::Receive
System.Net.Sockets Verbose: 0 : [29340] 00000005 : 01 00 00 83 03 03 61 10-FE 4F AD 7C 09 0F 95 D8 : ......a..O.|....
System.Net.Sockets Verbose: 0 : [29340] 00000015 : EC 58 12 FE ED 52 50 71-FC 1D 89 5F 95 D8 B7 34 : .X...RPq..._...4
System.Net.Sockets Verbose: 0 : [29340] 00000025 : F8 60 D9 89 33 80 00 00-1E C0 2B C0 2C CC A9 C0 : .`..3.....+.,...
System.Net.Sockets Verbose: 0 : [29340] 00000035 : 2F C0 30 CC A8 C0 09 C0-0A C0 13 C0 14 00 9C 00 : /.0.............
System.Net.Sockets Verbose: 0 : [29340] 00000045 : 9D 00 2F 00 35 00 0A 01-00 00 3C FF 01 00 01 00 : ../.5.....<.....
System.Net.Sockets Verbose: 0 : [29340] 00000055 : 00 17 00 00 00 0D 00 14-00 12 04 03 08 04 04 01 : ................
System.Net.Sockets Verbose: 0 : [29340] 00000065 : 05 03 08 05 05 01 08 06-06 01 02 01 00 05 00 05 : ................
System.Net.Sockets Verbose: 0 : [29340] 00000075 : 01 00 00 00 00 00 0B 00-02 01 00 00 0A 00 08 00 : ................
System.Net.Sockets Verbose: 0 : [29340] 00000085 : 06 00 1D 00 17 00 18                            : .......
System.Net.Sockets Verbose: 0 : [29340] Exiting Socket#42931033::Receive()  -> Int32#135
System.Net Information: 0 : [29340] SecureChannel#21857373 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=192.168.0.20
  Simple Name: 192.168.0.20
  DNS Name: 192.168.0.20

[Issuer]
  CN=SelfSignedCertNNN
  Simple Name: SelfSignedCertNNN
  DNS Name: SelfSignedCertNNN

[Serial Number]
  148326605B6053F1FD62A9CA2B736DB3

[Not Before]
  12/15/2012 12:00:00 AM

[Not After]
  12/15/2022 12:00:00 AM

[Thumbprint]
  4E661D22C762F65478DE1215CF8D19AEBEFF5688

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 1024
  Key Blob: 30 81 89 02 81 81 00 d1 80 fc 38 5f 92 a5 ab a8 e0 ab f2 43 ab 53 4c c4 af c4 be 94 8a 03 dc 28 74 32 3c ef 65 34 e7 d0 f8 84 93 73 de b7 f0 01 bc 79 84 fb 0e 5f 27 68 17 98 be 1c 3a bf 57 09 f4 54 e6 ea 53 59 fe 8d 0d fc 0b d2 c9 70 1c dd 08 c9 f2 b5 ba 71 fa 4f 18 bf 9d 35 d1 1e 68 34 0d 35 e9 1f ca b0 ec e5 02 a1 8d 9a 4c a3 f9 4b d3 7e ad 75 bb 45 73 11 05 0e 33 61 b6 49 3e 84 04 06 f7 05 65 b8 b9 02 03 01 00 01
  Parameters: 05 00

[Extensions]
* Subject Key Identifier(2.5.29.14):
  ....
System.Net Information: 0 : [29340] SecureChannel#21857373 - Found the certificate in the CurrentUser store.
System.Net Information: 0 : [29340] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Inbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [29340] AcceptSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, AcceptStream)
System.Net Information: 0 : [29340] AcceptSecurityContext(In-Buffer length=140, Out-Buffer length=825, returned code=ContinueNeeded).
System.Net.Sockets Verbose: 0 : [29340] Socket#42931033::Send()
System.Net.Sockets Verbose: 0 : [29340] Data from Socket#42931033::Send
System.Net.Sockets Verbose: 0 : [29340] 00000000 : 16 03 01 03 34 02 00 00-51 03 01 59 2F 1E F6 A4 : ....4...Q..Y/...
System.Net.Sockets Verbose: 0 : [29340] 00000010 : 03 8C 42 E3 9F 42 6F BE-48 ED 52 22 50 FB E2 49 : ..B..Bo.H.R"P..I
System.Net.Sockets Verbose: 0 : [29340] 00000020 : 62 CE 69 EC 40 53 43 56-56 1F E2 20 3D 0E 00 00 : b.i.@SCVV.. =...
System.Net.Sockets Verbose: 0 : [29340] 00000030 : 22 62 47 95 70 55 1F D8-5B 60 69 7C D5 6E A5 34 : "bG.pU..[`i|.n.4
System.Net.Sockets Verbose: 0 : [29340] 00000040 : 39 C9 AC 6C E8 FB E0 96-71 29 58 DA C0 14 00 00 : 9..l....q)X.....
System.Net.Sockets Verbose: 0 : [29340] 00000050 : 09 00 17 00 00 FF 01 00-01 00 0B 00 02 2D 00 02 : .............-..
System.Net.Sockets Verbose: 0 : [29340] 00000060 : 2A 00 02 27 30 82 02 23-30 82 01 8C A0 03 02 01 : *..'0..#0.......
System.Net.Sockets Verbose: 0 : [29340] 00000070 : 02 02 10 14 83 26 60 5B-60 53 F1 FD 62 A9 CA 2B : .....&`[`S..b..+
System.Net.Sockets Verbose: 0 : [29340] 00000080 : 73 6D B3 30 0D 06 09 2A-86 48 86 F7 0D 01 01 05 : sm.0...*.H......
System.Net.Sockets Verbose: 0 : [29340] 00000090 : 05 00 30 1C 31 1A 30 18-06 03 55 04 03 13 11 53 : ..0.1.0...U....S
System.Net.Sockets Verbose: 0 : [29340] 000000A0 : 65 6C 66 53 69 67 6E 65-64 43 65 72 74 4E 4E 4E : elfSignedCertNNN
System.Net.Sockets Verbose: 0 : [29340] 000000B0 : 30 1E 17 0D 31 32 31 32-31 35 30 35 30 30 30 30 : 0...121215050000
System.Net.Sockets Verbose: 0 : [29340] 000000C0 : 5A 17 0D 32 32 31 32 31-35 30 35 30 30 30 30 5A : Z..221215050000Z
System.Net.Sockets Verbose: 0 : [29340] 000000D0 : 30 17 31 15 30 13 06 03-55 04 03 13 0C 31 39 32 : 0.1.0...U....192
System.Net.Sockets Verbose: 0 : [29340] 000000E0 : 2E 31 36 38 2E 30 2E 32-30 30 81 9F 30 0D 06 09 : .168.0.200..0...
System.Net.Sockets Verbose: 0 : [29340] 000000F0 : 2A 86 48 86 F7 0D 01 01-01 05 00 03 81 8D 00 30 : *.H............0
System.Net.Sockets Verbose: 0 : [29340] 00000100 : 81 89 02 81 81 00 D1 80-FC 38 5F 92 A5 AB A8 E0 : .........8_.....
System.Net.Sockets Verbose: 0 : [29340] 00000110 : AB F2 43 AB 53 4C C4 AF-C4 BE 94 8A 03 DC 28 74 : ..C.SL........(t
System.Net.Sockets Verbose: 0 : [29340] 00000120 : 32 3C EF 65 34 E7 D0 F8-84 93 73 DE B7 F0 01 BC : 2<.e4.....s.....
System.Net.Sockets Verbose: 0 : [29340] 00000130 : 79 84 FB 0E 5F 27 68 17-98 BE 1C 3A BF 57 09 F4 : y..._'h....:.W..
System.Net.Sockets Verbose: 0 : [29340] 00000140 : 54 E6 EA 53 59 FE 8D 0D-FC 0B D2 C9 70 1C DD 08 : T..SY.......p...
System.Net.Sockets Verbose: 0 : [29340] 00000150 : C9 F2 B5 BA 71 FA 4F 18-BF 9D 35 D1 1E 68 34 0D : ....q.O...5..h4.
System.Net.Sockets Verbose: 0 : [29340] 00000160 : 35 E9 1F CA B0 EC E5 02-A1 8D 9A 4C A3 F9 4B D3 : 5..........L..K.
System.Net.Sockets Verbose: 0 : [29340] 00000170 : 7E AD 75 BB 45 73 11 05-0E 33 61 B6 49 3E 84 04 : ~.u.Es...3a.I>..
System.Net.Sockets Verbose: 0 : [29340] 00000180 : 06 F7 05 65 B8 B9 02 03-01 00 01 A3 6B 30 69 30 : ...e........k0i0
System.Net.Sockets Verbose: 0 : [29340] 00000190 : 1D 06 03 55 1D 0E 04 16-04 14 33 EE 93 24 03 EF : ...U......3..$..
System.Net.Sockets Verbose: 0 : [29340] 000001A0 : 08 F5 79 E0 F8 97 18 9A-71 49 96 8E 9C 1C 30 0B : ..y.....qI....0.
System.Net.Sockets Verbose: 0 : [29340] 000001B0 : 06 03 55 1D 0F 04 04 03-02 01 06 30 09 06 03 55 : ..U........0...U
System.Net.Sockets Verbose: 0 : [29340] 000001C0 : 1D 13 04 02 30 00 30 1F-06 03 55 1D 23 04 18 30 : ....0.0...U.#..0
System.Net.Sockets Verbose: 0 : [29340] 000001D0 : 16 80 14 2F 3A D4 36 7D-3D C9 39 65 AD 7A 7D 34 : .../:.6}=.9e.z}4
System.Net.Sockets Verbose: 0 : [29340] 000001E0 : 02 B7 76 B5 6C 0F 9D 30-0F 06 03 55 1D 11 04 08 : ..v.l..0...U....
System.Net.Sockets Verbose: 0 : [29340] 000001F0 : 30 06 87 04 C0 A8 00 14-30 0D 06 09 2A 86 48 86 : 0.......0...*.H.
System.Net.Sockets Verbose: 0 : [29340] 00000200 : F7 0D 01 01 05 05 00 03-81 81 00 56 DF AE F1 A4 : ...........V....
System.Net.Sockets Verbose: 0 : [29340] 00000210 : CD EE EA F6 69 98 B0 3B-14 EB 51 2F 71 90 65 31 : ....i..;..Q/q.e1
System.Net.Sockets Verbose: 0 : [29340] 00000220 : 4C 4C F6 17 9D 9D 72 72-8C EC 72 DC FA C8 57 20 : LL....rr..r...W 
System.Net.Sockets Verbose: 0 : [29340] 00000230 : 5F 20 33 5D 5A C1 94 8C-FA 41 D6 60 7C D9 18 D3 : _ 3]Z....A.`|...
System.Net.Sockets Verbose: 0 : [29340] 00000240 : 7B C3 FC F8 E5 BA BC 29-69 C3 62 B8 1C F0 AA 4C : {......)i.b....L
System.Net.Sockets Verbose: 0 : [29340] 00000250 : AA DA 70 F1 5C EA 67 B2-E9 4F 06 DB CE BF 7D 28 : ..p.\.g..O....}(
System.Net.Sockets Verbose: 0 : [29340] 00000260 : B1 78 AB 89 D9 D8 62 65-8E 77 75 A4 11 21 DD D8 : .x....be.wu..!..
System.Net.Sockets Verbose: 0 : [29340] 00000270 : E4 A3 9A 88 10 C3 FD 6A-7B 87 90 C4 B9 29 79 0C : .......j{....)y.
System.Net.Sockets Verbose: 0 : [29340] 00000280 : FA 55 66 24 4B 70 E8 6D-01 6A F5 0C 00 00 A6 03 : .Uf$Kp.m.j......
System.Net.Sockets Verbose: 0 : [29340] 00000290 : 00 1D 20 4A EB B4 A5 F2-52 05 3D 13 81 2D 90 97 : .. J....R.=..-..
System.Net.Sockets Verbose: 0 : [29340] 000002A0 : 22 61 A3 AD 1A E4 DD 74-A5 F0 25 6D 0A 4B 73 94 : "a.....t..%m.Ks.
System.Net.Sockets Verbose: 0 : [29340] 000002B0 : 1A CF 2D 00 80 1E 37 33-B5 D6 72 16 B8 7D 01 7B : ..-...73..r..}.{
System.Net.Sockets Verbose: 0 : [29340] 000002C0 : E0 AC 38 4B A2 11 DC EE-1B F3 B8 C7 91 FE D7 42 : ..8K...........B
System.Net.Sockets Verbose: 0 : [29340] 000002D0 : DB B4 41 23 6B 59 09 1E-C4 DB 62 FE 4D E0 42 A4 : ..A#kY....b.M.B.
System.Net.Sockets Verbose: 0 : [29340] 000002E0 : 52 0E 65 04 DA 5C 32 4E-FC DB A4 BA 50 7C D6 35 : R.e..\2N....P|.5
System.Net.Sockets Verbose: 0 : [29340] 000002F0 : 27 D7 89 FB B0 D1 6F 0C-24 2C 2E 55 B4 C1 18 A8 : '.....o.$,.U....
System.Net.Sockets Verbose: 0 : [29340] 00000300 : 01 15 F7 9D 86 8F 24 EB-5B 2C 83 5D A2 D3 7B DD : ......$.[,.]..{.
System.Net.Sockets Verbose: 0 : [29340] 00000310 : 83 47 B1 0A AC D6 01 4C-3B 38 BC 32 F0 FB AA 49 : .G.....L;8.2...I
System.Net.Sockets Verbose: 0 : [29340] 00000320 : 2C 67 BD A4 A1 7A 8E 39-1F B0 1C 15 19 A5 B4 0A : ,g...z.9........
System.Net.Sockets Verbose: 0 : [29340] 00000330 : 85 54 3C C7 4E 0E 00 00-00                      : .T<.N....
System.Net.Sockets Verbose: 0 : [29340] Exiting Socket#42931033::Send()     -> Int32#825
System.Net.Sockets Verbose: 0 : [29340] Socket#42931033::Receive()
System.Net.Sockets Verbose: 0 : [29340] Data from Socket#42931033::Receive
System.Net.Sockets Verbose: 0 : [29340] 00000000 : 15 03 01 00 02                                  : .....
System.Net.Sockets Verbose: 0 : [29340] Exiting Socket#42931033::Receive()  -> Int32#5
System.Net.Sockets Verbose: 0 : [29340] Socket#42931033::Receive()
System.Net.Sockets Verbose: 0 : [29340] Data from Socket#42931033::Receive
System.Net.Sockets Verbose: 0 : [29340] 00000005 : 02 2E                                           : ..
System.Net.Sockets Verbose: 0 : [29340] Exiting Socket#42931033::Receive()  -> Int32#2
System.Net Information: 0 : [29340] AcceptSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 23bda9238f0:16f928a5c40, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, AcceptStream)
System.Net Information: 0 : [29340] AcceptSecurityContext(In-Buffer length=7, Out-Buffer length=0, returned code=CertUnknown).
Exception thrown: 'System.Security.Authentication.AuthenticationException' in System.dll
The thread 0x729c has exited with code 0 (0x0).

It looks like 3 packets are exchanged before I get an exception:

  1. Client sends 135 bytes to my server (starts an SSL handshake?)

  2. Server responds with 825 bytes that include the server's SSL certificate and some other bytes I don't understand.

  3. Client sends 7 bytes that cause my server to experience an AuthenticationException.

If it matters, my code runs on Windows 10 64-bit with .NET 4.0 (not 4.6). The certificate chain has two certificates (a self-signed certificate, which is then used to sign the end-entity certificate).

Could you help me understand what is being sent between Android and my server, and why this is causing an AuthenticationException?

hello
  • This might help: https://stackoverflow.com/questions/28626662/ssl-communication-between-a-c-sharp-server-and-an-android-client-app – JuanR May 31 '17 at 20:54
  • @Juan Thank you, but I do not have control over any clients. All I can do is adapt the server to all the clients that I care about. I can't tell Android clients to import anything to their keystore. – hello Jun 01 '17 at 12:50
  • According to the sequence of bytes that you sent, the Android client may deny your server certificate (it may be untrusted on Android). What is the client application? – Oleg Jun 02 '17 at 10:04
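
The three messages in the trace can be read with a few lines of code. The following is an added example, not part of the original post or its comments: a minimal TLS record decoder (field layout per RFC 5246) applied to the leading bytes of each message, copied from the trace above. The function and table names are illustrative.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 44: "certificate_revoked",
                      45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

# Leading bytes of each message, copied from the System.Net trace in the question.
CLIENT_FLIGHT = "16 03 01 00 87 01 00 00 83 03 03"   # first Receive (5 + 135 bytes)
SERVER_FLIGHT = "16 03 01 03 34 02 00 00-51 03 01"   # Send (825 bytes)
CLIENT_REPLY = "15 03 01 00 02 02 2E"                # last Receive (5 + 2 bytes)

def decode_record(hexdump):
    """Decode the header of the first TLS record in a trace-style hex string.

    The body may be truncated: only the record header, the first handshake
    header and the hello version (or the two alert bytes) are read.
    """
    data = bytes.fromhex(hexdump.replace("-", " "))
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    out = {"type": CONTENT_TYPES.get(ctype, ctype),
           "record_version": VERSIONS.get((major, minor), (major, minor)),
           "length": length}
    body = data[5:5 + length]
    if ctype == 21 and len(body) >= 2:       # alert: level, description
        out["level"] = ALERT_LEVELS.get(body[0], body[0])
        out["description"] = ALERT_DESCRIPTIONS.get(body[1], body[1])
    elif ctype == 22 and len(body) >= 4:     # handshake: type, 24-bit length
        out["message"] = HANDSHAKE_TYPES.get(body[0], body[0])
        out["message_length"] = int.from_bytes(body[1:4], "big")
        if body[0] in (1, 2) and len(body) >= 6:
            key = (body[4], body[5])         # version offered or selected
            out["hello_version"] = VERSIONS.get(key, key)
    return out

if __name__ == "__main__":
    for name, sample in [("client", CLIENT_FLIGHT), ("server", SERVER_FLIGHT),
                         ("client", CLIENT_REPLY)]:
        print(name, decode_record(sample))
```

The 7-byte message decodes as a fatal `certificate_unknown` alert sent by the client, which corresponds to the `CertUnknown` code returned by `AcceptSecurityContext` in the trace.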

0 Answers