How to specify accepted certificates for Client Authentication in .NET SslStream

Question

I am attempting to use the .Net System.Security.SslStream class to process the server side of a SSL/TLS stream with client authentication.

To perform the handshake, I am using this code:

SslStream sslStream = new SslStream(innerStream, false, RemoteCertificateValidation, LocalCertificateSelectionCallback);
sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Default, false);

Unfortunately, this results in the SslStream transmitting a CertificateRequest containing the subjectnames of all certificates in my CryptoAPI Trusted Root Store.

I would like to be able to override this. It is not an option for me to require the user to install or remove certificates from the Trusted Root Store.

It looks like the SslStream uses SSPI/SecureChannel underneath, so if anyone knows how to do the equivalent with that API, that would be helpful, too.

Any ideas?

score 3 · Accepted Answer · answered Sep 15 '08 at 12:10

3

It does not look like this is currently possible using the .NET libraries.

I solved it by using the Mono class library implementation of System.Security.SslStream, which gives better access to overriding the servers behavior during the handshake.

answered Sep 15 '08 at 12:10

Rasmus Faber

48,631
24
141
189

Do you have any more info on how to actually use the Mono implementation from an otherwise regular-framework app? – Miral Jan 07 '20 at 05:01
@Miral This was a long time ago, but taking a quick look at the Mono libraries, I think I would take a dependency on Mono.Net.Security and use the MonoTlsStream. The setting to override is MonoTlsSettings.ClientCertificateIssuers. – Rasmus Faber Jan 07 '20 at 07:56

score 2 · Answer 2 · answered Sep 10 '08 at 15:07

What the certificate validation is doing is validating all certificates in the chain. In order to truely do that it just contact the root store of each of those cerficates.

If that's not something you want to happen you can deploy your own root store locally.

score 1 · Answer 3 · answered Sep 10 '08 at 17:15

1

It is not the validation part I want to change. The problem is in the initial handshake, the server transmits the message informing the client that client authentication is required (that is the CertificateRequest message). As part of this message, the server sends the names of CAs that it will accept as issuers of the client certificate. It is that list which per default contains all the Trusted Roots in the store.

But if is possible to override the certificate root store for a single application, that would probably fix the problem. Is that what you mean? And if so, how do I do that?

answered Sep 10 '08 at 17:15

Rasmus Faber

48,631
24
141
189

Rasmus, I am trying to solve the same problem. Did you find any particular solution? – cdpnet Jun 17 '13 at 05:58
@cdpnet, I solved it by using the Mono implementation of SslStream. – Rasmus Faber Jun 17 '13 at 06:21

How to specify accepted certificates for Client Authentication in .NET SslStream

3 Answers3

Linked