This question is all about solving a SslPolicyError.RemoteCertificateNotAvailable error.

I have developed a TCP Server with SSLStream and a TCP Client for the other end.

I authenticate the server with:

sslStream.BeginAuthenticateAsServer

I authenticate the client with:

sslStream.BeginAuthenticateAsClient

I am loading my client certificate from Trusted Publishers - Local Machine.

Both are running on the same machine.

I tried loading the client certificate from the .cer and .pfx files rather than the trusted publishers store. But the server's client (remote) certificate validator callback fails by finding that SslPolicyErrors has a RemoteCertificateNotAvailable error.

+2  A: 

The link didn't come through, but there's a problem I can spot with the statement:

"I loaded my client certificate from Trusted Publishers"

Client certificates typically live in a Personal store for a user account. Same with Server certificates (they will probably have a different Intended Purpose OID associated with them, though - "Client authentication" vs "Server Authentication"). It'd be odd for you to have a cert with a private key available in the Trusted Publishers store, I think.

If you double-click a client or server certificate in CertMgr.msc, you should see a "This certificate has a private key" message towards the bottom.

If you don't, you only have half a key pair - encryption and authentication require the private key. The server cert needs a private key at the server end, and the client cert needs a private key at the client end.

Tristank
I have also tried loading the certificate from the "Personal" store. My certificate does have a private key.
cdpnet
Certutil -verify -urlfetch should validate whether the certificate is able to be validated correctly. If not, no dice. The server cert needs "intended purpose: server authentication" and the client cert will probably need "client authentication", if it's meant to uniquely identify a client.
Tristank
Tristank. You have spotted the problem actually. I was having a certificate with purpose of only server auth. I needed the certificate which supports client auth. So, once I got that, it worked.
cdpnet
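The resolution of this thread (client cert needs a private key and the Client Authentication EKU, server cert needs Server Authentication, and the server must actually ask for a client cert) as an added, self-contained example. This is not code from the question or the answer. It assumes both certificates sit in the CurrentUser\My (Personal) store with their private keys; the subject names "localhost" and "example-client" and port 8443 are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example (not from the original post). Subjects and port are placeholders.
static class MutualTlsExample
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    const string ServerSubject = "localhost";        // placeholder subject
    const string ClientSubject = "example-client";   // placeholder subject
    const int Port = 8443;                           // placeholder port

    static bool HasEku(X509Certificate2 cert, string oid)
    {
        foreach (X509Extension ext in cert.Extensions)
            if (ext is X509EnhancedKeyUsageExtension eku)
                foreach (Oid o in eku.EnhancedKeyUsages)
                    if (o.Value == oid) return true;
        return false;
    }

    // Pick a certificate from the Personal store that has BOTH a private key and the
    // expected Extended Key Usage; missing either one is the usual reason the peer
    // ends up with RemoteCertificateNotAvailable.
    static X509Certificate2 LoadFromPersonalStore(string subject, string requiredEku)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 c in store.Certificates.Find(
                         X509FindType.FindBySubjectName, subject, validOnly: false))
                if (c.HasPrivateKey && HasEku(c, requiredEku))
                    return c;
        }
        throw new InvalidOperationException(
            $"No cert '{subject}' with a private key and EKU {requiredEku} in CurrentUser\\My");
    }

    // Server-side validator for the client's certificate.
    static bool ValidateClientCertificate(object sender, X509Certificate cert,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
        {
            Console.WriteLine("Client sent no certificate: check private key and Client Authentication EKU.");
            return false;
        }
        if (errors != SslPolicyErrors.None)
        {
            Console.WriteLine($"Client certificate rejected: {errors}");
            return false; // chain or name errors are never waved through
        }
        var c2 = new X509Certificate2(cert);
        bool ok = HasEku(c2, ClientAuthOid);
        Console.WriteLine(ok ? $"Client authenticated as {c2.Subject}" : "Client cert lacks clientAuth EKU");
        return ok;
    }

    static async Task RunServerAsync(X509Certificate2 serverCert)
    {
        var listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();
        using (TcpClient tcp = await listener.AcceptTcpClientAsync())
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateClientCertificate))
        {
            // clientCertificateRequired: true makes SslStream request a client cert;
            // without it the callback sees RemoteCertificateNotAvailable by design.
            await ssl.AuthenticateAsServerAsync(serverCert, clientCertificateRequired: true,
                                                enabledSslProtocols: SslProtocols.Tls12,
                                                checkCertificateRevocation: false);
            Console.WriteLine($"Server: client cert present = {ssl.RemoteCertificate != null}");
        }
        listener.Stop();
    }

    static async Task RunClientAsync(X509Certificate2 clientCert)
    {
        using (var tcp = new TcpClient())
        {
            await tcp.ConnectAsync(IPAddress.Loopback, Port);
            // Loopback demo: accept the server cert only when the default checks pass.
            using (var ssl = new SslStream(tcp.GetStream(), false,
                       (s, cert, chain, errors) => errors == SslPolicyErrors.None))
            {
                var certs = new X509CertificateCollection { clientCert };
                await ssl.AuthenticateAsClientAsync(ServerSubject, certs, SslProtocols.Tls12, false);
                Console.WriteLine($"Client: local cert sent = {ssl.LocalCertificate != null}");
            }
        }
    }

    static async Task Main()
    {
        X509Certificate2 serverCert = LoadFromPersonalStore(ServerSubject, ServerAuthOid);
        X509Certificate2 clientCert = LoadFromPersonalStore(ClientSubject, ClientAuthOid);
        Task server = RunServerAsync(serverCert);
        await RunClientAsync(clientCert);
        await server;
    }
}
```

Two things worth knowing when debugging this with the callback above: on Windows the TLS stack (SChannel) silently offers no client certificate at all if the candidate lacks a usable private key, lacks the Client Authentication EKU, or does not chain to an issuer in the list the server advertises, and the server then sees `RemoteCertificateNotAvailable` rather than a more descriptive failure; and `ssl.LocalCertificate` on the client side is the quickest way to confirm whether a certificate was actually sent.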