Home/ Questions/Q 7064809
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T04:52:48+00:00

I have one server and three clients in which a windows service is running

  • 0

I have one server and three clients in which a windows service is running with local system privileges. Clients and server are mutual authenticated using SSL over TCP and certificates (I’m using the SSLStream class C++\CLI http://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v=vs.90).aspx#Y1124)

The problem is that i need three certificates (one for every client) because i’m authenticating the hosts. Now i want to authenticate the windows service and not the host so i can distribute the same certificate for every host.

Anyone know how can do it ?

— EDIT 1 —-
To give you an example of what i want to do. In every Microsoft Office copy is deployed a certificate that is used to communicate with microsoft servers throught an encrypted/authenticated channel.

— SOLVED —

As Jon said my problem was that the SslStream class perform standard validation which is included the hostname. I provided a custom RemoteCertificateValidationCallback and now it works.

bool ValidateServerCertificate( Object^ sender, X509Certificate^ certificate, X509Chain^ chain, SslPolicyErrors sslPolicyErrors ) {            

  Console::Write("[+] Validating server certificate: ");                                 

  // check certificate hash                                                               
  if( certificate->GetCertHashString()->Equals("cert hash") ) {                                                                                                          
      Console::Write( "oK\n" );                                                      
      return true;                                                                   
  }                                                                                      

   Console::Write(" ERROR\n");                  
   Console::WriteLine("[-] Hash doesn't match");                                 

   // Do not allow this client to communicate with unauthenticated servers.                           
   return false;                                                                                                                                                                                                  
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You simply need to load the certificate e.g. from a file and use that specific certificate to authenticate. If you want to do this on the server side of the connection:

    var certificate = new X509Certificate2("cert.pfx");
sslStream.AuthenticateAsServer(certificate);

    And on the client side:

    X509Certificate certificate = new X509Certificate2("cert.pfx");
var certCollection = new X509CertificateCollection(new[] { certificate });
sslStream.AuthenticateAsClient(targetHost, certCollection, protocols, checkRevocation);

    If the certificates are in password protected files there’s a second parameter to the X509Certificate2 constructor that accepts the password. And of course you probably want to use different certificates for the clients and the server.

    Update:

    So it seems that your problem is that your certificates are not accepted because you are letting .NET perform standard validation (which includes validating the host). You simply need to provide a RemoteCertificateValidationCallback to your SslStream constructor. You can then make all checks you want (or not) inside that. For example, here’s a validator that will blindly accept any certificate:

    private bool DefaultCertificateValidationHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors)
{
    return true;
}
    • 0