Geek Answers Handbook

Understanding server / proxy / client certificates with .NET sslstream

I am creating a TCP proxy server with C # using TcpListener for the proxy server and TcpCLient for communication between the client and the proxy server and between the proxy server and the target server. It works very well.

I must also support SSL and TLS encryption. It works almost fine. I am creating an SslStream from a proxy to the target server using this code:

var sslStream = new SslStream(remoteStream, false); sslStream.AuthenticateAsClient(state.RemoteHost);

And I create an SslStream from a proxy for the Client with the following code:

 var sslStream = new SslStream(state.ClientStream, false); sslStream.AuthenticateAsServer(certificate, false, SslProtocols.Tls | SslProtocols.Ssl3 | SslProtocols.Ssl2, true);

The certificate is downloaded from the X509 repository:

 X509Certificate2 certificate; var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); var certificates = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "CN=localhost", false); store.Close(); if (certificates.Count == 0) { Console.WriteLine("Server certificate not found..."); return; } else { certificate = certificates[0]; }

This also works well if I force clients to trust the certificate manually.

My questions:

  • How to make (all) clients trust a certificate?
  • What certificate that is valid for all clients do I need in a proxy?
  • If necessary, what client certificate do I need to install in order to make trusted proxies trust?
  • How to create the necessary proxy types using openssl or makecert?

I do not want the SSL connection tunnel to be issued by the proxy server, because I need to read and manage the streams.

[UPDATE] Yes, I used Google and search on StackOverflow, and I tried some other solution without any success. I also tried solutions in the following threads:

SSLStream example - how to get certificates that work?

How to determine my server name for server authentication by client in C #

[UPDATE2] This is a very good tutorial on creating a CA and server certificate with openssl, but it doesnโ€™t work for me: http://webserver.codeplex.com/wikipage?title=HTTPS&referringTitle=Home

+4
source share
1 answer

There is no single certificate valid for all requests. So my idea is not working. Because it is not possible to create a single license for each domain name.

But the answer is simpler than expected. To solve my problem, I need to create a certificate for each individual request.

All I need to do is:

  • create a self-signed root certificate as a certificate authority
    • to install this in the Trusted Root Certification Authorities client repository.
  • to create server certificates on the fly for each incoming request
    • sign these certificates with the root certificate tree to install the issuer
    • I can cache certificates in files or in the system certificate store, if necessary.

(this is exactly the same in the violinist)

0
source

More articles:


All Articles