.NET
Bob Smith, 2014-10-31 22:39:20

How to work correctly with SslStream in C#?

1) We developed a service for uploading information about ongoing tenders from a third-party public procurement platform. TLS connection with two-way authentication.
2) CryptoPro 3.6 is installed on the machine, the certificate is loaded into the store, and the connection is established normally.
3) Then an XML with the purchase data is sent, which includes Base64-encoded files with a description of the purchase.
4) If the files attached to the purchase are small (less than ~7 KB), everything goes well: the server returns an XML saying that everything is OK.
5) But if the file is larger than 7 KB, then when receiving the response from the server an exception is thrown:

A call to SSPI failed, see inner exception; The message received was unexpected or badly formatted.

Checked on different machines, from different places. The problem is definitely not in the communication channel.
But there are a couple of things I don't understand:
1) When validating the server certificate, the root certificate is not found. In ValidateServerCertificate, chain.ChainStatus contains:
PartialChain: Unable to build a certificate chain to a trusted root authority.
RevocationStatusUnknown: The revocation function was unable to perform a revocation check on the certificate.
OfflineRevocation: Unable to test the revocation function because the certificate revocation server is not available.

2) After the connection is established, SslStream.LocalCertificate == null, although the stream is created with the userCertificateSelectionCallback passed:

    // innerStream, leaveInnerStreamOpen, server-certificate validation callback, client-certificate selection callback
    SslStream sslStream = new SslStream(
        client.GetStream(),
        false,
        ValidateServerCertificate,
        ClientCertificateSelectionCallback);

and in the ClientCertificateSelectionCallback method the local certificate is found and put where it should be.
Guys, help. I have been struggling for several days and it is not clear where to dig. I have not dealt with SSL before, so I could have made a mistake somewhere elementary.
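The two symptoms in the question (chain statuses hidden behind a generic callback result, and a null LocalCertificate after the handshake) are easier to diagnose when the callbacks make their decisions visible. The following is an added example written for this page, not code from the original post or from the procurement platform: a client-side SslStream setup whose validation callback prints every X509ChainStatus and tolerates only the two offline-revocation flags mentioned in the question, whose selection callback loads the client certificate from CurrentUser\My and fails loudly if it has no private key, and which checks IsMutuallyAuthenticated after AuthenticateAsClient. The host, port and client-certificate thumbprint are placeholders, and the code targets the .NET Framework of the period (X509Store is closed explicitly rather than disposed).

```csharp
// Added example, not from the original post. Host, Port and ClientCertThumbprint are placeholders.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class SslClientExample
{
    // Placeholders, not values from the question.
    const string Host = "tenders.example.invalid";
    const int Port = 443;
    const string ClientCertThumbprint = "0000000000000000000000000000000000000000";

    // Chain statuses that only mean "the CRL/OCSP responder could not be reached".
    // Tolerating them is a deliberate, visible choice; every other status stays fatal.
    static readonly X509ChainStatusFlags RevocationOfflineFlags =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Print each status so the real cause (PartialChain, NotTimeValid, ...) is not
        // hidden behind the generic RemoteCertificateChainErrors flag.
        Console.WriteLine("Server certificate: {0}; policy errors: {1}", certificate.Subject, sslPolicyErrors);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  {0}: {1}", status.Status, status.StatusInformation.Trim());

        // A name mismatch is never acceptable, whatever the chain says.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        // Accept only if every reported problem is one of the offline-revocation flags.
        // PartialChain (missing root) is therefore rejected: install the CA certificate instead.
        foreach (X509ChainStatus status in chain.ChainStatus)
            if ((status.Status & ~RevocationOfflineFlags) != 0)
                return false;
        return true;
    }

    static X509Certificate ClientCertificateSelectionCallback(object sender, string targetHost,
        X509CertificateCollection localCertificates, X509Certificate remoteCertificate,
        string[] acceptableIssuers)
    {
        // Log that the callback ran and what the server advertised, so a callback that is
        // never entered (or a certificate the server does not accept) is distinguishable.
        Console.WriteLine("Selection callback for {0}; acceptable issuers: {1}",
            targetHost, acceptableIssuers == null ? 0 : acceptableIssuers.Length);

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, ClientCertThumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("client certificate not found in CurrentUser\\My");
            X509Certificate2 cert = found[0];
            // A certificate whose private key is not accessible cannot be used for client
            // authentication; failing here is better than a silently one-sided handshake.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("client certificate has no accessible private key");
            return cert;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        using (var client = new TcpClient(Host, Port))
        using (var sslStream = new SslStream(client.GetStream(), false,
            ValidateServerCertificate, ClientCertificateSelectionCallback))
        {
            sslStream.AuthenticateAsClient(Host, new X509CertificateCollection(),
                SslProtocols.Tls, true /* checkCertificateRevocation */);

            Console.WriteLine("Protocol: {0}, cipher: {1}", sslStream.SslProtocol, sslStream.CipherAlgorithm);
            // Make the mutual-authentication outcome explicit instead of discovering it later
            // as a null LocalCertificate or an application-level error from the server.
            if (!sslStream.IsMutuallyAuthenticated || sslStream.LocalCertificate == null)
                throw new AuthenticationException("client certificate was not used in the handshake");
        }
    }
}
```

Running this against the real endpoint shows, in order, which chain statuses the server certificate produces, whether the selection callback is entered at all, and whether the server accepted the client certificate; each of those answers narrows down where to dig.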


1 answer
gmlexx (@gmlexx), 2014-11-01

1) Most likely the server certificate contains all sorts of broken links that simply do not allow the CA (root) certificate or the CRL to be downloaded normally. I can't look at the server certificate because I don't have CryptoPro at hand.
The solution here may be to find them somewhere and install them locally (it will work until they expire). A CA certificate typically has a validity period of several years, a CRL of several days or hours.
Either do not check at all, or override ValidateServerCertificate so that it always returns true, and check the certificate fingerprint yourself.
2) Why is everything so complicated? It seems that the API requires a regular HTTP POST. There are more convenient abstractions, such as HttpWebRequest.
3) Well, as a last resort, there are people who already have extensive experience interacting with government agencies: https://zakupki.kontur.ru
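The answer suggests two things: checking the server certificate's fingerprint yourself instead of relying on a chain whose CA and CRL links are unreachable, and doing the POST with HttpWebRequest. The following is an added example written for this page, not code from the answer, the asker, or the procurement platform, that does both: the validation callback accepts exactly one pinned server certificate (by SHA-1 thumbprint, as GetCertHashString returns it) and rejects everything else, which is what separates pinning from a callback that always returns true. The URL, both thumbprints and the XML body are placeholders; the per-request ServerCertificateValidationCallback property assumes .NET Framework 4.5 or later (on older frameworks the process-wide ServicePointManager.ServerCertificateValidationCallback is the alternative).

```csharp
// Added example, not from the thread. Url, ClientCertThumbprint and PinnedServerThumbprint are placeholders.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class PinnedPostExample
{
    // Placeholders, not values from the thread.
    const string Url = "https://tenders.example.invalid/api/upload";
    const string ClientCertThumbprint = "0000000000000000000000000000000000000000";
    // SHA-1 thumbprint of the server's leaf certificate, hex without spaces, as shown in the
    // certificate viewer. Pinning the leaf means this constant must change when the server
    // rotates its certificate; that is the price of not depending on the CA/CRL links.
    const string PinnedServerThumbprint = "1111111111111111111111111111111111111111";

    static X509Certificate2 LoadClientCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, ClientCertThumbprint, false);
            if (found.Count == 0 || !found[0].HasPrivateKey)
                throw new InvalidOperationException("client certificate with private key not found in CurrentUser\\My");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Pinning: the chain result is deliberately ignored (its CA and CRL distribution points
    // may be unreachable), but only one known certificate is accepted. Anything else,
    // including a perfectly valid certificate from another issuer, is rejected.
    static bool PinnedServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;
        string actual = certificate.GetCertHashString(); // hex SHA-1, no spaces
        bool ok = string.Equals(actual, PinnedServerThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!ok)
            Console.WriteLine("Rejected server certificate {0} (thumbprint {1}, policy errors {2})",
                certificate.Subject, actual, sslPolicyErrors);
        return ok;
    }

    static string PostXml(string xml)
    {
        var request = (HttpWebRequest)WebRequest.Create(Url);
        request.Method = "POST";
        request.ContentType = "application/xml; charset=utf-8";
        request.ClientCertificates.Add(LoadClientCertificate());
        // Per-request callback (.NET Framework 4.5+), so the pin applies to this endpoint only
        // rather than to every HTTPS request in the process.
        request.ServerCertificateValidationCallback = PinnedServerCertificate;

        byte[] body = Encoding.UTF8.GetBytes(xml);
        request.ContentLength = body.Length;
        using (Stream requestStream = request.GetRequestStream())
            requestStream.Write(body, 0, body.Length);

        // Read the response body to its end; HttpWebResponse handles Content-Length and
        // chunked framing, so the caller does not have to assemble the XML from partial reads.
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream(), Encoding.UTF8))
            return reader.ReadToEnd();
    }

    static void Main()
    {
        // Constructed body: a Base64 attachment standing in for a purchase description file.
        string attachment = Convert.ToBase64String(new byte[16 * 1024]);
        string xml = "<purchase><file name=\"description.pdf\">" + attachment + "</file></purchase>";
        Console.WriteLine(PostXml(xml));
    }
}
```

If the platform's certificate is issued by a CA whose root can be obtained and installed, as point 1 of the answer proposes, the pinning callback can be dropped and the default chain validation used instead; the pin is the fallback for the case where the CA and CRL links stay unreachable.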
