I am attempting to create a C# application that connects to a PostgreSQL database using SSL with client certificate and key files similar in functionality to the PGAdmin UI, but the documentation for this in NPGSQL is lacking and I cannot find any examples. The documentation states that it "works just like on .NET's SSLStream", but I am not seeing any correlation between the two. Has anyone created a connection using this method that can possibly provide some help?
I am facing the same situation. Documentation certainly needs to describe usage explicitly on how to supply cert, key and CA files if needed to the connection string or connection builder, and how the ProvideClientCertificatesCallback can actually supply back cert, key and CA files.
Nov 2018: I got below sample code to work for self-signed certs:
var connection = new NpgsqlConnection(connectionStringBuilder.ConnectionString);
connection.ProvideClientCertificatesCallback += clientCerts => this.GetMyClientCertificates(clientCerts);
private void GetMyClientCertificates(X509CertificateCollection clientCerts)
{
clientCerts.Add(<supply an instance of X509Certificate2 here>);
}
You need to have SSL=true in your connection stream, and then provide a ProvideClientCertificatesCallback on your NpgsqlConnection before opening it (like SSLStream).
Related
I have an OPC UA server based on open62541 that connects correctly with the client UAExpert of UnifiedAutomotion. I try to add a server certificate but the UAExpert cannot find it, even if I add it to the trust list from UAExpert>Certificate manager.
Is loaded correctly?
UA_Server *server = UA_Server_new();
UA_ServerConfig *config = UA_Server_getConfig(server);
config->serverCertificate = loadCertificate(); // Returns UA_ByteString of the file certificate.der
if(config->serverCertificate.length > 0)
UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_SERVER, "Certificate loaded");
UA_ServerConfig_setDefault(config);
I don't know if the method UA_ServerConfig_setDefault is enough for loading certificate, because the examples I have seen uses UA_ServerConfig_setDefaultWithSecurityPolicies for setting the server configuration. I tried to test the example of server_encrypted.c but when I compile it throws exceptions of libraries and glibc versions.
Thanks in advance.
Welcome to stackoverflow.
I have no experience with open6254, but the client connects using an endpoint from the list of endpoints previously read from the server. The chosen endpoint should contain a certificate and when calling createession the server resends the certificate, if both certificates are not equal, the client must cancel the process, as required by the OPC UA specifications.
Maybe one of the two certificates is not being sent by the server or they are not equals.
I think you better ask here https://groups.google.com/forum/#!forum/open62541
Is it possible to read the server TLS certificate in the BrowserComponennt (specifically the public key)?
No. You can probably use native interfaces to do that...
But I'm assuming that what you're trying to do is verify the server to protect against some attacks specifically through certificate pinning. Is that correct?
If so check out the certificate pinning section in the developer guide here; https://www.codenameone.com/manual/security.html
I am trying to run my IoT-client on Threadx-Os Client which doesn't have file- system/certificate trusted store kind of things like in linux. When i look into Wireshark the client closing connection with Fatal,Bad certificate error. I tried all possible options which are suggested in different forums to solve this issue. Which haven't solved my problem. The solution i tried mentioned below.
By using below API to added only above Baltimore root certificate available in cert.c.
IoTHubDeviceClient_LL_SetOption(device_ll_handle, OPTION_TRUSTED_CERT,
certificates);
it's not working for me because we don't have trusted store like linux.
ifdef SET_TRUSTED_CERT_IN_SAMPLES
// Setting the Trusted Certificate. This is only necessary on system with without
// built in certificate stores.
IoTHubDeviceClient_LL_SetOption(device_ll_handle, OPTION_TRUSTED_CERT, certificates);
endif // SET_TRUSTED_CERT_IN_SAMPLES
I need answers for two important questions.
1) Do i need to Add entire certificate string in cert.c (or) only first Baltimore root as CA root to my client.
2) Without trusted store, how client can tell to azure-cloud i have trusted root.
Any help would be appreciated.
This may be a stupid question but I just can't find the answer.
What I would like to do:
I have a WCF service hosted by IIS. It is working perfectly, I can access the wsdl, I have a self-signed certificate for the server etc. I would like to call this service from a WPF client.
The problem is, since I have a self-signed certificate, I get the following exception when calling the service:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'.
If I access the site (or the service) from a browser, it is no problem, because the browser warns me about the certificate, and gives me the choice of viewing the page anyway. But the WPF client just throws an exception.
I don't want to completely turn off the authentication process, I simply would like to give the users the option of ignoring this warning (as browsers do).
Can anyone provide some code for this? If you ran into a good, detailed tutorial about this, it would be awesome too. (See, my problem with the tutorials I've found is the lack of details)
Here's the minimum amount of code you need to make WCF client accept an arbitrary certificate. This is not secure. Use for testing only. Don't blame me if this code goes berserk and eats your little kitten.
ServicePointManager.ServerCertificateValidationCallback +=
new System.Net.Security.RemoteCertificateValidationCallback(EasyCertCheck);
The call back:
bool EasyCertCheck(object sender, X509Certificate cert,
X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
return true;
}
Code shamelessly lifted from the least helpful answer to Is it possible to force the WCF test client to accept a self-signed certificate?
You can register the certificate yourself. If load the certificate in the client as well, and then register the it as trusted you shouldn't get that warning.
You need to find a X509CertificateCollection and add the certificate to that collection. I had this kind of problem with a SmtpClient running over Ssl.
By hooking the System.Net.ServicePointManager.ServerCertificateValidationCallback or implementing System.Net.ICertificatePolicy and identify my own installed certificate as valid/trusted (attached to the System.Net.ServicePointManager.CertificatePolicy).
This is not WCF stuff per se, but from what I could tell, this should translate to WCF as well. It all depends what WCF is uses under the hood.
I'm using common database code between a web and WinForms app. I've researched and worked out how to encrypt the connection strings section of a web.config and app.config file. That part is ok. I have also worked out how to decrypt the connection strings in my Azure web app, that's ok. I can also read the connection strings in my WinForms app after loading the .pfx file into the machine's certificate store, but after I reboot it fails, because it can't find a private key in the pfx file.
I am using a certificate created with these commands:
makecert -r -pe -n "CN=myconfig" -sky exchange "myconfig.cer" -sv "myconfig.pvk"
pvk2pfx -pvk "myconfig.pvk" -spc "myconfig.cer" -pfx "myconfig.pfx" -pi
This gives me 3 files: myconfig.pvk, myconfig.cer, myconfig.pfx
I assume the problem is the private key isn't stored in the pfx file, and needs to be re-authenticated each time after a reboot- but I don't know enough about encryption to know how to do that. Further, the WinForms app is for very limited distribution onto controlled machines, so I'd like to install each certificate manually.
I'm an newbie to encryption and am stuck. Can I load a .pfx file onto a machine, enter the private key (which I know but won't tell the user) & have that stored persistently? Am I missing something- is there a different certificate file I should install, or way of generating it? I don't want to leave the private key accessible. If someone steals the app.config, I don't want them to be able to decrypt it.
Note: I have read about the RsaProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider. I have chosen to use PKCS12ProtectedConfigurationProvider because it works with Azure, ref: http://blogs.msdn.com/b/sqlazure/archive/2010/09/07/10058942.aspx
I stumbled on the answer when I deployed the app to my local IIS & got the error "Failed to decrypt using provider 'CustomProvider'. Error message from the provider: Keyset does not exist"
There was a permissions problem with the private key, resolved with the help of this article:
CryptographicException 'Keyset does not exist', but only through WCF
The article includes a number of possible causes, the one which fixed my issue was fixing the permissions in 'Manage Private Keys' from the MMC Certificates snap-in (see link, the steps are well laid out).