I am trying to access a secure HTTPS server using a client certificate from a Windows 8 Phone app I am developing. This does not work at all, which has made me try to access the HTTPS server from the standard web browser, where it does not work either. I do not know if Internet Explorer can handle client certificates or not. If it does not handle them I would be very interested in some sample code for C# .NET that works on Windows 8 Phone and that is able to provide a client certificate to the web service over HTTPS. The certificate used must be stored in the Windows 8 Phone certificate store.
It just does not work for me, neither from the app I built nor from Internet Explorer. I have set up Client Authentication in Apache like the following:
Code:
<VirtualHost _default_:443>
    DocumentRoot /var/www/htdocs
    ServerName norrweb
    ServerAdmin you@your.address
    ErrorLog logs/error_log
    TransferLog logs/access_log
    SSLEngine on
    SSLCertificateFile /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    #SSLCACertificatePath /var/www/conf/ssl.crt
    SSLCACertificateFile /var/www/conf/ssl.crt/ca-bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
This works great; in OSX I can choose my client certificate issued by the CA specified in SSLCACertificateFile, which contains a self-signed Root CA and an intermediate CA that has in turn signed the client certificate I am using on my Mac.
I have installed the Root CA, the Intermediate CA and the client CA on a Windows 8 Phone (Nokia Lumia 900). The phone told me for each certificate that it was successfully installed. To me it seems as if the phone never sends any certificate to the server. Is there a need to specify which certificate is to be used for which server?
The following can be read in error_log for Apache:
Code:
# tail -f /var/www/logs/error_log
[Tue Mar 12 23:46:30 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:46:30 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[Tue Mar 12 23:48:45 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:48:45 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[Tue Mar 12 23:48:45 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:48:45 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[Tue Mar 12 23:52:23 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:52:23 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[Tue Mar 12 23:52:23 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:52:23 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
The following can be seen in Wireshark:
Code:
No. Time Source Destination Protocol Length Info
1 0.000000000 10.0.83.232 10.0.83.132 TCP 66 49160 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1

Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49160 (49160), Dst Port: https (443), Seq: 0, Len: 0

No. Time Source Destination Protocol Length Info
2 0.000177000 10.0.83.132 10.0.83.232 TCP 66 https > 49160 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=8

Frame 2: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49160 (49160), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Length Info
3 0.004240000 10.0.83.232 10.0.83.132 TCP 60 49160 > https [ACK] Seq=1 Ack=1 Win=262144 Len=0

Frame 3: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49160 (49160), Dst Port: https (443), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol Length Info
4 0.006430000 10.0.83.232 10.0.83.132 TLSv1 162 Client Hello

Frame 4: 162 bytes on wire (1296 bits), 162 bytes captured (1296 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49160 (49160), Dst Port: https (443), Seq: 1, Ack: 1, Len: 108
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 103
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 99
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 0
            Cipher Suites Length: 24
            Cipher Suites (12 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 34
            Extension: renegotiation_info
            Extension: status_request
            Extension: elliptic_curves
            Extension: ec_point_formats
            Extension: SessionTicket TLS

No. Time Source Destination Protocol Length Info
5 0.006753000 10.0.83.132 10.0.83.232 TLSv1 1086 Server Hello, Certificate, Certificate Request, Server Hello Done

Frame 5: 1086 bytes on wire (8688 bits), 1086 bytes captured (8688 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49160 (49160), Seq: 1, Ack: 109, Len: 1032
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 53
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 49
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 0
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Compression Method: null (0)
            Extensions Length: 9
            Extension: renegotiation_info
            Extension: SessionTicket TLS
    TLSv1 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 810
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 806
            Certificates Length: 803
            Certificates (803 bytes)
    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 154
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 146
            Certificate types count: 3
            Certificate types (3 types)
            Distinguished Names Length: 140
            Distinguished Names (140 bytes)
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0
Since there is a limit on post size here, please see my full question at Stack Overflow:
http://stackoverflow.com/questions/1...authentication

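Added example, not part of the original post: a Python decoder for the Certificate Request handshake message seen in frame 5, which lists the certificate types and the CA distinguished names the server tells the client it will accept. The sample message and its two CA names are constructed; the layout it parses (1-byte type count, the types, a 2-byte name-list length, then the names) is the one that gives the capture's 1 + 3 + 2 + 140 = 146 bytes.

```python
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def der_tlv(buf, pos):
    """Return (value, next_pos) of the DER element at pos; the tag byte is skipped."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def dn_str(der):
    """Render a DER Name: SEQUENCE of SET of SEQUENCE {OID, value}."""
    rdns, _ = der_tlv(der, 0)
    parts, pos = [], 0
    while pos < len(rdns):
        rdn, pos = der_tlv(rdns, pos)
        atv, _ = der_tlv(rdn, 0)           # first attribute of each RDN only
        oid, p = der_tlv(atv, 0)
        val, _ = der_tlv(atv, p)
        parts.append(f"{ATTRS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def parse_certificate_request(msg):
    """Return (certificate type names, acceptable CA names) from a handshake message."""
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if msg[0] != 13 or len(body) != body_len:
        raise ValueError("not a complete CertificateRequest")
    n = body[0]
    types = [CERT_TYPES.get(t, str(t)) for t in body[1:1 + n]]
    pos, cas = 1 + n + 2, []               # skip the 2-byte total length of the CA list
    while pos < len(body):
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        cas.append(dn_str(body[pos + 2:pos + 2 + dn_len]))
        pos += 2 + dn_len
    return types, cas

def sample_message():
    """Constructed CertificateRequest naming two made-up CAs (not the page's capture)."""
    tlv = lambda tag, val: bytes([tag, len(val)]) + val   # short-form lengths only
    dns = b""
    for cn in ("Example Root CA", "Example Intermediate CA"):
        name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
        dns += len(name).to_bytes(2, "big") + name
    body = bytes([3, 1, 2, 64]) + len(dns).to_bytes(2, "big") + dns
    return bytes([13]) + len(body).to_bytes(3, "big") + body
```

Run against the handshake bytes exported from a capture, the returned names can be compared with the issuer of the client certificate installed on the device.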

