Consider yourself lucky that you even got the ChatSvr running. Could you tell us if you are using OpenSSL or Windows' Certificate Services?
I don't use either of the two you mentioned, and I can't run the ChatSvr on the other computer. I want to know who else has encountered this problem, or who has run this demo successfully.
I have gotten the ChatSvr to run (finally) by using Certificate Services on a Win2k Advanced Server box, utilizing this article from Microsoft:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q290625
I also changed the "channel" (actually the port number) from 443 (which something else is already using) to an arbitrary number (I'm using 7777). Also, I had to edit the dialogs and make the edit box (for "channel") larger.
Now I am trying to get the client (chatter.exe) to connect to the chat server... no luck yet.
-J
I have got the server side running,
but the client side won't.
Debugging it, I found that in the method ClientHandshakeLoop
m_SecurityFunc.InitializeSecurityContext returns an error.
Who can help me?
I am looking forward to seeing if this code actually works. But I have been spending the whole day trying to compile it. I downloaded the Platform SDK from MS; Nov 2001 is the latest they have there. Fixed about 40 errors, but I can't get a Crypt32.lib that has the functions CertOpenSystemStore and CertOpenStore. I have 3 versions of crypt32.lib and all are missing those 2 or more functions.
The only thing I can do, since I can't find any more versions of crypt32.lib, is to do a GetProcAddress from the DLL for those missing functions.
The Platform SDK is a mess compared to VC++. You suck MS. If your .Net stuff wasn't linked to the MFC 7 DLL I would use that....
Hi Stefan,
you are quite close:
1. add 4 files to project
2. modify your stdafx.h to look like:
#define VC_EXTRALEAN
#include <afxwin.h>
#include <afxext.h>
#include <Winsock2.h>
#include <afxsock.h>
#include <afxmt.h>
#include <wincrypt.h>
#include <wintrust.h>
#include <schannel.h>
#define SECURITY_WIN32
#include <security.h>
#include <sspi.h>
3. DO NOT REPLACE afxsock.h with sslsocket.h, but include sslsocket.h where you need it.
4. swap CSocket with CSslSocket
5. add/change parameters for Listen() and Create() as you need (e.g. if you do not require client certificate, then there are no changes in parameters)
6. add these two references to libraries to your linker options: Crypt32.lib Ws2_32.lib.
I hope this will help.
Kind regards,
Martin
Hi,
I am also getting the same number of errors relating to wintrust.h, schannel.h etc.
Which version of the Platform SDK will do the trick?
Thanks,
Manish
Hi,
The latest version would be the best. You can download it for free from MS.
Regards,
Martin
A couple of things:
1. Did you specify the same port number for client and server? (Sorry for the silly question.)
2. The Create() method at the server side does need to specify szCertName.
3. When you start certmgr.exe, the column 'Issued To' is what you have to pass as 'szCertName' to Create().
4. bMachineStore equal to TRUE means the machine store.
5. Make sure you installed your certificate authority certificate into the root store, and the certificate for the server into the personal store.
6. When your client has no certificate (no client authentication), then there are no changes at the client side (well, make sure the port number is the same as the server has).
Try to play with the samples attached to the article first; client authentication is required at the server side there, however you will see how it works.
Also make sure that the certificate for the server is issued correctly (flags etc.), and that 'Issued To' is the whole domain name of the computer (like computer_name.domain_name.com), if you are using domains.
Regards,
Martin
Could anyone elaborate on the details of how to get the chatter program working with OpenSSL?
I got openssl 0.9.6c compiled on my WinNT box. What do I do to make the chatter program work?
Thanks very much in advance.
You need to generate a certificate request, sign it (with openssl) and install it. It is possible to use the Certificate Enrollment Control, however you have to write code which will do the thing for you. It is easier to use Certificate Services, because there is a www interface for requesting a certificate installed along with it (unfortunately it requires NT/2000 Server). Have a look at the ICEnroll interface when you have no server.
Martin
Thanks Martin.
I am using NT Server 4.0 with SP6. I can't find Certificate Services in Control Panel/Add Windows Components. It's not listed as a Windows component. Where do I get it?
Thanks very much for your help.
I got Cert Server from the NT Option Pack.
Thanks.
Martin,
After installing Windows cert. server on my NT server box, I haven't figured out how to get the demo program working. Basically I don't know how to use cert. server to generate a certificate.
Could you please elaborate on the details of how to do this, as the cert. server is not quite user friendly?
Thanks a lot in advance.
There is a web based interface to request a certificate, usually installed as http://localhost/CertSrv. There is a form based web page where you can specify all the options for certificates. You need two of them: a server certificate (for the server side of the demo) and a client certificate. The name of the server certificate must be the computer name where you are running the server side of the demo; it should include the domain name. Whether it is a client or server certificate you specify in the 'usage' of the certificate: client or server authentication. The name of the client certificate can be any name (not necessarily your user name); this is the name you will type in the client side of the demo. Usually all the default settings of the form to request a certificate are sufficient; just remember to fill in the names and usage, and it should work. After you generate the requests, you sign them with the certificate server (process certificate request). Then you have to install the signed certificates from the certificate server; there is a web interface for that as well. Read the documentation, I hope you know what certificates are for.
Martin,
Thanks very much for your help. I used the web UI to generate the client and server cert as you explained in the previous email. But the certificate was installed automatically after I clicked on the submit button, so I didn't do the additional steps to process and sign the cert.
Then I ran ChatSrv and entered the cert name as mycomputername.domain (following your instruction), but the program got an application error and errored out.
What did I miss? I have NT Server with SP6a.
Thanks again in advance.
Martin,
I also noticed that when I use the Certificate Enrollment Form and click on advanced settings to change from client cert to server cert, and then click OK to save the advanced settings, if I go back to advanced settings it's still client cert, which means that the advanced settings didn't get saved. What did I do wrong there?
I would very much like to make the chatter work and I am stuck here. I appreciate your help very much.
Thanks in advance.
Bing
I am sorry about my description of how to generate and sign certificates; I have not seen Certificate Services for NT for about 2 years, so I did not remember how it works.
You have to see the certificates listed in the stores with the certmgr.exe program; try it and check if all required properties are set up correctly.
What kind of error are you getting from demos?
Martin,
I used certmgr.exe to bring up Certificate Manager. The server cert and client cert that I generated via the cert server are there. But the friendly names are all <none>.
I ran chatsrv.exe, entered computername.domain as the cert and left the channel unchanged, and got the following error:
"Socket notification sink: Chatsvvr.exe - application error... memory could not be read..."
So what cert name should I enter? The full name (with domain) or the friendly name?
Thanks very much in advance.
Bing
Use the certificate names as listed in the column 'Issued To' in certmgr.exe for the demo programs.
Where have you seen that error message?
Run the demos under the debugger and you will see the error dumped in the debug output window, if it is related to CSslSocket (dumped by SetLastError()).
And also open each certificate and check that the 'server authentication' and 'client authentication' properties are specified.
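The certificate checks Martin lists above (name matching the certmgr.exe 'Issued To' column, the 'server authentication' usage, the cert in the machine's personal store and its CA in the trusted root store) can be run from a script before starting the server demo. This is an added example, not code from the article or from anyone in this thread; the certificate name and the use of the LocalMachine\My store are assumptions, and the private-key check is added because Schannel cannot present a certificate it has no private key for.

```powershell
# Added example (not code from the article or this thread): check that the
# server certificate CSslSocket will be pointed at meets the conditions
# listed above. $CertName is what you would pass as szCertName, i.e. the
# certmgr.exe 'Issued To' value; the default is an assumed placeholder.
param([string]$CertName = "mycomputer.example.com")

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # EKU OID for Server Authentication
$ekuExtOid     = "2.5.29.37"           # Enhanced Key Usage extension

# bMachineStore = TRUE selects the machine's Personal store (LocalMachine\My).
$pattern = "CN=" + [regex]::Escape($CertName) + '(,|$)'
$found = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern }

if (-not $found) {
    Write-Host "No certificate issued to '$CertName' in LocalMachine\My."
    Write-Host "The name must match the 'Issued To' column in certmgr.exe exactly."
    exit 1
}

$fqdn = [System.Net.Dns]::GetHostEntry([Environment]::MachineName).HostName

foreach ($cert in $found) {
    Write-Host "Found $($cert.Subject) (thumbprint $($cert.Thumbprint))"

    # The certificate must carry the 'Server Authentication' usage.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    $serverAuth = $false
    if ($eku) { $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) }
    Write-Host "  Server Authentication usage: $serverAuth"

    # Schannel needs the private key to use the certificate as a credential.
    Write-Host "  Private key available:       $($cert.HasPrivateKey)"

    # The issuing CA must be in the Trusted Root store for the chain to build.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    Write-Host "  Chains to a trusted root:    $chainOk $status"

    # When domains are used, the name should be this computer's full DNS name.
    Write-Host "  Matches this host's FQDN:    $($CertName -ieq $fqdn) (host is $fqdn)"
}
```

Run it on the machine that will host the server side; any line reporting False points at the property to fix in the certificate request.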
I used the certmanager UI to view the server certificate and it has the server authentication setting in the advanced tab.
I debugged chatsrvr.exe in VC6 and it errors out at CSslSocket::Create(...) in the following line:
rc = CSocket::Create(nSocketPort, SOCK_STREAM, lpszSocketAddress);
Actually it crashed with "unhandled exception in chatsrvr.exe 0xC0000005: access violation" at:
{ return CAsyncSocket::Create(nSocketPort, nSocketType, FD_READ | FD_WRITE | FD_OOB | FD_ACCEPT | FD_CONNECT | FD_CLOSE, lpszSocketAddress); }
which is in the afxsock.inl file in MFC.
So what could be wrong there?
Thanks very much in advance.
Martin,
As I continued debugging, I found out that it errors out at mfc\src\sockcore.cpp inside this function:
BOOL CAsyncSocket::Create(UINT nSocketPort, int nSocketType,
    long lEvent, LPCTSTR lpszSocketAddress)
{
    if (Socket(nSocketType, lEvent))
    {
        if (Bind(nSocketPort, lpszSocketAddress)) // ERRORED HERE
            return TRUE;
        int nResult = GetLastError();
        Close();
        WSASetLastError(nResult);
    }
    return FALSE;
}
nResult is 0x00010048 (hex) and 65608 (decimal). I can't find this error code in the error lookup tool, and I searched MSDN and couldn't find this error code either.
Do you know what's wrong with this? What's the channel number to use in the dialog box? I am using the default, 44.
I am stuck here. Thanks very much for your help in advance.
Martin,
I noticed your code in srvrdoc.cpp:
BOOL CServerDoc::OnNewDocument()
{
    if (!CDocument::OnNewDocument())
        return FALSE;
    CDiscussionDlg Dialog;
    if (Dialog.DoModal() == IDOK)
    {
        m_pSocket = new CListeningSocket(this);
        if (m_pSocket->Create(Dialog.m_nPort, NULL, LPCTSTR(Dialog.m_CsCertName)))
        {
            if (m_pSocket->Listen(5, TRUE))
                return TRUE;
        }
    }
    return FALSE;
}
When you call m_pSocket->Create, why do you pass NULL as the socket address? I think it should be the DNS name (or IP) of the computer. So I modified the line to the following:
if (m_pSocket->Create(Dialog.m_nPort, LPCTSTR(Dialog.m_CsCertName), LPCTSTR(Dialog.m_CsCertName)))
As you know, the cert name is the computer name plus the domain. After changing it, I got nResult = 10022 in the following code inside sockcore.cpp:
BOOL CAsyncSocket::Create(UINT nSocketPort, int nSocketType,
    long lEvent, LPCTSTR lpszSocketAddress)
{
    if (Socket(nSocketType, lEvent))
    {
        if (Bind(nSocketPort, lpszSocketAddress))
            return TRUE;
        int nResult = GetLastError();
        Close();
        WSASetLastError(nResult);
    }
    return FALSE;
}
Any inputs on this? Thanks very much in advance.
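The two Bind() failures in this thread are generic socket errors rather than anything in CSslSocket: 10022 is WSAEINVAL, which MFC's CAsyncSocket::Bind returns when lpszSocketAddress is not a dotted IP string (a host name such as computername.domain is not resolved there), and "the socket is already bound to an address" is WSAEADDRINUSE, 10048, which is what a listener already holding the port (IIS on 443, as found later in the thread) produces. The following is an added example, not code from the article; it reproduces both conditions with POSIX sockets, where the same cases surface as EINVAL and EADDRINUSE, and the host name used is a constructed placeholder.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to addr_text:port. Returns 0 on success, else an errno value.
   Mirrors MFC's CAsyncSocket::Bind contract: the address must be a dotted IP string. */
static int bind_address(int fd, unsigned short port, const char *addr_text) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = inet_addr(addr_text);
    if (sa.sin_addr.s_addr == INADDR_NONE)
        return EINVAL;      /* a host name is not an address: Winsock's WSAEINVAL (10022) */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0)
        return errno;       /* port held by another listener: WSAEADDRINUSE (10048) */
    return 0;
}

/* Reproduce the thread's two failures on one port chosen by the kernel.
   Returns bit 0 set if the second bind failed with EADDRINUSE and
   bit 1 set if the host-name "address" was rejected with EINVAL; -1 on setup error. */
int demo_bind_failures(void) {
    int result = 0;
    int first = socket(AF_INET, SOCK_STREAM, 0);   /* plays the role of IIS on 443 */
    int second = socket(AF_INET, SOCK_STREAM, 0);  /* plays the role of ChatSvr */
    struct sockaddr_in bound;
    socklen_t len = sizeof bound;
    if (first < 0 || second < 0) return -1;
    if (bind_address(first, 0, "127.0.0.1") != 0) return -1;           /* port 0: kernel picks */
    if (getsockname(first, (struct sockaddr *)&bound, &len) != 0) return -1;
    if (listen(first, 5) != 0) return -1;
    unsigned short port = ntohs(bound.sin_port);
    if (bind_address(second, port, "127.0.0.1") == EADDRINUSE) result |= 1;
    /* constructed placeholder name, standing in for computername.domain */
    if (bind_address(second, port, "mycomputer.example.com") == EINVAL) result |= 2;
    close(first);
    close(second);
    return result;
}

int main(void) {
    printf("demo_bind_failures() = %d (3 means both errors reproduced)\n", demo_bind_failures());
    return 0;
}
```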
Hi Bing,
I am very sorry for this late answer; my home machine temporarily died and I was offline for a couple of days.
Since I tested my CSslSocket only on Win2k and I have no access to a WinNT box at the moment, I can only suggest playing with the flags set in the SCHANNEL_CRED structure passed to AcquireCredentialsHandle(). Some of the ones I have specified are valid only on Win2k. Then the demos should work fine. Let me know the correct combination of flags; I will modify CSslSocket to work on NT and I will post it here.
Good luck,
Martin
-----Original Message-----
From: Bing Wang [mailto:biwang@hotmail.com]
Sent: 24 January 2002 23:27
To: martin.ziacek@pobox.sk
Subject: SSLSocket Problem
Hi Martin,
Thanks very much for all your help. I am still stuck there with making the demo work.
After spending hours and hours with your code for debugging, finally I got to this point and your help is indeed needed.
I have to stop IIS on the box as IIS holds port 443 in listening mode (I found out using the netstat command). I had a problem with bind (The socket is already bound to an address) if I don't stop IIS, since IIS is holding port 443 for listening for SSL connections.
I have to uninstall and reinstall cert server a couple of times as I want to put the computername.domain cert into the root CA store. And then I debugged chatsrvr.exe and I got a problem at CSslSocket::ServerCreateCredentials in these lines:
Status = m_SecurityFunc.AcquireCredentialsHandle(
    NULL,
    UNISP_NAME,
    SECPKG_CRED_INBOUND,
    NULL,
    &m_SchannelCred,
    NULL,
    NULL,
    phCreds,
    &tsExpiry);
if (Status != SEC_E_OK) {
    SetLastError(Status);
    Status = Status;
    break;
}
Status = 0x8009030d. I found out it means SEC_E_UNKNOWN_CREDENTIALS. Why is it unknown credentials?
I have verified using certmgr and the cert is in the Trusted Root CA tab, so it should work, right?
I appreciate your quick response very much as I have some deadline to meet. Sorry to send you a couple of emails, as I have learnt more while debugging and want to inform you.
Best regards,
Bing Wang
I set m_SchannelCred.dwFlags = 0;
and I got error code SEC_E_INTERNAL_ERROR (Local Security Authority cannot be contacted) at Status = m_SecurityFunc.AcquireCredentialsHandle(..).
So what does this error mean?
Could the problem be with my NT cert. server, which is coming from the original NT Option Pack?
How can I test against some other certificates, such as a Verisign cert.?
Thanks very much.
Bing