2 certificate key sizes not working anymore

July 19, 2018, 19:04 EEST
Xavier
Hi,

I switched from pre-3.0.0 SDK to the 3.1.4 SDK but noticed that the way I was able to handle all security modes is not working anymore.

I used the method loadOrCreateCertificate with 2 key sizes (new int[] { 2048, 4096 }) and I was able to connect using any security mode. Now it’s not working anymore.

You can reproduce the issue with the 3.1.4 SDK and the sampleConsoleServer if you change line 511 to enable the 2 keySizes:
final int[] keySizes = new int[] { 2048, 4096 };

I cannot connect with the sampleClientServer (using security mode none), I have this exception:
Different cert in CreateSessionResponse.serverCertificate and endpoints

But at the same time the documentation is still suggesting that this is the way to do it:
// If you wish to use big certificates (4096 bits), you will need to
// define two certificates for your application, since to interoperate
// with old applications, you will also need to use a small certificate
// (up to 2048 bits).

Thanks 🙂

July 20, 2018, 15:33 EEST
Heikki Tahvanainen
Hi Xavier,

Thank you for reporting this. This is a very good observation.

Actually it seems that there has not been a change on the server side. Rather, the client-side certificate validation is done more rigorously with SDK 3.0 or newer. In other words, the same issue happens also with previous server versions, but the situation is not checked by the previous client applications.

The actual issue seems to be that when there are multiple application instance certificates, only one of these will be used in the EndpointDescriptions returned by the GetEndpoints service. In this example situation, the 4096 bit certificate should be used with BASIC256SHA256 endpoints, but the GetEndpoints service always uses the 2048 bit version of the application instance certificate. Fixing the issue most probably requires changes to the endpoint handling in the server-side SDK.

You cannot easily disable this check from the client SDK, so until further notice there is no easy workaround. Clients made with an SDK older than 3.0 will continue to work normally though.

P.S. As a small note, the SampleConsoleServer example as well as the server tutorial suggest using 0 to mark the default keysize:

keySizes = new int[] { 0, 4096 };
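The mismatch Heikki describes, modelled as an added example that is not part of this thread or of the Prosys SDK: a server holding one application instance certificate per key size, a GetEndpoints that advertises the 2048-bit certificate for every endpoint, and the client-side comparison that produces the "Different cert in CreateSessionResponse.serverCertificate and endpoints" failure. It is written in Go so that it runs with only the standard library; the `Server` type, the pairing of the 4096-bit certificate with Basic256Sha256 endpoints and the `perEndpointCert` switch are assumptions made for illustration, and the self-signed certificates are constructed test data, not what loadOrCreateCertificate produces.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OPC UA security policy URIs as carried in EndpointDescription.securityPolicyUri.
const (
	PolicyNone           = "http://opcfoundation.org/UA/SecurityPolicy#None"
	PolicyBasic256Sha256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
)

// EndpointDescription keeps only the two fields the client check needs.
type EndpointDescription struct {
	SecurityPolicyURI string
	ServerCertificate []byte // DER-encoded application instance certificate
}

// Server is a toy model (assumption, not the SDK's class): one certificate per key size.
type Server struct {
	certs map[int][]byte // key size in bits -> DER certificate
}

// NewServer generates a self-signed certificate per key size; this is constructed
// test data standing in for what loadOrCreateCertificate would produce.
func NewServer(keySizes ...int) (*Server, error) {
	s := &Server{certs: make(map[int][]byte)}
	for _, bits := range keySizes {
		key, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(bits)),
			Subject:      pkix.Name{CommonName: fmt.Sprintf("SampleConsoleServer-%d", bits)},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			return nil, err
		}
		s.certs[bits] = der
	}
	return s, nil
}

// certFor is the certificate a session on the given policy really uses: the
// 4096-bit one for Basic256Sha256, the 2048-bit one for older policies (assumed pairing).
func (s *Server) certFor(policy string) []byte {
	if c, ok := s.certs[4096]; ok && policy == PolicyBasic256Sha256 {
		return c
	}
	return s.certs[2048]
}

// GetEndpoints models discovery. With perEndpointCert=false it reproduces the
// reported behaviour: every endpoint advertises the 2048-bit certificate.
func (s *Server) GetEndpoints(perEndpointCert bool) []EndpointDescription {
	var eps []EndpointDescription
	for _, p := range []string{PolicyNone, PolicyBasic256Sha256} {
		cert := s.certs[2048]
		if perEndpointCert {
			cert = s.certFor(p)
		}
		eps = append(eps, EndpointDescription{SecurityPolicyURI: p, ServerCertificate: cert})
	}
	return eps
}

// ValidateSessionCertificate is the client-side check: the certificate in
// CreateSessionResponse must be byte-identical to the one advertised for the
// endpoint the client selected.
func ValidateSessionCertificate(sessionCert []byte, ep EndpointDescription) error {
	if !bytes.Equal(sessionCert, ep.ServerCertificate) {
		return fmt.Errorf("different cert in CreateSessionResponse.serverCertificate and endpoint %s", ep.SecurityPolicyURI)
	}
	return nil
}

// Connect runs GetEndpoints, selects the endpoint for policy and validates the
// certificate the server would place in CreateSessionResponse against it.
func Connect(s *Server, policy string, perEndpointCert bool) error {
	for _, ep := range s.GetEndpoints(perEndpointCert) {
		if ep.SecurityPolicyURI == policy {
			return ValidateSessionCertificate(s.certFor(policy), ep)
		}
	}
	return fmt.Errorf("no endpoint for %s", policy)
}
```

Calling `Connect(s, PolicyBasic256Sha256, false)` on a server built with `NewServer(2048, 4096)` returns the mismatch error, while `Connect(s, PolicyBasic256Sha256, true)` returns nil: the fix belongs on the server side, where GetEndpoints has to advertise, per endpoint, the same certificate CreateSession will later return. The comparison itself exists so that a certificate shown at discovery cannot be silently replaced by a different one at session creation, which is why the client SDK gives no easy way to switch it off.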