Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
2 certificate key sizes not working anymore
July 19, 2018
19:04, EEST
Avatar
Xavier
Member
Members
Forum Posts: 43
Member Since:
March 26, 2014
sp_UserOfflineSmall Offline

Hi,

I switched from pre-3.0.0 SDK to the 3.1.4 SDK but noticed that the way I was able to handle all security modes is not working anymore.

I used the method loadOrCreateCertificate with 2 key sizes (new int[] { 2048, 4096 }) and I was able to connect using any security mode. Now it’s not working anymore.

You can reproduce the issue with the 3.1.4 SDK and the sampleConsoleServer if you change line 511 to enable the 2 keySizes :
final int[] keySizes = new int[] { 2048, 4096 };

I cannot connect with the sampleClientServer (using security mode none), I have this exception :
Different cert in CreateSessionResponse.serverCertificate and endpoints

But at the same time the documentation is still suggesting that this is the way to do it:
// If you wish to use big certificates (4096 bits), you will need to
// define two certificates for your application, since to interoperate
// with old applications, you will also need to use a small certificate
// (up to 2048 bits).

Thanks 🙂

July 20, 2018
15:33, EEST
Avatar
Heikki Tahvanainen
Moderator
Members

Moderators
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hi Xavier,

Thank you for reporting this. This is a very good observation.

Actually it seems that there has not been a change on the server side. Rather, the client side certificate validation is done more rigorously with SDK 3.0 or newer. In other words, the same issue happens also with previous server versions, but the situation is not checked by the previous client applications.

The actual issue seems to be that when there’s multiple application instance certificates, only of these will be used in the EndpointDescriptions returned by the GetEndpoints service. In this example situation, the 4096 bit certificate should be used with BASIC256SHA256 endpoints, but the GetEndpoints service always uses the 2048 bit version of application instance certificate. Fixing the issue requires most probably changes to the endpoint handling in the server side SDK.

You cannot easily disable this check from the client SDK, so until further notice there’s no easy workaround. Clients made with SDK older than 3.0 will continue to work normally though.

P.s. As a small note, the SampleConsoleServer example as well as the server tutorial suggest to use 0 to mark the default keysize:

keySizes = new int[] { 0, 4096 };
Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
31 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 135

pramanj: 86

Francesco Zambon: 81

rocket science: 75

ibrahim: 75

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

fred: 41

Member Stats:

Guest Posters: 0

Members: 709

Moderators: 16

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1465

Posts: 6252

Newest Members:

christi10l, ahamad1, Flores Frederick, ellenmoss, harriettscherer, shanonhumphreys, KupimotoblokfuB, tamhollander5, paulinafcf, bridgette18l

Moderators: Jouni Aro: 1009, Otso Palonen: 32, Tuomas Hiltunen: 5, Pyry: 1, Petri: 0, Bjarne Boström: 982, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 26, Teppo Uimonen: 21, Markus Johansson: 42, Niklas Nurminen: 0, Matti Siponen: 319, Lusetti: 0, Ari-Pekka Soikkeli: 5

Administrators: admin: 1