topic - SSL/TLS handshake from .NET to APNs - remote certificate is invalid




The challenge here is to find which requirements are not being met. You can use this: https://github.com/rodneyviana/blogdemos/blob/master/TestServerCertificate.zip

  • Unzip it anywhere. Make sure the application is unblocked (right-click, properties and check Unblock if present)
  • Open a command prompt as administrator
  • Run this to get into the system user context: c:\sysinternals\PsExec -i -s cmd.exe
  • In the new prompt window, move to the folder where you extracted the tool
  • Run using this syntax: TestServerCertificate [host] [port]
  • This will save a log file and the certificates from the certificate chain to a temp folder.

See example below:

c:\tools>whoami
nt authority\system

c:\tools>TestServerCertificate.exe www.microsoft.com 443
Verify Certificate Details
==========================


Writing logs to C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\output.log

c:\tools>notepad C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\output.log

This is the actual log from the command above (no errors, of course):

Getting certificate from www.microsoft.com 443
TLS Protocol: Tls12
Strength 256

Certificate at www.microsoft.com

Thumbprint: 8FBE50987D59F8C023492162238250C2ED18176A
Subject: CN=www.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Friendly Name: 
Issuer name: CN=Microsoft IT TLS CA 4, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Valid until: 1/16/2020 3:24:02 PM
Certificate is valid: True
Number of extensions: 10

Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\certificate_8FBE50987D59F8C023492162238250C2ED18176A.cer

WARNING: Certificate was not found in any location store

Chain Information
=================
Chain revocation flag: ExcludeRoot
Chain revocation mode: Online
Chain verification flag: NoFlag
Chain verification time: 8/11/2018 1:57:30 AM
Chain status length: 0
Chain application policy count: 0
Chain certificate policy count: 0 

Chain Element Information
Number of chain elements: 3


Intermediate Certificate
==============================================

Element thumbprint: 8A38755D0996823FE8FA3116A277CE446EAC4E99
Element subject: CN=Microsoft IT TLS CA 4, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Friendly Name: 
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 5/20/2024 7:52:38 AM
Element certificate is valid: True
Element error status length: 0
Element information: 
Number of element extensions: 8

Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\Intermediate_8A38755D0996823FE8FA3116A277CE446EAC4E99.cer
Information: Certificate was found installed in store(s) -  CurrentUser\CA

ROOT Certificate
==============================================

Element thumbprint: D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Element subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Friendly Name: DigiCert Baltimore Root
Element issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Element certificate valid until: 5/12/2025 6:59:00 PM
Element certificate is valid: True
Element error status length: 0
Element information: 
Number of element extensions: 3

Writing Certificate: C:\WINDOWS\TEMP\certchain_e9ab7362-e5ba-4adc-b47c-7f28c0eddbfc\ROOT_D4DE20D05E66FC53FE1A50882C78DB2852CAE474.cer
Information: Certificate was found installed in store(s) -  CurrentUser\AuthRoot LocalMachine\AuthRoot CurrentUser\Root LocalMachine\Root
============= End of Report =============

If the problem is not clear in the log, post it here for analysis.

I'm connecting to Apple Push Notification Service (APNs) from the .NET Framework using an SslStream. I'm connecting using the Binary Provider API. As part of the initial handshake, the SslStream does an AuthenticateAsClient on the network stream. This is the code for that:

// Requires System.Net.Security, System.Security.Authentication and
// System.Security.Cryptography.X509Certificates (System.Net.Sockets for _tcpClient)
_sslStream = new SslStream(_tcpClient.GetStream());   // no callback: the OS chain build decides
_sslStream.AuthenticateAsClient(_url,                  // APNs hostname, matched against the server certificate
    new X509CertificateCollection { _certificate },    // client (push) certificate offered to APNs
    SslProtocols.Tls,                                  // TLS 1.0 only
    true);                                             // checkCertificateRevocation

Where _url is the APNs hostname and _certificate the push certificate of the app. On most machines (running a version of Windows Server), this is accepted and communication can continue. However, on some machines, this will fail. This is the exact error:

The remote certificate is invalid according to the validation procedure.

The code runs as a Windows Service under the Local System privileges. When the exact same code runs as a command-line application under a local user, the handshake is accepted and communication can continue. Running the same command-line application under Local System using psexec -i -s causes the same error. I've checked if there are differences in the certificate stores between Local Computer and the Current User, but there are none.

A "workaround" was also tested. In this changed form, the code shown earlier was adapted to completely ignore certificates. This does exactly as you'd expect; the received certificates are not checked and communication can continue. This is what that looks like:

// Workaround: the callback accepts every remote certificate unconditionally, so
// chain, hostname and revocation failures are all ignored.
_sslStream = new SslStream(_tcpClient.GetStream(), false, (sender, certificate, chain, errors) => true);
_sslStream.AuthenticateAsClient(_url,
    new X509CertificateCollection { _certificate },
    SslProtocols.Tls,
    false);                                            // revocation checking switched off as well

Of course, disabling security is a bad idea. What could be causing the handshake to break?!
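The following is an added example; it is not the poster's code and not the TestServerCertificate tool from the answer above. It does in-process what that tool does from the outside (connect, let SslStream validate the chain, print the SslPolicyErrors, every X509ChainStatus, each chain element and which CurrentUser/LocalMachine Root, AuthRoot and CA stores contain it), and it is the shape the "=> true" workaround should take instead: the callback logs the reasons but still returns the real verdict, so a broken chain still fails the handshake. Host and port are command-line arguments; the defaults of www.microsoft.com and 443 simply repeat the answer's log, and the set of stores searched and the extra chain build with revocation checking disabled (to separate "untrusted or incomplete chain" from "cannot reach the CRL/OCSP endpoint from this account") are my choices, not anything the page states. Run it under PsExec -i -s as in the answer to see the chain as Local System.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example (not the poster's code, not the TestServerCertificate tool).
// Usage: ChainDiagnostics.exe [host] [port]   -- defaults are assumptions
static class ChainDiagnostics
{
    static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "www.microsoft.com";
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        using (var client = new TcpClient(host, port))
        using (var ssl = new SslStream(client.GetStream(), false, LogAndValidate))
        {
            try
            {
                // No client certificate here; put the push certificate in the collection
                // when talking to APNs. Revocation checking is left on (last argument).
                ssl.AuthenticateAsClient(host, new X509CertificateCollection(),
                                         SslProtocols.Tls12, true);
                Console.WriteLine("Handshake OK: {0}, {1} {2}-bit",
                                  ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength);
                return 0;
            }
            catch (AuthenticationException ex)
            {
                // This is where "The remote certificate is invalid according to the
                // validation procedure." surfaces when the callback returns false.
                Console.WriteLine("Handshake failed: " + ex.Message);
                return 1;
            }
        }
    }

    // Same signature as the "(sender, certificate, chain, errors) => true" workaround,
    // but it records why validation failed and returns the genuine verdict.
    static bool LogAndValidate(object sender, X509Certificate certificate,
                               X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("SslPolicyErrors: " + errors);
        if (chain == null || certificate == null)
            return errors == SslPolicyErrors.None;

        Console.WriteLine("Revocation mode {0}, flag {1}",
                          chain.ChainPolicy.RevocationMode, chain.ChainPolicy.RevocationFlag);
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  chain status: {0} - {1}", s.Status, s.StatusInformation.Trim());

        for (int i = 0; i < chain.ChainElements.Count; i++)
        {
            X509ChainElement e = chain.ChainElements[i];
            X509Certificate2 c = e.Certificate;
            Console.WriteLine("[{0}] {1}", i, c.Subject);
            Console.WriteLine("     issuer: {0}", c.Issuer);
            Console.WriteLine("     thumbprint: {0}, valid until {1}", c.Thumbprint, c.NotAfter);
            foreach (X509ChainStatus s in e.ChainElementStatus)
                Console.WriteLine("     element status: {0} - {1}", s.Status, s.StatusInformation.Trim());
            Console.WriteLine("     found in stores: {0}", StoresContaining(c));
        }

        // Build the chain again with revocation checking off. If this succeeds while the
        // statuses above say RevocationStatusUnknown / OfflineRevocation, the account
        // running this code cannot reach the CRL/OCSP endpoint; trust itself is fine.
        var noRevocation = new X509Chain();
        noRevocation.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool builds = noRevocation.Build(new X509Certificate2(certificate));
        Console.WriteLine("Chain builds with revocation checking disabled: " + builds);

        return errors == SslPolicyErrors.None;   // real verdict, never a blanket "true"
    }

    // Which of the usual trust stores, for the current user and the machine, hold this
    // exact certificate (matched by thumbprint). Store set is an assumption.
    static string StoresContaining(X509Certificate2 cert)
    {
        var hits = new List<string>();
        foreach (StoreLocation loc in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
            foreach (StoreName name in new[] { StoreName.Root, StoreName.AuthRoot, StoreName.CertificateAuthority })
            {
                var store = new X509Store(name, loc);
                try
                {
                    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                    if (store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0)
                        hits.Add(loc + "\\" + name);
                }
                catch (CryptographicException) { /* store does not exist for this account */ }
                finally { store.Close(); }
            }
        return hits.Count == 0 ? "(none)" : string.Join(" ", hits);
    }
}
```

Compare the "found in stores" lines between a run as the local user and a run under PsExec -i -s: a root that appears only for the user, or a chain status that only shows up as Local System, points at the difference in context that the question is about.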





apple-push-notifications