
SSL SSPI ClientCertificate


Bob

May 22, 2006, 12:54:25 PM
I created an SSL/TLS class via SSPI and it works well.
But I have a question about client certificates. There is one server I test
with that seems to require a client certificate because it's returning the
SEC_I_INCOMPLETE_CREDENTIALS error when calling InitializeSecurityContext().

If I set a client certificate it works. This is how I expected it to work.

But I tried to use the SSLStream class in .Net 2.0 for another project and
if I try and connect using that it still connects even without specifying a
client certificate.

Does anyone know why the SSLStream class does not need a client certificate
but my application using the SSPI does? Is there a way I can get around the
request without having to specify a client certificate?

Thanks

Bob


John Banes

May 24, 2006, 12:45:42 AM
Some servers request a client certificate, but are willing to continue the
connection even without one. The SSL/TLS protocol supports this sort of
thing. As a client, you just need to send an empty Certificate message
(SSL3) or a no_certificate alert (TLS) instead of a client certificate. I
know little of the SSLStream class, but that must be what it's doing.

To do this using SSPI, when you get the SEC_I_INCOMPLETE_CREDENTIALS error,
as I recall all you need to do is to call InitializeSecurityContext back
with the ISC_USE_SUPPLIED_CREDENTIALS flag. Assuming that the credential
handle you specify doesn't contain a client certificate, this tells the
schannel security package that you want to continue the handshake without
sending a client certificate.

Regards,
John

"Bob" <msg...@hotmail.com> wrote in message
news:%233t0iBc...@TK2MSFTNGP04.phx.gbl...

Bob

May 24, 2006, 3:54:20 PM
Thanks. That worked!! I don't know if I ever would have found that just by
looking at the MSDN documentation.


"John Banes" <jab...@comcast.remove.net> wrote in message
news:O%23JOnzuf...@TK2MSFTNGP03.phx.gbl...
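
The retry discussed in this thread, as an added example that is not code posted by either participant: one handshake step that repeats the InitializeSecurityContext call with the supplied-credentials flag (spelled ISC_REQ_USE_SUPPLIED_CREDS in sspi.h) only when the caller's policy permits continuing without a client certificate. The names handshake_step, isc_call_fn and fake_isc are hypothetical, the callback stands in for the real call with its handles and buffers, and the non-Windows branch holds stand-in definitions so the logic can be compiled anywhere.

```c
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#else
/* Stand-ins so the logic compiles off Windows; values as in winerror.h and sspi.h. */
typedef long SECURITY_STATUS;
typedef unsigned long ULONG;
#define SEC_E_OK                     0x00000000L
#define SEC_I_CONTINUE_NEEDED        0x00090312L
#define SEC_I_INCOMPLETE_CREDENTIALS 0x00090320L
#define ISC_REQ_USE_SUPPLIED_CREDS   0x00000080
#endif

/* Hypothetical callback: performs one InitializeSecurityContext() call with
 * the given fContextReq flags, reusing the handles and buffers in `state`. */
typedef SECURITY_STATUS (*isc_call_fn)(void *state, ULONG req_flags);

/* One handshake step. If Schannel reports that the server asked for a client
 * certificate and policy allows it, repeat the call with
 * ISC_REQ_USE_SUPPLIED_CREDS so the handshake continues without one.
 * *declined is set to 1 when that happened, so the caller can log it. */
SECURITY_STATUS handshake_step(isc_call_fn isc, void *state, ULONG *req_flags,
                               int allow_no_client_cert, int *declined)
{
    SECURITY_STATUS st = isc(state, *req_flags);
    *declined = 0;
    if (st == SEC_I_INCOMPLETE_CREDENTIALS && allow_no_client_cert &&
        !(*req_flags & ISC_REQ_USE_SUPPLIED_CREDS)) {
        *req_flags |= ISC_REQ_USE_SUPPLIED_CREDS; /* keep it for later steps */
        *declined = 1;
        st = isc(state, *req_flags);
    }
    return st; /* otherwise the caller must pick a certificate or abort */
}

/* Constructed stand-in for Schannel: asks for a certificate until the flag
 * is set, then lets the handshake continue. Counts calls in *state. */
SECURITY_STATUS fake_isc(void *state, ULONG req_flags)
{
    ++*(int *)state;
    return (req_flags & ISC_REQ_USE_SUPPLIED_CREDS)
               ? SEC_I_CONTINUE_NEEDED : SEC_I_INCOMPLETE_CREDENTIALS;
}
```

Whether the server then accepts the connection without a certificate is its own decision, so the status of the repeated call still has to be checked like any other handshake step.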
