Windows 8 Phone Client Certificate HTTPS authentic

2019-03-15 18:52发布

问题:

I am trying to access a secure HTTPS server using client certificate from a Windows 8 Phone app I am developing. This does not work at all which has has made me try to access the HTTPS server from the standard web browser where it does not work either. I do not know if Internet Explorer can handle client certificates or not. If it does not handle them I would be very interested in some sample code for c# .NET that works on Windows 8 Phone and that is able to provide a client certificate to the web service over HTTPS. The certificate used must be stored in the Windows 8 Phone certificate store.

It Just does not work for me, neither from the app I built nor from Internet Explorer. I have set up Client Authentication in Apache like the following:

<VirtualHost _default_:443>
DocumentRoot /var/www/htdocs
ServerName norrweb
ServerAdmin you@your.address
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCertificateFile    /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
#SSLCACertificatePath    /var/www/conf/ssl.crt
SSLCACertificateFile    /var/www/conf/ssl.crt/ca-bundle.crt
SSLVerifyClient require
SSLVerifyDepth  10
</VirtualHost>

This works great, in OSX I can chose my client certificate issues by the CA specified in SSLCACertificateFile which contains a self-signed Root CA and an intermediate CA that has in turn signed the client certificate I am using on my mac.

I have installed the Root CA, the Intermediate CA and the client CA on a Windows 8 Phone (Nokia Lumia 900). The phone told me for each certificate that it was successfully installed. To me it seem like if the phone never sends any certificate to the server. Is there a need to specify which certificate to be used for which server?

The following can be read in error_log for Apache:

# tail -f /var/www/logs/error_log                                                                                                                                  
[Tue Mar 12 23:46:30 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:46:30 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[Tue Mar 12 23:48:45 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:48:45 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[Tue Mar 12 23:48:45 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:48:45 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[Tue Mar 12 23:52:23 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:52:23 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[Tue Mar 12 23:52:23 2013] [error] mod_ssl: SSL handshake failed (server norrweb:443, client 10.0.83.232) (OpenSSL library error follows)
[Tue Mar 12 23:52:23 2013] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

The following can be seen in Wireshark

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000000    10.0.83.232           10.0.83.132           TCP      66     49160 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1

Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49160 (49160), Dst Port: https (443), Seq: 0, Len: 0

No.     Time           Source                Destination           Protocol Length Info
      2 0.000177000    10.0.83.132           10.0.83.232           TCP      66     https > 49160 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=8

Frame 2: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49160 (49160), Seq: 0, Ack: 1, Len: 0

No.     Time           Source                Destination           Protocol Length Info
      3 0.004240000    10.0.83.232           10.0.83.132           TCP      60     49160 > https [ACK] Seq=1 Ack=1 Win=262144 Len=0

Frame 3: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49160 (49160), Dst Port: https (443), Seq: 1, Ack: 1, Len: 0

No.     Time           Source                Destination           Protocol Length Info
      4 0.006430000    10.0.83.232           10.0.83.132           TLSv1    162    Client Hello

Frame 4: 162 bytes on wire (1296 bits), 162 bytes captured (1296 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49160 (49160), Dst Port: https (443), Seq: 1, Ack: 1, Len: 108
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 103
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 99
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 0
            Cipher Suites Length: 24
            Cipher Suites (12 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 34
            Extension: renegotiation_info
            Extension: status_request
            Extension: elliptic_curves
            Extension: ec_point_formats
            Extension: SessionTicket TLS

No.     Time           Source                Destination           Protocol Length Info
      5 0.006753000    10.0.83.132           10.0.83.232           TLSv1    1086   Server Hello, Certificate, Certificate Request, Server Hello Done

Frame 5: 1086 bytes on wire (8688 bits), 1086 bytes captured (8688 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49160 (49160), Seq: 1, Ack: 109, Len: 1032
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 53
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 49
            Version: TLS 1.0 (0x0301)
            Random
            Session ID Length: 0
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Compression Method: null (0)
            Extensions Length: 9
            Extension: renegotiation_info
            Extension: SessionTicket TLS
    TLSv1 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 810
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 806
            Certificates Length: 803
            Certificates (803 bytes)
    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 154
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 146
            Certificate types count: 3
            Certificate types (3 types)
            Distinguished Names Length: 140
            Distinguished Names (140 bytes)
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

No.     Time           Source                Destination           Protocol Length Info
      6 0.035066000    10.0.83.232           10.0.83.132           TLSv1    387    Certificate, Client Key Exchange, Change Cipher Spec, Finished

Frame 6: 387 bytes on wire (3096 bits), 387 bytes captured (3096 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49160 (49160), Dst Port: https (443), Seq: 109, Ack: 1033, Len: 333
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 269
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 3
            Certificates Length: 0
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 258
            RSA Encrypted PreMaster Secret
    TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.0 (0x0301)
        Length: 1
        Change Cipher Spec Message
    TLSv1 Record Layer: Handshake Protocol: Finished
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 48
        Handshake Protocol: Finished
            Handshake Type: Finished (20)
            Length: 12
            Verify Data

No.     Time           Source                Destination           Protocol Length Info
      7 0.035543000    10.0.83.132           10.0.83.232           TLSv1    61     Alert (Level: Fatal, Description: Handshake Failure)

Frame 7: 61 bytes on wire (488 bits), 61 bytes captured (488 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49160 (49160), Seq: 1033, Ack: 442, Len: 7
Secure Sockets Layer
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.0 (0x0301)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

No.     Time           Source                Destination           Protocol Length Info
      8 0.037140000    10.0.83.132           10.0.83.232           TCP      54     https > 49160 [FIN, ACK] Seq=1040 Ack=442 Win=17520 Len=0

Frame 8: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49160 (49160), Seq: 1040, Ack: 442, Len: 0

No.     Time           Source                Destination           Protocol Length Info
      9 0.037374000    10.0.83.232           10.0.83.132           TCP      60     49160 > https [FIN, ACK] Seq=442 Ack=1040 Win=260864 Len=0

Frame 9: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49160 (49160), Dst Port: https (443), Seq: 442, Ack: 1040, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     10 0.037491000    10.0.83.132           10.0.83.232           TCP      54     https > 49160 [FIN, ACK] Seq=1040 Ack=443 Win=17520 Len=0

Frame 10: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49160 (49160), Seq: 1040, Ack: 443, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     11 0.038866000    10.0.83.232           10.0.83.132           TCP      66     49161 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1

Frame 11: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49161 (49161), Dst Port: https (443), Seq: 0, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     12 0.038987000    10.0.83.132           10.0.83.232           TCP      66     https > 49161 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=8

Frame 12: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49161 (49161), Seq: 0, Ack: 1, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     13 0.042720000    10.0.83.232           10.0.83.132           TCP      60     49160 > https [ACK] Seq=443 Ack=1041 Win=260864 Len=0

Frame 13: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49160 (49160), Dst Port: https (443), Seq: 443, Ack: 1041, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     14 0.045063000    10.0.83.232           10.0.83.132           TCP      60     49161 > https [ACK] Seq=1 Ack=1 Win=262144 Len=0

Frame 14: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49161 (49161), Dst Port: https (443), Seq: 1, Ack: 1, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     15 0.046585000    10.0.83.232           10.0.83.132           SSLv3    112    Client Hello

Frame 15: 112 bytes on wire (896 bits), 112 bytes captured (896 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49161 (49161), Dst Port: https (443), Seq: 1, Ack: 1, Len: 58
Secure Sockets Layer
    SSLv3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 53
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 49
            Version: SSL 3.0 (0x0300)
            Random
            Session ID Length: 0
            Cipher Suites Length: 10
            Cipher Suites (5 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)

No.     Time           Source                Destination           Protocol Length Info
     16 0.047039000    10.0.83.132           10.0.83.232           SSLv3    1113   Server Hello, Certificate, Certificate Request, Server Hello Done

Frame 16: 1113 bytes on wire (8904 bits), 1113 bytes captured (8904 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49161 (49161), Seq: 1, Ack: 59, Len: 1059
Secure Sockets Layer
    SSLv3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 81
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 77
            Version: SSL 3.0 (0x0300)
            Random
            Session ID Length: 32
            Session ID: f49316c9deb37720a0af8fe4bd7d3feb9a289930d502de9d...
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
            Compression Method: null (0)
            Extensions Length: 5
            Extension: renegotiation_info
    SSLv3 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 810
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 806
            Certificates Length: 803
            Certificates (803 bytes)
    SSLv3 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 153
        Handshake Protocol: Certificate Request
            Handshake Type: Certificate Request (13)
            Length: 145
            Certificate types count: 2
            Certificate types (2 types)
            Distinguished Names Length: 140
            Distinguished Names (140 bytes)
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0

No.     Time           Source                Destination           Protocol Length Info
     17 0.058398000    10.0.83.232           10.0.83.132           SSLv3    397    Alert (Level: Warning, Description: No Certificate), Client Key Exchange, Change Cipher Spec, Finished

Frame 17: 397 bytes on wire (3176 bits), 397 bytes captured (3176 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49161 (49161), Dst Port: https (443), Seq: 59, Ack: 1060, Len: 343
Secure Sockets Layer
    SSLv3 Record Layer: Alert (Level: Warning, Description: No Certificate)
        Content Type: Alert (21)
        Version: SSL 3.0 (0x0300)
        Length: 2
        Alert Message
            Level: Warning (1)
            Description: No Certificate (41)
    SSLv3 Record Layer: Handshake Protocol: Client Key Exchange
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 260
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 256
    SSLv3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: SSL 3.0 (0x0300)
        Length: 1
        Change Cipher Spec Message
    SSLv3 Record Layer: Handshake Protocol: Finished
        Content Type: Handshake (22)
        Version: SSL 3.0 (0x0300)
        Length: 60
        Handshake Protocol: Finished
            Handshake Type: Finished (20)
            Length: 36
            MD5 Hash
            SHA-1 Hash

No.     Time           Source                Destination           Protocol Length Info
     18 0.058791000    10.0.83.132           10.0.83.232           SSLv3    61     Alert (Level: Fatal, Description: Handshake Failure)

Frame 18: 61 bytes on wire (488 bits), 61 bytes captured (488 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49161 (49161), Seq: 1060, Ack: 402, Len: 7
Secure Sockets Layer
    SSLv3 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: SSL 3.0 (0x0300)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

No.     Time           Source                Destination           Protocol Length Info
     19 0.059728000    10.0.83.132           10.0.83.232           TCP      54     https > 49161 [FIN, ACK] Seq=1067 Ack=402 Win=17520 Len=0

Frame 19: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49161 (49161), Seq: 1067, Ack: 402, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     20 0.061094000    10.0.83.232           10.0.83.132           TCP      60     49161 > https [FIN, ACK] Seq=402 Ack=1067 Win=260864 Len=0

Frame 20: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49161 (49161), Dst Port: https (443), Seq: 402, Ack: 1067, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     21 0.061351000    10.0.83.132           10.0.83.232           TCP      54     https > 49161 [FIN, ACK] Seq=1067 Ack=403 Win=17520 Len=0

Frame 21: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0
Ethernet II, Src: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a), Dst: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4)
Internet Protocol Version 4, Src: 10.0.83.132 (10.0.83.132), Dst: 10.0.83.232 (10.0.83.232)
Transmission Control Protocol, Src Port: https (443), Dst Port: 49161 (49161), Seq: 1067, Ack: 403, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     22 0.062308000    10.0.83.232           10.0.83.132           TCP      66     49162 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1

Frame 22: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Nokia_c9:bd:a4 (b0:35:8d:c9:bd:a4), Dst: Vmware_b3:cc:5a (00:0c:29:b3:cc:5a)
Internet Protocol Version 4, Src: 10.0.83.232 (10.0.83.232), Dst: 10.0.83.132 (10.0.83.132)
Transmission Control Protocol, Src Port: 49162 (49162), Dst Port: https (443), Seq: 0, Len: 0

No.     Time           Source                Destination           Protocol Length Info
     23 0.062449000    10.0.83.132           10.0.83.232           TCP      66     https > 49162 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=8

[Edit] Here is some new info, I have done some future debugging using openssl s_client, see below:

imac:test jens$ openssl s_client -showcerts -connect norrweb:443 -CAfile CCRootCA.pem -prexit
CONNECTED(00000003)
depth=1 /CN=CCRootCA/C=SE/emailAddress=<mail hidden>
verify return:1
depth=0 /CN=norrweb/emailAddress=<mail hidden>
verify return:1
45636:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102:SSL alert number 40
45636:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s23_lib.c:182:
---
Certificate chain
 0 s:/CN=norrweb/emailAddress=<mail hidden>
   i:/CN=CCRootCA/C=SE/emailAddress=<mail hidden>
-----BEGIN CERTIFICATE-----
MIIDHDCCAgSgAwIBAgIBAjALBgkqhkiG9w0BAQswPDERMA8GA1UEAwwIQ0NSb290
<snip>
IEPe9OMviQ+yxlJKnalvha8yL5ULzYFIkRfvUZTUd8M=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=norrweb/emailAddress=<mail hidden>
issuer=/CN=CCRootCA/C=SE/emailAddress=<mail hidden>
---
Acceptable client certificate CA names
/CN=NorrIntermediateCA/C=SE/emailAddress=<mail hidden>
/CN=NorrRootCA/C=SE/emailAddress=<mail hidden>
---
SSL handshake has read 1599 bytes and written 210 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C3B4CC8BF5D88DE76E0DDEE4A24499B9F391D8B7AE93C84CE25DA58218181313
    Session-ID-ctx: 
    Master-Key: C98F2A12F7A796BD380507544A25FBEFCFEC1270F14A5705E6FFC4C841403F35C244E39F71FBA5407C27AC406D1058B7
    Key-Arg   : None
    Start Time: 1364065589
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
imac:test jens$ 

The following is printed in the log on server:

[23/Mar/2013 20:06:24 25734] [info]  Connection to child 3 established (server norrweb:443, client 10.0.83.145)
[23/Mar/2013 20:06:24 25734] [info]  Seeding PRNG with 1160 bytes of entropy
[23/Mar/2013 20:06:24 25734] [error] SSL handshake failed (server norrweb:443, client 10.0.83.145) (OpenSSL library error follows)
[23/Mar/2013 20:06:24 25734] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Because it prints the following I would guess the server is doing the correct thing?:

Acceptable client certificate CA names

/CN=NorrIntermediateCA/C=SE/emailAddress=

/CN=NorrRootCA/C=SE/emailAddress=

I know for sure I have installed a client certificate on the Nokia device signed by /CN=NorrIntermediateCA/C=SE/emailAddress=

Any more suggestions anyone? Is the Windows 8 Phone broken?

回答1:

I know this is late, but according to this msdn article client certificates are not supported in Windows Phone 8.



回答2:

Take a look at Frame 6. The Nokia is not sending the certificate. This corresponds to the error_log messages showing the certificate is missing: peer did not return a certificate.

I have seen this issue when the server is missing the certificate chain that issued the client certificates. I believe the error_log is saying as much: [Hint: No CAs known to server for verification?]

The server sends the client the CAs it trusts. The client sends back messages using client certs issued by those CAs.