Failing to get the client and server talk to each other #3

Open
mwahaj opened this issue Dec 11, 2019 · 3 comments

mwahaj commented Dec 11, 2019

Hi,

After running the program for some time I am getting this strange error. I have even tried running the application from the Examples (https://github.com/chronoxor/CSharpServer/releases) and also compiled the SSL Client and SSL Server programs, but both are giving me this error. Interestingly, using the OpenSSL s_client command I can communicate with the SSL Server program. I haven't tweaked my machine. I am using Windows 10. Running the examples on Windows Server 2012 is not showing such errors. Here are the errors:

SSL Server
SSL server port: 2222

Service starting...Done!
Server starting...Done!
Press Enter to stop the server or '!' to restart the server...
Chat SSL session with Id 220fa7cd-1bde-11ea-a1da-54ee753e95fb connected!
Chat SSL session caught an error with code 0 and category 'asio.ssl': tlsv1 alert decrypt error
Chat SSL session with Id 220fa7cd-1bde-11ea-a1da-54ee753e95fb disconnected!
Chat SSL session with Id 294a79a2-1bde-11ea-a1da-54ee753e95fb connected!
Chat SSL session caught an error with code 0 and category 'asio.ssl': tlsv1 alert decrypt error
Chat SSL session with Id 294a79a2-1bde-11ea-a1da-54ee753e95fb disconnected!
Chat SSL session with Id 294a79a3-1bde-11ea-a1da-54ee753e95fb connected!
Chat SSL session caught an error with code 0 and category 'asio.ssl': tlsv1 alert decrypt error
Chat SSL session with Id 294a79a3-1bde-11ea-a1da-54ee753e95fb disconnected!
Chat SSL session with Id 294a79a4-1bde-11ea-a1da-54ee753e95fb connected!
Chat SSL session caught an error with code 0 and category 'asio.ssl': tlsv1 alert decrypt error
Chat SSL session with Id 294a79a4-1bde-11ea-a1da-54ee753e95fb disconnected!
Chat SSL session with Id 294a79a5-1bde-11ea-a1da-54ee753e95fb connected!
Chat SSL session caught an error with code 0 and category 'asio.ssl': tlsv1 alert decrypt error
Chat SSL session with Id 294a79a5-1bde-11ea-a1da-54ee753e95fb disconnected!
Chat SSL session with Id 294a79a6-1bde-11ea-a1da-54ee753e95fb connected!
Chat SSL session caught an error with code 0 and category 'asio.ssl': tlsv1 alert decrypt error

SSL Client
SSL server address: 127.0.0.1
SSL server port: 2222

Service starting...Done!
Client connecting...Done!
Press Enter to stop the client or '!' to reconnect the client...
Chat SSL client connected a new session with Id 29496880-1bde-11ea-a1da-54ee753e95fb
Chat SSL client caught an error with code 0 and category 'asio.ssl': invalid padding
Chat SSL client disconnected a session with Id 29496880-1bde-11ea-a1da-54ee753e95fb
Chat SSL client connected a new session with Id 29496880-1bde-11ea-a1da-54ee753e95fb
Chat SSL client caught an error with code 0 and category 'asio.ssl': invalid padding
Chat SSL client disconnected a session with Id 29496880-1bde-11ea-a1da-54ee753e95fb
Chat SSL client connected a new session with Id 29496880-1bde-11ea-a1da-54ee753e95fb
Chat SSL client caught an error with code 0 and category 'asio.ssl': invalid padding
Chat SSL client disconnected a session with Id 29496880-1bde-11ea-a1da-54ee753e95fb
Chat SSL client connected a new session with Id 29496880-1bde-11ea-a1da-54ee753e95fb
Chat SSL client caught an error with code 0 and category 'asio.ssl': invalid padding
Chat SSL client disconnected a session with Id 29496880-1bde-11ea-a1da-54ee753e95fb

When I run OpenSSL to connect to the server I can connect, so it seems there is some issue with the client then?
OpenSSL> s_client -connect 127.0.0.1:2222
CONNECTED(00000134)
Can't use SSL_get_servername
depth=0 C = BY, ST = Belarus, L = Minsk, O = Example server, OU = Example server unit, CN = server.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = BY, ST = Belarus, L = Minsk, O = Example server, OU = Example server unit, CN = server.example.com
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:C = BY, ST = Belarus, L = Minsk, O = Example server, OU = Example server unit, CN = server.example.com
i:C = BY, ST = Belarus, L = Minsk, O = Example root CA, OU = Example CA unit, CN = example.com

Server certificate
subject=C = BY, ST = Belarus, L = Minsk, O = Example server, OU = Example server unit, CN = server.example.com

issuer=C = BY, ST = Belarus, L = Minsk, O = Example root CA, OU = Example CA unit, CN = example.com


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2278 bytes and written 386 bytes
Verification error: unable to verify the first certificate

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 8D587C1E206658B60AEBE0B1DB2F4477777B83058AB3EF44215F9C2242F4CC5E
Session-ID-ctx:
Master-Key: 0C755B81BC3A1A0621E0AABC35CE87F523077E390FEC2A66DDC7D524BFEAC1D6653B941AB13D8FA71CBFAE8341B3FD13
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:

Start Time: 1576045644
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes

Hello from SSL chat! Please send a message or '!' to disconnect the client!dfdf
dfdf
(admin) dfdf
Also, I need to know whether the code supports SSL Client Authentication or only SSL Server Authentication?

@chronoxor
Owner

Server side SSL code in examples\SslChatServer\Program.cs:

// Create and prepare a new SSL server context
var context = new SslContext(SslMethod.TLSV12);
context.SetPassword("qwerty");
context.UseCertificateChainFile("server.pem");
context.UsePrivateKeyFile("server.pem", SslFileFormat.PEM);
context.UseTmpDHFile("dh4096.pem");

Client side SSL code in 'examples\SslChatClient\Program.cs':

// Create and prepare a new SSL client context
var context = new SslContext(SslMethod.TLSV12);
context.SetDefaultVerifyPaths();
context.SetRootCerts();
context.SetVerifyMode(SslVerifyMode.VerifyPeer | SslVerifyMode.VerifyFailIfNoPeerCert);
context.LoadVerifyFile("ca.pem");

@chronoxor
Owner

You may also look into the new .NET Core implementations of the TCP/SSL servers & clients - https://github.com/chronoxor/NetCoreServer

@mwahaj
Author

mwahaj commented Dec 11, 2019

Tried NetCoreServer and I am able to run its examples and also debug its code. Thanks a lot!
I believe for client.pfx to work, its issuer must match the same issuer used in the server.pfx, right?
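
Added example, not part of the thread and not the project's code: it relates to the verify errors 20/21 in the s_client output above (s_client was run without a CA file, while the example client loads ca.pem) and to the issuer question in the last comment. It shows with plain OpenSSL that a certificate is accepted when it chains to a CA in the verifier's own trust file, so client and server certificates may come from different CAs. The names ca_server, ca_client and *.example.test are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: all keys, certificates and names are generated here.
# Nothing is taken from the project's server.pem, ca.pem or *.pfx files.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# make_ca NAME: self-signed root NAME.pem with private key NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed $1" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

# make_leaf NAME CA: end-entity certificate NAME.pem issued by CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$DEMO_DIR/$1.csr" -days 1 \
        -CA "$DEMO_DIR/$2.pem" -CAkey "$DEMO_DIR/$2.key" -CAcreateserial \
        -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

# chains_to LEAF CA: exit status 0 only when LEAF.pem verifies against CA.pem
chains_to() {
    openssl verify -CAfile "$DEMO_DIR/$2.pem" "$DEMO_DIR/$1.pem" >/dev/null 2>&1
}

# verify_reason LEAF CA: print the failure reason openssl reports, if any
verify_reason() {
    openssl verify -CAfile "$DEMO_DIR/$2.pem" "$DEMO_DIR/$1.pem" 2>&1 |
        grep -o 'unable to get local issuer certificate' | head -n 1
}

make_ca ca_server && make_ca ca_client
make_leaf server ca_server && make_leaf client ca_client

# Each side only needs the CA that issued the *peer's* certificate.
chains_to server ca_server && echo "client trusting ca_server accepts server"
chains_to client ca_client && echo "server trusting ca_client accepts client"
# Same failure class as verify error 20 in the s_client output: issuer not in trust file.
chains_to client ca_server || echo "rejected: $(verify_reason client ca_server)"
```
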
