More from the broken SslStream 12/10/2012 1:37:00 PM

As mentioned, I've been fighting with this stream for the last week or so.


12:31:41:4782 !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The specified data could not be decrypted
--- End of inner exception stack trace ---
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at Fiddler.ClientPipe.SecureClientPipeDirect(X509Certificate2 certServer) in C:\src\Fiddler2\Common\Core\PipeClient.cs:line 16

Comment

Eric @ 67.79.7.98

Conclusion: This is what happens if the Private Key in the RSACryptoServiceProvider changes on disk. When the LSASS.EXE process tries to complete the HTTPS handshake (this is always out-of-process to your application), it finds that the private key is unable to decrypt the data sent by the client, which was encrypted using the original private key. Lesson learned: While it's called a KeyContainer, it can only hold ONE exchange key at a time. If you want multiple keys (e.g. for multiple certificates) you need multiple containers.
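The comment's point, that a CSP key container holds a single exchange key and that replacing it on disk breaks any certificate still bound to the old key, shown as an added C# example that is not Fiddler's or the post's own code. It assumes Windows (CSP key containers are Windows-only), and the container names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

class KeyContainerDemo
{
    // Open the RSA exchange key in the named container, creating it if absent.
    static RSACryptoServiceProvider OpenContainer(string name)
    {
        var csp = new CspParameters
        {
            KeyContainerName = name,
            KeyNumber = (int)KeyNumber.Exchange // AT_KEYEXCHANGE: the key type a TLS server cert uses
        };
        return new RSACryptoServiceProvider(2048, csp);
    }

    // Delete the stored key: this is the "private key changed on disk" trigger from the comment.
    static void DeleteContainer(string name)
    {
        using (var rsa = OpenContainer(name))
        {
            rsa.PersistKeyInCsp = false; // once cleared, Clear() removes the key material
            rsa.Clear();
        }
    }

    static void Main()
    {
        const string container = "ExampleContainer"; // hypothetical name, not Fiddler's
        string first;
        using (var rsa = OpenContainer(container))
            first = rsa.ToXmlString(false); // public half only
        // Opening the same name again reuses the stored key rather than generating a new one.
        using (var rsa = OpenContainer(container))
            Console.WriteLine("Same container reused: " + (rsa.ToXmlString(false) == first));
        // Delete and re-create: the key is replaced, so a certificate whose private key lived
        // here can no longer decrypt the client's key exchange (the SSPI error in the trace).
        DeleteContainer(container);
        using (var rsa = OpenContainer(container))
            Console.WriteLine("Key replaced on disk: " + (rsa.ToXmlString(false) != first));
        DeleteContainer(container);
        // Lesson from the comment: one container per certificate so keys never clobber each other.
        using (var a = OpenContainer("Cert-" + Guid.NewGuid().ToString("N")))
        using (var b = OpenContainer("Cert-" + Guid.NewGuid().ToString("N")))
        {
            Console.WriteLine("Distinct containers, distinct keys: " + (a.ToXmlString(false) != b.ToXmlString(false)));
            a.PersistKeyInCsp = b.PersistKeyInCsp = false; // temp containers are removed on Dispose
        }
    }
}
```

Run it under a user account that can write to its own CSP key store; the first two checks print True, and the third shows why each certificate's key needs its own container name.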




©1998-2024 Eric Lawrence