SSL problem when database user requires X509

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for MySQL
Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Post by Shalex » Thu 09 Dec 2010 11:00

Sumit, I have forwarded your request to our sales department.

Devart
Site Admin
Posts: 3974
Joined: Tue 26 Oct 2004 13:51

Post by Devart » Thu 09 Dec 2010 13:53

Hello,

We have just resent you upgrade information.

For further assistance please contact our sales team.

Regards,
Devart Support

sumit
Posts: 62
Joined: Wed 03 Jan 2007 22:23

Post by sumit » Tue 25 Jan 2011 01:10

Thanks for getting us the upgraded version of the drivers.

Unfortunately, the problem still appears on Windows 7/2008 when the database requires X509. We are unable to connect to the database from the web process if the windows services start first thus creating the original problem with file permissions. Any suggestions?

Post by Shalex » Tue 25 Jan 2011 17:55

Please give us the following information:
1) the exact text of the error you are getting now. Does it occur on opening connection?
2) the current version of your dotConnect for MySQL (x.xx.xx). You can find it in the Tools > MySQL > About menu of Visual Studio;
3) the exact version, edition, and capacity of your operating systems (Windows 7 and Windows Server 2008);
4) the versions of your IIS and used ASP.NET.

Post by sumit » Wed 26 Jan 2011 02:11

1. Exception Details

Couldn't acquire crypto service provider context.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException:
Couldn't acquire crypto service provider context.

Source Error:

An unhandled exception was generated during the execution of the current web
request. Information regarding the origin and location of the exception can be
identified using the exception stack trace below.

Stack Trace:


[CryptographicException: Couldn't acquire crypto service provider context.]
Devart.Security.SSL.f.a(IAsyncResult A_0) +203
Devart.Security.SSL.f.a(Byte[] A_0, Int32 A_1, Int32 A_2, SocketFlags A_3)
+67
Devart.Security.SSL.y.a(Byte[] A_0, Int32 A_1, Int32 A_2) +21
Devart.Common.ak.a(Byte[] A_0, Int32 A_1, Int32 A_2) +49
Devart.Common.s.d(Byte[] A_0, Int32 A_1, Int32 A_2) +60

[MySqlException (0x80004005): Can't connect to MySQL server on 'localhost'
(10061): Authentication failed.]
Devart.Data.MySql.v.a(String A_0, String A_1, String A_2, String A_3, Int32
A_4, String A_5, Int32 A_6, SshOptions A_7, SslOptions A_8, ProxyOptions A_9,
MySqlHttpOptions A_10, HttpOptions A_11) +3694
Devart.Data.MySql.MySqlInternalConnection.Connect(MySqlConnection owner,
String userId, String password, String host, String database, Int32 port, Int32
connectionTimeout, MySqlProtocol protocol, Boolean compress, Boolean
clientInteractive) +650
Devart.Data.MySql.MySqlInternalConnection..ctor(p connectionOptions,
MySqlConnection owner) +113
Devart.Data.MySql.as.a(u A_0, Object A_1, DbConnectionBase A_2) +68
Devart.Common.DbConnectionFactory.a(DbConnectionPool A_0, u A_1,
DbConnectionBase A_2) +88
Devart.Common.DbConnectionPoolGroup.a(DbConnectionPool A_0, DbConnectionBase
A_1) +22
Devart.Common.DbConnectionPool.a(DbConnectionBase A_0) +45
Devart.Common.DbConnectionPool.GetObject(DbConnectionBase owningConnection)
+523
Devart.Common.DbConnectionFactory.a(DbConnectionBase A_0) +202
Devart.Common.DbConnectionClosed.Open(DbConnectionBase outerConnection) +138
Devart.Common.DbConnectionBase.Open() +149


2. Devart.Data.MySql version: 6.0.58.0

3. It is a dual core, 4GB RAM Windows 2008 64 bit machine. We saw the problem on Windows 7 Pro 64 bit machine as well.

4. IIS 7.0 (and IIS 7.5), ASP.Net 3.5

Post by Shalex » Fri 28 Jan 2011 17:29

sumit, could you please make sure that it is the 6.0.58 version of Devart.Data.MySql.dll that is loaded to the process of your application? Maybe, it still uses the previous version of our assembly. Notify us about the results. I cannot reproduce the problem at the moment.

Post by sumit » Fri 28 Jan 2011 19:44

We did more testing here. The problem shows up on Windows 2008 Standard 64bit and 32bit, Windows XP OS (possibly other operating systems) even without client SSL requirements.

Just enable SSL and the web process will run into problems, if you start a windows service that connects to the database before the web process.

I must insist that this is very important for us to get this thing resolved as soon as possible on Windows 2003, XP, Windows7 and 2008. 32 bit and 64 bit.

Please let me know what else you require from us. Thanks.

Here is the stack trace:

[CryptographicException: Couldn't acquire crypto service provider context.]
Devart.Security.SSL.f.a(IAsyncResult A_0) +203
Devart.Security.SSL.f.a(Byte[] A_0, Int32 A_1, Int32 A_2, SocketFlags A_3)
+67
Devart.Security.SSL.y.a(Byte[] A_0, Int32 A_1, Int32 A_2) +21
Devart.Common.ak.a(Byte[] A_0, Int32 A_1, Int32 A_2) +49
Devart.Common.s.d(Byte[] A_0, Int32 A_1, Int32 A_2) +60

[MySqlException (0x80004005): Can't connect to MySQL server on 'tp78' (10061):
Authentication failed.]
Devart.Data.MySql.v.a(String A_0, String A_1, String A_2, String A_3, Int32
A_4, String A_5, Int32 A_6, SshOptions A_7, SslOptions A_8, ProxyOptions A_9,
MySqlHttpOptions A_10, HttpOptions A_11) +3694
Devart.Data.MySql.MySqlInternalConnection.Connect(MySqlConnection owner,
String userId, String password, String host, String database, Int32 port, Int32
connectionTimeout, MySqlProtocol protocol, Boolean compress, Boolean
clientInteractive) +650
Devart.Data.MySql.MySqlInternalConnection..ctor(p connectionOptions,
MySqlConnection owner) +113
Devart.Data.MySql.as.a(u A_0, Object A_1, DbConnectionBase A_2) +68
Devart.Common.DbConnectionFactory.a(DbConnectionPool A_0, u A_1,
DbConnectionBase A_2) +88
Devart.Common.DbConnectionPoolGroup.a(DbConnectionPool A_0, DbConnectionBase
A_1) +22
Devart.Common.DbConnectionPool.a(DbConnectionBase A_0) +45
Devart.Common.DbConnectionPool.GetObject(DbConnectionBase owningConnection)
+530
Devart.Common.DbConnectionFactory.a(DbConnectionBase A_0) +202
Devart.Common.DbConnectionClosed.Open(DbConnectionBase outerConnection) +138
Devart.Common.DbConnectionBase.Open() +149
Devart.Data.MySql.MySqlConnection.Open() +209

Post by sumit » Fri 28 Jan 2011 19:46

Correct versions of the assemblies are getting loaded:

Loaded Assembly from GAC: "Devart.Data.MySql, Version=6.0.58.0, Culture=neutral, PublicKeyToken=09af7300eec23701". Location: C:\Windows\assembly\GAC_MSIL\Devart.Data.MySql\6.0.58.0__09af7300eec23701\Devart.Data.MySql.dll

Loaded Assembly from GAC: "Devart.Data, Version=5.0.159.0, Culture=neutral, PublicKeyToken=09af7300eec23701". Location: C:\Windows\assembly\GAC_MSIL\Devart.Data\5.0.159.0__09af7300eec23701\Devart.Data.dll

Post by sumit » Tue 01 Feb 2011 21:54

We need this issue resolved asap as we are really close to our release date.

It is the same issue. The web process (running as "Network Service") has no access on the file "9662578eb35f925aaa97e4941ca3d838_0d9c1178-8c0b-4510-8b36-8b990674bf28" in "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" when the file is not created by the web process.

On a fresh machine, if the component that runs as a windows service starts before the web service, the file is created by the windows service instead of the web service with limited permissions and the web process fails to read it.

All you need is SSL enabled (no client certs, no ca certs) to reproduce this problem.

Please update as soon as possible.

Post by sumit » Wed 02 Feb 2011 00:36

How is the key generated that is used to encrypt the data in SSL mode? Are you using some predefined hard coded key?

Post by Shalex » Wed 02 Feb 2011 18:15

1. We have reproduced the problem with SSL connection and Windows Service. We will investigate it and notify you about the results as soon as possible.
2. The key is generated dynamically (not predefined hard coded).

Post by sumit » Wed 02 Feb 2011 19:35

Thanks. We are waiting for a quick response.

Post by Shalex » Thu 03 Feb 2011 15:05

We have fixed the problem. A separate key will be created for every Windows account starting from the next build of dotConnect for MySQL. We are planning to release the new build in a week. Does this timeframe meet your requirements?

As a temporary workaround, please modify security permissions on the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9662578eb35f925aaa97e4941ca3d838_f9c7516d-7207-4fb5-a07c-13f1fe8986b5 file manually via its Properties > Security tab after it is created by your Windows Service: set the current owner to your current Windows user or Everyone, save properties and re-open the Properties window (the Security tab), set a new user - Everyone, and grant full control to it.
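
Added example, not part of the thread and not Devart's code: a PowerShell check of the key container file's owner and ACL that, where the web process account has no read entry of its own, grants that one account read access rather than giving Everyone full control. It assumes an elevated prompt and that read access is enough for the provider (the thread only says the web process fails to read the file); the file-name prefix is the one quoted in the posts, with a wildcard because the two posts show different suffixes.

```powershell
# Added example: inspect and narrowly repair the ACL on the key container file.
# Run elevated. Not code from the thread or from the vendor.
$keyDir  = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$pattern = '9662578eb35f925aaa97e4941ca3d838_*'    # prefix quoted in the thread
$account = 'NT AUTHORITY\NETWORK SERVICE'           # identity of the web process in the thread
# Assumption: read access is sufficient for the provider to open the key.
$rights  = [System.Security.AccessControl.FileSystemRights]::Read

# -Force because files in MachineKeys may carry hidden/system attributes.
foreach ($file in Get-ChildItem -Path $keyDir -Filter $pattern -Force) {
    $acl = Get-Acl -Path $file.FullName

    # Show who created the file (the owner) and what the ACL currently allows.
    '{0}  owner: {1}' -f $file.Name, $acl.Owner
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize |
        Out-String

    # Look for an allow entry that names the account directly and covers read.
    # Entries granted through groups (Users, Everyone) are not evaluated here.
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $rights) -eq $rights
    }

    if ($hasRead) {
        "$account already has $rights on $($file.Name)"
    }
    else {
        # Add a single read-only entry for the web process account.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, $rights, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $file.FullName -AclObject $acl
        "Granted $rights to $account on $($file.Name)"
    }
}
```

The owner column shows which process created the file first, which is the ordering condition described earlier in the thread.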

Post by sumit » Mon 07 Feb 2011 20:37

Shalex,

Thanks for the update. We are aware of the workaround but since we do not manage installations for our customers, it becomes a support burden for us.

We are discussing whether we want to introduce a new version of the drivers this late in the release cycle. In any case, please update once you have the new version so that we can at least start testing it.

Post by Shalex » Thu 10 Feb 2011 14:14

New build of dotConnect for MySQL 6.10.103 is available for download now!
It can be downloaded from http://www.devart.com/dotconnect/mysql/download.html (trial version) or from Registered Users' Area (for users with valid subscription only): http://secure.devart.com/ .
For more information, please refer to http://www.devart.com/forums/viewtopic.php?t=20225 .
