SSL Connection Error

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for MySQL
marks
Posts: 8
Joined: Mon 20 Jan 2014 19:52

SSL Connection Error

Post by marks » Mon 20 Jan 2014 22:45

I haven't gotten a response from support so I'll try here.
I'm trying to connect to MySQL Server 5.6 using SSL and .pem files similar to the devart docs example code. My app is an asp.net HttpHandler that connects to mysql. I am getting this error:
SSL connection error (2026): Cannot load client private key.
The inner exception says:
Devart.Security.v
Exception: Could not import the private key from the PVK file.


The docs show an example that uses .pem files for the certificates like this:

myConn.SslOptions.CACert = "file://D:\\Temp\\CA-cert.pem";
myConn.SslOptions.Cert = "file://D:\\Temp\\SSL-client-cert.pem";
myConn.SslOptions.Key = "file://D:\\Temp\\SSL-client-key.pem";

My .pem files work ok when I use them to connect to the MySQL server from a MySQL command prompt, so I think the certificates are ok. I specify the path to my certs in the C# code and it seems they are being found, but I get the error about importing the private key.

Since the error message says it could not import from a .pvk file, do I need to have the client cert and key in a different format?

I'm using:
Windows 8.1, VS2012, IIS 8.5, dotConnect 8.2.80, MySQL v 5.6, Asp.Net v4.

Here is the stack trace:
Exception Type: Devart.Data.MySql.MySqlException
Exception: SSL connection error (2026):
Cannot load client private key.
Source: Devart.Data.MySql
Stack Trace: at Devart.Data.MySql.s.a(String A_0, String A_1, String A_2, String A_3, Int32 A_4, String A_5, Int32 A_6, SshOptions A_7, SslOptions A_8, ProxyOptions A_9, MySqlHttpOptions A_10, HttpOptions A_11)
at Devart.Data.MySql.MySqlInternalConnection.Connect(MySqlConnection owner, String userId, String password, String host, String database, Int32 port, Int32 connectionTimeout, MySqlProtocol protocol, Boolean compress, Boolean clientInteractive)
at Devart.Data.MySql.ay.a(as A_0, Object A_1, DbConnectionBase A_2)
at Devart.Common.DbConnectionFactory.a(DbConnectionPool A_0, as A_1, DbConnectionBase A_2)
at Devart.Common.DbConnectionPool.a(DbConnectionBase A_0)
at Devart.Common.DbConnectionPool.GetObject(DbConnectionBase owningConnection)
at Devart.Common.DbConnectionFactory.b(DbConnectionBase A_0)
at Devart.Common.DbConnectionClosed.Open(DbConnectionBase outerConnection)
at Devart.Common.DbConnectionBase.Open()
at Devart.Data.MySql.MySqlConnection.m()
-snip-
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
--Inner Exception: Devart.Security.v
Exception: Could not import the private key from the PVK file.
Source: Devart.Data.MySql
Stack Trace: at Devart.Security.ae.a(Byte[] A_0)
at Devart.Security.ae.h(String A_0)
at Devart.Common.ao.a(String A_0, String A_1)

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: SSL Connection Error

Post by Pinturiccio » Tue 21 Jan 2014 14:59

We could not reproduce the issue. Please try performing this code with another set of client certificates ca-cert.pem, client-cert.pem, and client-key.pem to find out the reason of the issue. If you don't have another set of client certificates, you can use the certificates that we have sent you by email. Please check whether you get the same error with another set of client certificates.

Please also create a simple console application that connects to your server via SSL and tell us the results of performing your application with your client certificates and with other client certificates.

marks
Posts: 8
Joined: Mon 20 Jan 2014 19:52

Re: SSL Connection Error

Post by marks » Tue 21 Jan 2014 17:47

I tried using the .pem files you sent and got the same results. I just now tried copying the app over to my Win7 machine and ran it there and it worked (using my .pem files). So it seems the same code works on Windows 7 but not on Windows 8.1. My app is an asp.net httphandler so it could also be related to the IIS version. Here are the versions from my two machines:
  • Windows 8.1 Pro 64bit, version 6.3.9600
    VS2012 Pro version 11.0.61030.00 Update 4
    IIS 7.5
    .Net Framework Version 4.5.51641

  • Windows 7 Ultimate 64bit Version 6.1.7601
    VS2012 Pro version 11.0.61030.00 Update 4
    IIS 8.5
    .Net Framework Version 4.5.50709

The project targets .Net Framework 4.

I'll try to create a console app soon to test on both machines. I wonder if it is a security-related problem involving IIS and the app pool identity.

marks
Posts: 8
Joined: Mon 20 Jan 2014 19:52

Re: SSL Connection Error

Post by marks » Wed 22 Jan 2014 00:42

I created a console app and used my certificates. When I run the app in debug mode inside VS2012, I get the same error as before: "Cannot load client private key". If I open a command prompt and run this same console exe located in the project's bin\debug directory, it is able to connect over SSL without errors. This is on Windows 8.1.

So the console app exe works running outside VS2012, but not within the IDE in debug mode. Are you able to reproduce this?

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: SSL Connection Error

Post by Pinturiccio » Thu 23 Jan 2014 15:25

Please try performing the following:
1. Open the C:\Users\<windows user name>\AppData\Roaming\Microsoft\Crypto\RSA folder, (substitute your Windows user name for <windows user name>);
2. Remove all the files in this folder;
3. Restart your application. Does it work?
4. If no, please check which folders are created in the RSA folder, and access rights of users, that run Visual Studio and IIS, to these folders.

marks
Posts: 8
Joined: Mon 20 Jan 2014 19:52

Re: SSL Connection Error

Post by marks » Thu 23 Jan 2014 18:38

I tried deleting the contents of my user RSA folder, but still got the same error.
I'm running VS2012 as Administrator. I tried running ProcessMonitor and looking for 'Access Denied' results but didn't see any.

I'm running the app using the IIS DefaultAppPool which is configured to run with identity 'AppPoolIdentity'. While looking at the Advanced Settings for this app pool in IIS Manager, I tried setting 'Enable 32-Bit Applications' to True. This fixed the problem, the app will run in the VS2012 debugger and connect over SSL.

It seems like I shouldn't have to do this though, since I'm on a 64bit machine. It works on my 64bit Win7 machine without needing to set the app pool to 'enable 32 bit'. I have openssl light 1.0.1e on the Win7 machine, and 1.0.1f on the Win8 machine.
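
A console check along the lines support asked for earlier in the thread, extended to print the process bitness and account that this post found to matter, and to classify the key file by its PEM header. It is an added example, not code from the thread or from Devart; the host, credentials and `D:\Temp` paths are placeholders, and the `protocol=SSL` connection-string form is assumed from the dotConnect documentation.

```csharp
// Added diagnostic sketch; not code from the thread or from Devart.
using System;
using System.IO;
using System.Linq;
using Devart.Data.MySql;

static class SslKeyDiag
{
    // Classify the PEM private key by its header line only.
    static string KeyFormat(string path)
    {
        string header = File.ReadLines(path)
            .FirstOrDefault(l => l.StartsWith("-----BEGIN ")) ?? "";
        if (header.Contains("ENCRYPTED PRIVATE KEY")) return "PKCS#8, encrypted";
        if (header.Contains("RSA PRIVATE KEY")) return "PKCS#1 RSA (traditional)";
        if (header.Contains("BEGIN PRIVATE KEY")) return "PKCS#8, unencrypted";
        return "unrecognised header: " + header;
    }

    static int Main(string[] args)
    {
        // Placeholder directory: pass your own as the first argument.
        string dir = args.Length > 0 ? args[0] : @"D:\Temp";
        string key = Path.Combine(dir, "SSL-client-key.pem");

        // Run once as x64 and once as x86 (or under each app pool setting) and compare.
        Console.WriteLine("64-bit process: {0} (64-bit OS: {1})",
            Environment.Is64BitProcess, Environment.Is64BitOperatingSystem);
        Console.WriteLine("Running as:     {0}\\{1}",
            Environment.UserDomainName, Environment.UserName);
        Console.WriteLine("Key format:     {0}", KeyFormat(key));

        // Placeholder host and credentials (assumed connection-string form).
        using (var conn = new MySqlConnection(
            "host=db.example.test;protocol=SSL;user id=app;password=CHANGE_ME;database=test"))
        {
            conn.SslOptions.CACert = "file://" + Path.Combine(dir, "CA-cert.pem");
            conn.SslOptions.Cert = "file://" + Path.Combine(dir, "SSL-client-cert.pem");
            conn.SslOptions.Key = "file://" + key;
            try
            {
                conn.Open();
                Console.WriteLine("SSL connect OK, server " + conn.ServerVersion);
                return 0;
            }
            catch (MySqlException ex)
            {
                // Walk the chain so the inner "Could not import the private key" text is shown.
                for (Exception e = ex; e != null; e = e.InnerException)
                    Console.WriteLine("{0}: {1}", e.GetType().FullName, e.Message);
                return 1;
            }
        }
    }
}
```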

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: SSL Connection Error

Post by Pinturiccio » Fri 24 Jan 2014 16:05

We have reproduced the issue. We will investigate it and post here about the results as soon as possible.

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: SSL Connection Error

Post by Pinturiccio » Wed 12 Feb 2014 16:07

We have fixed the bug with SSL connections in x64 applications. We will post here when the corresponding build of dotConnect for MySQL is available for download.

marks
Posts: 8
Joined: Mon 20 Jan 2014 19:52

Re: SSL Connection Error

Post by marks » Wed 12 Feb 2014 20:34

Ok, thanks for the update.

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: SSL Connection Error

Post by Pinturiccio » Tue 18 Feb 2014 16:31

New build of dotConnect for MySQL 8.2.103 is available for download now!
It can be downloaded from http://www.devart.com/dotconnect/mysql/download.html (trial version) or from Registered Users' Area (for users with valid subscription only).
For more information, please refer to http://forums.devart.com/viewtopic.php?t=28966
