MS-Mice DTLS Handshake fails after Flight 4

R2G2 1 Reputation point
2022-12-02T12:16:27.093+00:00

Hi,
I am having trouble performing the DTLS handshake as part of stream encryption in Ms-Mice. After Flight 4 (ref: RFC6347): which includes: ServerHello, Certificate, ServerKeyExchange, CertificateRequest and ServerHelloDone the client closes the socket. I am not able to find any useful information in Event Viewer. Tried a couple of certificate types without any luck. Tried using the same certificate parameters as used in a successful connection between two windows laptops as well (ecdsa-with-sha1). I am assuming that the certificates can be self signed as I read this in an other forum post. Are there more debugging tools I can use? Are there more requirements to the certificates other than that stated in the documentation?
Update:
Found " [CERT_TRUST_IS_UNTRUSTED_ROOT] true" in the CAPI2 event logs. Should the certificate be signed?

Windows Open Specifications
Windows Open Specifications
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Open Specifications: Technical documents for protocols, computer languages, standards support, and data portability. The goal with Open Specifications is to help developers open new opportunities to interoperate with Windows, SQL, Office, and SharePoint.
42 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Obaid Farooqi MSFT 591 Reputation points Microsoft Employee
    2022-12-07T18:45:12.12+00:00

    Hi @R2G2
    I need more info on your inquiry. Can you please send an email to dochelp at microsoft dot com to my attention so that we can communicate over email?

    Regards,
    Obaid Farooqi -MSFT

    0 comments No comments

  2. R2G2 1 Reputation point
    2023-01-20T17:24:08.5533333+00:00

    Self-signed certificates are indeed allowed. The reason the windows client closed the socket was due to the certificateRequest message. This message is optional, but should not be used in this case. In OpenSSL this is simply done by setting mode = SSL_VERIFY_NONE using SSL_CTX_set_verify.

    0 comments No comments

  3. Obaid Farooqi MSFT 591 Reputation points Microsoft Employee
    2023-01-20T17:54:22.7033333+00:00

    Forum update:

    I worked with the R2G2 via email and this issue is now resolved.

    The problem was that R2G2's server was sending certificate request which Windows DTLS server does not. Removing certificate request resolved the issue.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.