
Allow TLS to have custom server validation

Open cskardon opened this issue 9 years ago • 5 comments

Hi,

I'd like to be able to pass in a custom ServerValidationCallback to the ConnectAsync method - so I can validate certificates in another way. Specifically for test scenarios - so (as an example):

var client = new TcpSocketClient();
// Hypothetical fourth argument: a RemoteCertificateValidationCallback passed through to the TLS handshake.
await client.ConnectAsync("localhost", 8888, true, ServerValidationCallback);
/* Blah */

// Test-only callback: accepts any server certificate, so it disables validation entirely.
private bool ServerValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    return true;
}

Would you be amenable to this? (or am I missing something fundamental!??!) If so let me know and I'll pull together a pull request... My main issue is that I can't build all the projects as I don't have Xamarin so I can't confirm I'd have it done for all the projects....

Cheers

cskardon, Jan 28 '16 14:01

Howdy - I'm definitely open to a custom validation callback; the challenge is that in order to get it into the API it needs to be able to apply to both the .NET and WinRT platforms. TLS support was provided by a contributor, so I'm not familiar with the mechanisms for WinRT off the top of my head. I'll take a look, but if it doesn't line up nicely, it may require you to write the validation code in your platform project(s) to achieve the same.

Alternatively, for a common case (like disabling validation as you mentioned), it might be possible to surface this at the API level (rather than give the user the ability to write it themselves);

I'll look into it! :thought_balloon:

rdavisau, Jan 30 '16 22:01

Hullo!

That's great news, I believe both .NET and RT can cope with byte arrays etc, and in essence that's all the X509Certificate is - a collection of byte arrays. From a 'personal usage' point of view, I'm actually interested in getting the Hash of a given certificate, for some custom validation required (which is just a string in this case). But I'm wary of putting a pull request in that caters for just my view.

Equally - I'm not sure how far to take it, and what best fits in with your style/code.. My current thought would be to have an 'IX509Certificate' which is in essence a wrapper around the certificate, but in a friendly way that only requires the basic .NET types, something like:

// Sketch only: a platform-neutral wrapper exposing the certificate through basic .NET types.
public interface IX509Certificate {
    string Hash { get; }
    /* More */
}

public class SocketsX509Certificate : IX509Certificate {
    public string Hash { get; set; }
    /* More */
}

and having the custom validation use that instead.

I'll be honest, I'm not 100% au fait with how well that could work, or if it's practical (also I've typed in properties above which are purely from memory, and would be different in reality!)

cskardon, Feb 01 '16 08:02
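An added example, not sockets-for-pcl code, of what the callback in the first post and the hash-based check in the second look like on plain System.Net.Security.SslStream (which is also the real shape behind the "IgnoreSSLErrors for debugging" request further down). It assumes .NET Core 2.0 / .NET 5 or later for CertificateRequest and RSA.Create(int); the class names TlsValidation, PinnedTo and ConnectAsync are invented for the example. It shows the accept-all callback beside a pinning callback that keys on a SHA-256 thumbprint, and drives both with a constructed self-signed certificate so it runs offline.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example (not the library's code): server certificate validation
// callbacks for a TLS client built on System.Net.Security.SslStream.
public static class TlsValidation
{
    // Hex SHA-256 over the certificate's DER bytes, uppercase, no separators.
    // Computed by hand so it works on frameworks without a SHA-256 thumbprint API.
    public static string Sha256Thumbprint(X509Certificate certificate)
    {
        using (var sha256 = SHA256.Create())
        {
            byte[] digest = sha256.ComputeHash(certificate.GetRawCertData());
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // The callback from the first post: accepts anything. Leaving this in a
    // release build turns TLS into an unauthenticated channel.
    public static bool AcceptAll(object sender, X509Certificate certificate,
                                 X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }

    // Pinning callback: accept a certificate whose SHA-256 thumbprint is in the
    // expected set even when the chain fails (self-signed test servers, devices
    // with private CAs). Anything else must pass the platform's own validation.
    public static RemoteCertificateValidationCallback PinnedTo(params string[] expectedThumbprints)
    {
        var pins = new HashSet<string>(expectedThumbprints, StringComparer.OrdinalIgnoreCase);
        return (sender, certificate, chain, sslPolicyErrors) =>
        {
            if (certificate == null) return false;
            if (pins.Contains(Sha256Thumbprint(certificate))) return true;
            return sslPolicyErrors == SslPolicyErrors.None;
        };
    }

    // How the callback reaches the handshake on plain System.Net: the third
    // SslStream constructor argument is the RemoteCertificateValidationCallback.
    public static async Task<SslStream> ConnectAsync(string host, int port,
        RemoteCertificateValidationCallback validate)
    {
        var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);
        var tls = new SslStream(tcp.GetStream(), false, validate);
        await tls.AuthenticateAsClientAsync(host);
        return tls;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed self-signed certificate standing in for a test server.
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=localhost", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                                   DateTimeOffset.UtcNow.AddDays(1)))
            {
                string pin = TlsValidation.Sha256Thumbprint(cert);
                // A self-signed certificate yields chain errors from the platform.
                var errors = SslPolicyErrors.RemoteCertificateChainErrors;

                var pinned = TlsValidation.PinnedTo(pin);
                var wrongPin = TlsValidation.PinnedTo(new string('0', 64));

                Console.WriteLine("thumbprint     : " + pin);
                Console.WriteLine("accept-all     : " + TlsValidation.AcceptAll(null, cert, null, errors));
                Console.WriteLine("pinned (match) : " + pinned(null, cert, null, errors));
                Console.WriteLine("pinned (wrong) : " + wrongPin(null, cert, null, errors));
            }
        }
    }
}
```

The pinning callback keeps the platform's chain validation as the default path and only overrides it for an explicitly listed thumbprint, so a debug flag can be expressed as "pin the test server's certificate" rather than "ignore all errors". To use it against a live server, pass `TlsValidation.PinnedTo(...)` as the callback to `TlsValidation.ConnectAsync(host, port, ...)`.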

Hi

Was any more consideration put into this? I could do with this too, or perhaps just an IgnoreSSLErrors flag for debugging?

thanks

mannyvw, Apr 18 '16 15:04

I would also be very interested in this. I am planning to use the library to talk with Chromecasts, and they have invalid SSL certificates.

Tapanila, Aug 30 '16 17:08

Bump

gcadmes, Dec 16 '16 15:12