@@ -37,6 +37,7 @@ namespace MQTTnet.Implementations | |||||
{ | { | ||||
_socket = socket ?? throw new ArgumentNullException(nameof(socket)); | _socket = socket ?? throw new ArgumentNullException(nameof(socket)); | ||||
_sslStream = sslStream; | _sslStream = sslStream; | ||||
CreateStreams(socket, sslStream); | CreateStreams(socket, sslStream); | ||||
} | } | ||||
@@ -55,8 +56,7 @@ namespace MQTTnet.Implementations | |||||
if (_options.TlsOptions.UseTls) | if (_options.TlsOptions.UseTls) | ||||
{ | { | ||||
_sslStream = new SslStream(new NetworkStream(_socket, true)); | |||||
_sslStream = new SslStream(new NetworkStream(_socket, true), false, UserCertificateValidationCallback); | |||||
await _sslStream.AuthenticateAsClientAsync(_options.Server, LoadCertificates(_options), SslProtocols.Tls12, _options.TlsOptions.CheckCertificateRevocation).ConfigureAwait(false); | await _sslStream.AuthenticateAsClientAsync(_options.Server, LoadCertificates(_options), SslProtocols.Tls12, _options.TlsOptions.CheckCertificateRevocation).ConfigureAwait(false); | ||||
} | } | ||||
@@ -97,6 +97,16 @@ namespace MQTTnet.Implementations | |||||
ReceiveStream = new BufferedStream(RawReceiveStream, BufferSize); | ReceiveStream = new BufferedStream(RawReceiveStream, BufferSize); | ||||
} | } | ||||
private bool UserCertificateValidationCallback(object sender, X509Certificate x509Certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) | |||||
{ | |||||
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0) | |||||
{ | |||||
return _options.TlsOptions.IgnoreCertificateChainErrors; | |||||
} | |||||
return false; | |||||
} | |||||
private static X509CertificateCollection LoadCertificates(MqttClientOptions options) | private static X509CertificateCollection LoadCertificates(MqttClientOptions options) | ||||
{ | { | ||||
var certificates = new X509CertificateCollection(); | var certificates = new X509CertificateCollection(); | ||||
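Review bot: UserCertificateValidationCallback, as added in the third hunk, returns false when sslPolicyErrors is SslPolicyErrors.None, so a broker certificate that validates cleanly is rejected and the TLS handshake on this path fails unless chain errors happen to be present; the callback needs an explicit accept for the no-error case before anything else. When the option is set the opposite problem appears: a result carrying RemoteCertificateChainErrors together with RemoteCertificateNameMismatch or RemoteCertificateNotAvailable also returns IgnoreCertificateChainErrors, so a chain error would waive a hostname mismatch as well. Mask out the chain bit and require nothing else to remain, so that only chain errors are ever ignored, and say so in a comment since the `chain` parameter is deliberately unused.
```csharp
private bool UserCertificateValidationCallback(object sender, X509Certificate x509Certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // A clean validation result must be accepted.
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;
    }

    // Only chain errors may be waived by the option; a hostname mismatch or a
    // missing certificate is never acceptable, even when chain errors are ignored.
    var nonChainErrors = sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors;
    return nonChainErrors == SslPolicyErrors.None && _options.TlsOptions.IgnoreCertificateChainErrors;
}
```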
@@ -51,7 +51,7 @@ namespace MQTTnet.Implementations | |||||
if (_options.TlsOptions.UseTls) | if (_options.TlsOptions.UseTls) | ||||
{ | { | ||||
_sslStream = new SslStream(new NetworkStream(_socket, true)); | |||||
_sslStream = new SslStream(new NetworkStream(_socket, true), false, UserCertificateValidationCallback); | |||||
ReceiveStream = _sslStream; | ReceiveStream = _sslStream; | ||||
await _sslStream.AuthenticateAsClientAsync(_options.Server, LoadCertificates(_options), SslProtocols.Tls12, _options.TlsOptions.CheckCertificateRevocation).ConfigureAwait(false); | await _sslStream.AuthenticateAsClientAsync(_options.Server, LoadCertificates(_options), SslProtocols.Tls12, _options.TlsOptions.CheckCertificateRevocation).ConfigureAwait(false); | ||||
} | } | ||||
@@ -76,6 +76,16 @@ namespace MQTTnet.Implementations | |||||
_sslStream = null; | _sslStream = null; | ||||
} | } | ||||
private bool UserCertificateValidationCallback(object sender, X509Certificate x509Certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) | |||||
{ | |||||
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0) | |||||
{ | |||||
return _options.TlsOptions.IgnoreCertificateChainErrors; | |||||
} | |||||
return false; | |||||
} | |||||
private static X509CertificateCollection LoadCertificates(MqttClientOptions options) | private static X509CertificateCollection LoadCertificates(MqttClientOptions options) | ||||
{ | { | ||||
var certificates = new X509CertificateCollection(); | var certificates = new X509CertificateCollection(); | ||||
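Review bot: The UserCertificateValidationCallback added in the second hunk of this file has the same defect as its twin in the other channel implementation: it returns false for SslPolicyErrors.None, rejecting every certificate that validates cleanly, and it returns IgnoreCertificateChainErrors even when a name mismatch is reported alongside chain errors. Add `if (sslPolicyErrors == SslPolicyErrors.None) return true;` at the top and replace the remainder with `return (sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.None && _options.TlsOptions.IgnoreCertificateChainErrors;` so only chain errors can ever be waived. Since the method is duplicated verbatim across the two channel classes, a shared helper in the options type would keep the two from drifting.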
@@ -24,6 +24,7 @@ namespace MQTTnet.Implementations | |||||
public MqttTcpChannel(StreamSocket socket) | public MqttTcpChannel(StreamSocket socket) | ||||
{ | { | ||||
_socket = socket ?? throw new ArgumentNullException(nameof(socket)); | _socket = socket ?? throw new ArgumentNullException(nameof(socket)); | ||||
CreateStreams(); | CreateStreams(); | ||||
} | } | ||||
@@ -48,8 +49,13 @@ namespace MQTTnet.Implementations | |||||
if (!_options.TlsOptions.CheckCertificateRevocation) | if (!_options.TlsOptions.CheckCertificateRevocation) | ||||
{ | { | ||||
_socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.IncompleteChain); | |||||
_socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.RevocationInformationMissing); | _socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.RevocationInformationMissing); | ||||
_socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.Revoked); | |||||
} | |||||
if (_options.TlsOptions.IgnoreCertificateChainErrors) | |||||
{ | |||||
_socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.IncompleteChain); | |||||
} | } | ||||
await _socket.ConnectAsync(new HostName(_options.Server), _options.GetPort().ToString(), SocketProtectionLevel.Tls12); | await _socket.ConnectAsync(new HostName(_options.Server), _options.GetPort().ToString(), SocketProtectionLevel.Tls12); | ||||
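Review bot: The new `IgnorableServerCertificateErrors.Add(ChainValidationResult.Revoked)` under `!CheckCertificateRevocation` accepts a certificate the platform has positively determined to be revoked, which is stronger than merely not performing the check; the SslStream-based channels pass `checkCertificateRevocation: false` and so never learn of revocation, which is presumably the behaviour being mirrored here, but that reasoning belongs in a comment such as `// Without revocation checking a revoked cert cannot be distinguished from an unchecked one, so Revoked is waived here to mirror the SslStream channels.`. Separately, `IgnoreCertificateChainErrors` on this platform waives only IncompleteChain, whereas on the other channels the same option waives everything under SslPolicyErrors.RemoteCertificateChainErrors (untrusted root, expired), so a self-signed broker that the option accepts elsewhere will presumably still be rejected here; either add the matching ChainValidationResult values (Untrusted, Expired) or document that the option is narrower on this platform. The surrounding method starts before and ends after this hunk.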
@@ -8,6 +8,8 @@ namespace MQTTnet.Core.Client | |||||
public bool CheckCertificateRevocation { get; set; } | public bool CheckCertificateRevocation { get; set; } | ||||
public bool IgnoreCertificateChainErrors { get; set; } | |||||
public List<byte[]> Certificates { get; set; } | public List<byte[]> Certificates { get; set; } | ||||
} | } | ||||
} | } |
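Review bot: The new `IgnoreCertificateChainErrors` property has no documentation, and its effect is to disable server authentication on the chain side (untrusted or self-signed roots, expired certificates), which a caller should not discover by reading the channel implementations. Add an XML doc comment above it, e.g. `/// <summary>Accepts broker certificates whose chain fails validation (untrusted root, expired, self-signed). Disables chain verification of the broker; intended for development only.</summary>`. A matching warning on `CheckCertificateRevocation` stating that disabling it also prevents a revoked certificate from being rejected would make the two options read consistently.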