
Add support for ignored certificate chain errors (Self signed)

release/3.x.x
Christian Kratky 7 years ago
parent
commit
4c4539509c
5 changed files with 32 additions and 4 deletions
  1. +12
    -2
      Frameworks/MQTTnet.NetFramework/Implementations/MqttTcpChannel.cs
  2. +11
    -1
      Frameworks/MQTTnet.NetStandard/Implementations/MqttTcpChannel.cs
  3. +7
    -1
      Frameworks/MQTTnet.UniversalWindows/Implementations/MqttTcpChannel.cs
  4. BIN
     
  5. +2
    -0
      MQTTnet.Core/Client/MqttClientTlsOptions.cs

+ 12
- 2
Frameworks/MQTTnet.NetFramework/Implementations/MqttTcpChannel.cs

@@ -37,6 +37,7 @@ namespace MQTTnet.Implementations
{ {
_socket = socket ?? throw new ArgumentNullException(nameof(socket)); _socket = socket ?? throw new ArgumentNullException(nameof(socket));
_sslStream = sslStream; _sslStream = sslStream;

CreateStreams(socket, sslStream); CreateStreams(socket, sslStream);
} }


@@ -55,8 +56,7 @@ namespace MQTTnet.Implementations


if (_options.TlsOptions.UseTls) if (_options.TlsOptions.UseTls)
{ {
_sslStream = new SslStream(new NetworkStream(_socket, true));
_sslStream = new SslStream(new NetworkStream(_socket, true), false, UserCertificateValidationCallback);
await _sslStream.AuthenticateAsClientAsync(_options.Server, LoadCertificates(_options), SslProtocols.Tls12, _options.TlsOptions.CheckCertificateRevocation).ConfigureAwait(false); await _sslStream.AuthenticateAsClientAsync(_options.Server, LoadCertificates(_options), SslProtocols.Tls12, _options.TlsOptions.CheckCertificateRevocation).ConfigureAwait(false);
} }


@@ -97,6 +97,16 @@ namespace MQTTnet.Implementations
ReceiveStream = new BufferedStream(RawReceiveStream, BufferSize); ReceiveStream = new BufferedStream(RawReceiveStream, BufferSize);
} }


private bool UserCertificateValidationCallback(object sender, X509Certificate x509Certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
return _options.TlsOptions.IgnoreCertificateChainErrors;
}

return false;
}

private static X509CertificateCollection LoadCertificates(MqttClientOptions options) private static X509CertificateCollection LoadCertificates(MqttClientOptions options)
{ {
var certificates = new X509CertificateCollection(); var certificates = new X509CertificateCollection();
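Review bot: The new UserCertificateValidationCallback returns false when sslPolicyErrors is SslPolicyErrors.None, so a server certificate that passes validation is rejected and every TLS handshake on this platform fails; the identical body in the NetStandard MqttTcpChannel.cs section has the same problem. It also returns the IgnoreCertificateChainErrors flag as soon as the chain bit is set without looking at the other bits, so with the option enabled a RemoteCertificateNameMismatch or RemoteCertificateNotAvailable result is accepted together with the chain error. Masking only the chain bit and requiring the rest to be clean fixes both: `var remaining = _options.TlsOptions.IgnoreCertificateChainErrors ? sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors : sslPolicyErrors;` followed by `return remaining == SslPolicyErrors.None;`. Since enabling the option means the presented certificate's trust chain is not verified at all, a comment on the callback saying so would help maintainers.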


+ 11
- 1
Frameworks/MQTTnet.NetStandard/Implementations/MqttTcpChannel.cs

@@ -51,7 +51,7 @@ namespace MQTTnet.Implementations


if (_options.TlsOptions.UseTls) if (_options.TlsOptions.UseTls)
{ {
_sslStream = new SslStream(new NetworkStream(_socket, true));
_sslStream = new SslStream(new NetworkStream(_socket, true), false, UserCertificateValidationCallback);
ReceiveStream = _sslStream; ReceiveStream = _sslStream;
await _sslStream.AuthenticateAsClientAsync(_options.Server, LoadCertificates(_options), SslProtocols.Tls12, _options.TlsOptions.CheckCertificateRevocation).ConfigureAwait(false); await _sslStream.AuthenticateAsClientAsync(_options.Server, LoadCertificates(_options), SslProtocols.Tls12, _options.TlsOptions.CheckCertificateRevocation).ConfigureAwait(false);
} }
@@ -76,6 +76,16 @@ namespace MQTTnet.Implementations
_sslStream = null; _sslStream = null;
} }


private bool UserCertificateValidationCallback(object sender, X509Certificate x509Certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
{
return _options.TlsOptions.IgnoreCertificateChainErrors;
}

return false;
}

private static X509CertificateCollection LoadCertificates(MqttClientOptions options) private static X509CertificateCollection LoadCertificates(MqttClientOptions options)
{ {
var certificates = new X509CertificateCollection(); var certificates = new X509CertificateCollection();


+ 7
- 1
Frameworks/MQTTnet.UniversalWindows/Implementations/MqttTcpChannel.cs

@@ -24,6 +24,7 @@ namespace MQTTnet.Implementations
public MqttTcpChannel(StreamSocket socket) public MqttTcpChannel(StreamSocket socket)
{ {
_socket = socket ?? throw new ArgumentNullException(nameof(socket)); _socket = socket ?? throw new ArgumentNullException(nameof(socket));

CreateStreams(); CreateStreams();
} }


@@ -48,8 +49,13 @@ namespace MQTTnet.Implementations


if (!_options.TlsOptions.CheckCertificateRevocation) if (!_options.TlsOptions.CheckCertificateRevocation)
{ {
_socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.IncompleteChain);
_socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.RevocationInformationMissing); _socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.RevocationInformationMissing);
_socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.Revoked);
}

if (_options.TlsOptions.IgnoreCertificateChainErrors)
{
_socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.IncompleteChain);
} }


await _socket.ConnectAsync(new HostName(_options.Server), _options.GetPort().ToString(), SocketProtectionLevel.Tls12); await _socket.ConnectAsync(new HostName(_options.Server), _options.GetPort().ToString(), SocketProtectionLevel.Tls12);
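Review bot: The added `_socket.Control.IgnorableServerCertificateErrors.Add(ChainValidationResult.Revoked);` inside the `!CheckCertificateRevocation` branch makes a certificate the platform has positively determined to be revoked acceptable, which is broader than the option name suggests. On the other two platforms the same option is passed as the checkCertificateRevocation argument of AuthenticateAsClientAsync, which only skips the revocation lookup, so ignoring RevocationInformationMissing alone is the closest equivalent here and I would drop the Revoked line. Separately, the new IgnoreCertificateChainErrors branch ignores only IncompleteChain, while the desktop callbacks ignore every RemoteCertificateChainErrors condition; if the goal is self-signed certificates, it is presumably ChainValidationResult.Untrusted that has to be covered on this platform, and the per-platform difference should be stated on the option either way.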


BIN


+ 2
- 0
MQTTnet.Core/Client/MqttClientTlsOptions.cs

@@ -8,6 +8,8 @@ namespace MQTTnet.Core.Client


public bool CheckCertificateRevocation { get; set; } public bool CheckCertificateRevocation { get; set; }


public bool IgnoreCertificateChainErrors { get; set; }

public List<byte[]> Certificates { get; set; } public List<byte[]> Certificates { get; set; }
} }
} }
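Review bot: The new IgnoreCertificateChainErrors property has no XML documentation, although it switches off the trust-chain check of the server certificate and its exact effect differs between the three channel implementations in this commit. Suggested comment above the property: `/// <summary>When true, the client accepts a server certificate whose trust chain cannot be validated (for example a self-signed certificate); which chain conditions are ignored is platform-dependent. Default is false.</summary>`. A matching `<summary>` on CheckCertificateRevocation would make the two options easier to tell apart.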
