
Custom validation callback for server certificates in SslStream does not work #7641

Closed
omghb opened this issue Dec 15, 2022 · 4 comments · Fixed by dotnet/runtime#77386
Labels
Area: HTTP Issues with sockets / HttpClient.

Comments

@omghb

omghb commented Dec 15, 2022

Android application type

Android for .NET (net6.0-android, etc.)

Affected platform version

VS 2022 17.4.3 with MAUI

Description

Using SslStream with a userCertificateValidationCallback does not work on Android.

But it works on

  • iOS
  • Windows.

The same issue was already resolved for HTTP handlers. See PR: Use custom validation callback for server certificates in HTTP handlers #6665

Steps to Reproduce

Just use this ctor with a userCertificateValidationCallback that allows a self-signed certificate to pass.

SslStream(Stream, Boolean, RemoteCertificateValidationCallback)

Did you find any workaround?

Workaround: https://stackoverflow.com/a/71196389

Relevant log output

Android exception that is thrown when a self-signed certificate should be accepted by the SslStream:

[System.err] javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[System.err] 	at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:363)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
[System.err] 	at com.android.org.conscrypt.Java8EngineWrapper.unwrap(Java8EngineWrapper.java:237)
[System.err] Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[System.err] 	at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:656)
[System.err] 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
[System.err] 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
[System.err] 	at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:368)
[System.err] 	at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:102)
[System.err] 	at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:106)
[System.err] 	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:255)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
[System.err] 	at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
[System.err] 	at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataHeap(ConscryptEngine.java:1115)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1087)
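An added example (not code from the issue or from the dotnet/android project) of the ctor named above used with a RemoteCertificateValidationCallback that accepts exactly one known self-signed server certificate, pinned by SHA-256 fingerprint, instead of waving every certificate through; the fingerprint constant and the PinnedSslClient/ConnectAsync names are placeholders of this example.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class PinnedSslClient
{
    // Placeholder: SHA-256 fingerprint (hex) of the self-signed server certificate the app expects.
    const string ExpectedSha256Fingerprint = "<SHA256-HEX-FINGERPRINT-OF-YOUR-SERVER-CERT>";

    // Accept only the pinned self-signed certificate. The chain error that a self-signed
    // certificate always produces is tolerated; every other policy error (name mismatch,
    // missing certificate, ...) and every other certificate is rejected.
    static bool ValidateServerCertificate(object sender, X509Certificate? certificate,
        X509Chain? chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate is null)
            return false;

        // Only RemoteCertificateChainErrors is expected for a self-signed cert; anything else fails.
        const SslPolicyErrors tolerated = SslPolicyErrors.RemoteCertificateChainErrors;
        if ((sslPolicyErrors & ~tolerated) != SslPolicyErrors.None)
            return false;

        // Pin on the certificate hash rather than on subject name or issuer, which an attacker can copy.
        string actual = certificate.GetCertHashString(HashAlgorithmName.SHA256);
        return string.Equals(actual, ExpectedSha256Fingerprint, StringComparison.OrdinalIgnoreCase);
    }

    // Opens a TCP connection and wraps it in the SslStream(Stream, Boolean,
    // RemoteCertificateValidationCallback) constructor the issue refers to.
    public static async Task<SslStream> ConnectAsync(string host, int port)
    {
        var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);
        var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false, ValidateServerCertificate);
        await ssl.AuthenticateAsClientAsync(host);
        return ssl;
    }
}
```

On Android builds before the .NET 8 fix the callback is not consulted and the handshake fails with the Conscrypt "Trust anchor for certification path not found" error shown above; on .NET 8+ the callback decides.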
@omghb omghb added Area: Mono.Android Issues with the Android API binding (Mono.Android.dll). needs-triage Issues that need to be assigned. labels Dec 15, 2022
@jpobst jpobst added Area: HTTP Issues with sockets / HttpClient. and removed Area: Mono.Android Issues with the Android API binding (Mono.Android.dll). needs-triage Issues that need to be assigned. labels Dec 15, 2022
@jpobst jpobst assigned simonrozsival and unassigned jpobst Dec 15, 2022
@simonrozsival
Member

I'm already working on a solution to this problem: dotnet/runtime#77386. If everything goes well, it should be part of .NET 8.

@simonrozsival
Member

@omghb RemoteCertificateValidationCallback is now used in SslStream in .NET 8. You can try it if you install the preview release of .NET 8.

@jpobst I believe you can close this issue.

@simonrozsival simonrozsival removed their assignment Dec 11, 2023
@omghb
Author

omghb commented Dec 22, 2023

@simonrozsival Thanks a lot - it's working now with .NET 8 (MAUI 8).

@jpobst
Contributor

jpobst commented May 17, 2024

Should be fixed in .NET 8+.

@jpobst jpobst closed this as completed May 17, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Jun 17, 2024