From 3d6dbc5aa52a068d36af6641b4d02dd732470adf Mon Sep 17 00:00:00 2001
From: Arek
Date: Fri, 21 May 2021 11:11:29 +0200
Subject: [PATCH] fix: EnabledSslProtocols now is set always when wss scheme is used
---
 arstomp/src/StompClient.cs | 47 ++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 7 deletions(-)
diff --git a/arstomp/src/StompClient.cs b/arstomp/src/StompClient.cs
index 60e4a52..c12f9fe 100644
--- a/arstomp/src/StompClient.cs
+++ b/arstomp/src/StompClient.cs
@@ -66,25 +66,55 @@ namespace ArStomp
 /// true if server certificate is valid, false otherwise
 private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
 {
- if (Debug) Console.WriteLine("Custom RemoteCertificateValidationCallback");
+ if (Debug)
+ {
+ System.Console.WriteLine("Subject: {0}", certificate.Subject.ToString());
+ System.Console.WriteLine("Cert: {0}", certificate.ToString());
+ }
 // if there is no detected problems we can say OK
- if ((sslPolicyErrors & (SslPolicyErrors.None)) > 0) return true;
+ if ((sslPolicyErrors & (SslPolicyErrors.None)) > 0)
+ {
+ if (Debug) System.Console.WriteLine("Cert OK: ((sslPolicyErrors & (SslPolicyErrors.None)) > 0)");
+ return true;
+ }
 // sins that cannot be forgiven
 if (
 (sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 ||
 (sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0
- ) return false;
+ )
+ {
+ if (Debug) System.Console.WriteLine("Cert Fail: (sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0 - {0}", (sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNameMismatch)) > 0);
+ if (Debug) System.Console.WriteLine("Cert Fail: (sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0 - {0}", (sslPolicyErrors & (SslPolicyErrors.RemoteCertificateNotAvailable)) > 0);
+ return false;
+ }
+ if (Debug)
+ {
+ System.Console.WriteLine("Chain:");
+ foreach (var ce in chain.ChainElements)
+ {
+ System.Console.WriteLine("Element: {0}", ce.Certificate);
+ }
+ }
 // last certificate in chain should be one of our trust anchors
 X509Certificate2 projectedRootCert = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
 // check if server's root ca is one of our trusted
 bool anytrusted = false;
 foreach (var cert in certCollection)
 {
+ if (Debug) System.Console.WriteLine("Anytrust: {0}, {1} =? {2}", projectedRootCert.Thumbprint.ToString(),cert.Thumbprint.ToString(), (projectedRootCert.Thumbprint == cert.Thumbprint));
 anytrusted = anytrusted || (projectedRootCert.Thumbprint == cert.Thumbprint);
 }
- if (!anytrusted) return false;
+ if (!anytrusted)
+ {
+ if (Debug) System.Console.WriteLine("Cert Fail: (!anytrusted)");
+ return false;
+ }
 // any other problems than unknown CA?
- if (chain.ChainStatus.Any(statusFlags => statusFlags.Status != X509ChainStatusFlags.UntrustedRoot)) return false;
+ if (chain.ChainStatus.Any(statusFlags => statusFlags.Status != X509ChainStatusFlags.UntrustedRoot))
+ {
+ if (Debug) System.Console.WriteLine("Cert Fail: chain.ChainStatus.Any(statusFlags => statusFlags.Status != X509ChainStatusFlags.UntrustedRoot)");
+ return false;
+ }
 // everything OK
 if (Debug) Console.WriteLine("Certificate OK");
 return true;
@@ -116,9 +146,12 @@ namespace ArStomp
 {
 if (ws != null) throw new Exception("Cannot connect in this state. Should close before");
 ws = new WebSocket( uri.ToString(), "v12.stomp");
- if (uri.Scheme == "wss" && certCollection != null)
+ if (uri.Scheme == "wss")
 {
- ws.SslConfiguration.ServerCertificateValidationCallback = RemoteCertificateValidationCallback;
+ if (certCollection != null)
+ {
+ ws.SslConfiguration.ServerCertificateValidationCallback = RemoteCertificateValidationCallback;
+ }
 ws.SslConfiguration.EnabledSslProtocols = System.Security.Authentication.SslProtocols.Tls12;
 }
 var ct = Token.Token;
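Review bot: The new debug block at the top of RemoteCertificateValidationCallback dereferences `certificate.Subject` before the `RemoteCertificateNotAvailable` check a few lines below, so with Debug on, a handshake where no server certificate was presented (the callback is then invoked with a null certificate) would throw a NullReferenceException from inside the validation callback instead of returning false; guard it with `if (Debug && certificate != null)` or move the block below the "sins that cannot be forgiven" check. The "no detected problems" branch that this hunk wraps in braces is still unreachable: `SslPolicyErrors.None` is zero, so `(sslPolicyErrors & (SslPolicyErrors.None)) > 0` is never true and a clean handshake always falls through to the trust-anchor comparison. Note that this currently fails closed (a system-trusted chain whose root is not in certCollection is rejected), whereas the test the comment describes, `if (sslPolicyErrors == SslPolicyErrors.None)`, would accept any OS-trusted chain regardless of certCollection; decide which is intended and state it in the method's XML doc. The added lines spell `System.Console` while the surrounding code uses `Console`; one form would read more consistently. The method's closing brace is outside the hunk.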
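Review bot: With the condition split, a `wss` URI together with a null `certCollection` now leaves `ServerCertificateValidationCallback` at the WebSocket library's default, and nothing on this path records that the custom trust-anchor check is not in effect; whether that default rejects an invalid or unexpected server certificate depends on the library, so either confirm it or make the combination explicit, e.g. `if (certCollection == null) throw new InvalidOperationException("wss requires a trust-anchor collection");` if pinning is meant to be mandatory, or a `Debug` log line otherwise. Restricting `EnabledSslProtocols` to `SslProtocols.Tls12` alone also prevents TLS 1.3 from being negotiated where the runtime supports it; `SslProtocols.Tls12 | SslProtocols.Tls13` would keep the 1.0/1.1 exclusion without that cost, if the target framework defines Tls13. The enclosing method's signature is outside the hunk.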