
TLS establishment disconnection #271

Open
NeptuneTheMystic opened this issue Sep 25, 2023 · 1 comment

Comments

@NeptuneTheMystic
Hello,

Thank you for your work on this library! It really reduces the drudgery involved with client/server com.

Having a bit of an issue however with a client's TLS connection to a server. The client does not have a certificate, but the server does. MutuallyAuthenticate is set to false on both ends, and AcceptInvalidCertificates is set to false on both ends. Also, _server.SslConfiguration.ClientCertificateRequired is set to false.

When the client calls Connect(), the server indicates it has accepted the connection, however when the client attempts to send anything, the server indicates "disconnected during SSL/TLS establishment with [client ID] (Tls12): The handshake failed due to an unexpected packet format."

Any idea what I might be doing wrong here?

Cheers!

@NeptuneTheMystic
Author

Finally made a connection, although I'd like to report what I found here just in case it's not a recommended practice.

I had to set AcceptInvalidCertificates to true on both sides. I wouldn't think I'd need to do that on the client side, because I don't want to accept invalid certificates from the server. But if it was set to false on the client side, the connection would throw an exception ("The remote certificate is invalid according to the validation procedure."). After setting it to true, I could see that WatsonTCP was calling my X509 certification validation method, with the SslPolicyErrors parameter set to RemoteCertificateNameMismatch.

I don't know why that error is appearing, but I can see the cert's Subject attribute is set to "CN = mysite.com". So in my validation method, I check to see if the SslPolicyErrors parameter is set to RemoteCertificateNameMismatch, and if it is, I check the cert's subject to see if it contains the name of the host I'm attempting to connect to, and if it does, I return true (indicating it's a valid certificate). Is this an OK thing to do? If not, might someone have an idea why I would be getting that policy error? It's a valid certificate and has not expired.
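A stricter form of the validation callback discussed above, added here as an example and not code from WatsonTCP or the reporter: it overrides nothing except RemoteCertificateNameMismatch, and only when the host the client intended to reach is named by the certificate's SAN or CN as an exact or one-label-wildcard match (a name mismatch usually means the client connected by IP address or by a name the certificate does not carry). It assumes .NET 7 or later for X509SubjectAlternativeNameExtension, and that your WatsonTCP version exposes a client-side hook taking a RemoteCertificateValidationCallback; the wiring into WatsonTCP's settings is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not WatsonTCP code). Assumes .NET 7+ for X509SubjectAlternativeNameExtension.
public static class StrictHostValidator
{
    // Returns a callback that overrides ONLY a name mismatch, and only when the host we
    // intended to reach is actually named by the certificate. Chain errors (untrusted,
    // expired, revoked) and a missing certificate are always rejected.
    public static RemoteCertificateValidationCallback ForHost(string expectedHost)
    {
        return (sender, certificate, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;
            if (errors != SslPolicyErrors.RemoteCertificateNameMismatch) return false;
            if (certificate == null) return false;
            using var cert = new X509Certificate2(certificate);
            return DnsNames(cert).Any(name => HostMatches(name, expectedHost));
        };
    }

    // Every dNSName entry from the Subject Alternative Name extension (OID 2.5.29.17),
    // then the Subject CN as a legacy fallback (the reporter's cert uses "CN = mysite.com").
    public static IEnumerable<string> DnsNames(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
            if (ext.Oid?.Value == "2.5.29.17")
                foreach (string dns in new X509SubjectAlternativeNameExtension(ext.RawData).EnumerateDnsNames())
                    yield return dns;
        string cn = cert.GetNameInfo(X509NameType.SimpleName, false);
        if (!string.IsNullOrEmpty(cn)) yield return cn;
    }

    // Exact, case-insensitive comparison. A wildcard is honoured only in the left-most
    // label and matches exactly one label, so "*.mysite.com" covers "api.mysite.com"
    // but neither "mysite.com" nor "a.b.mysite.com". No substring matching.
    public static bool HostMatches(string pattern, string host)
    {
        pattern = pattern.TrimEnd('.').ToLowerInvariant();
        host = host.TrimEnd('.').ToLowerInvariant();
        if (pattern == host) return true;
        if (!pattern.StartsWith("*.")) return false;
        int firstDot = host.IndexOf('.');
        return firstDot > 0 && host.Substring(firstDot) == pattern.Substring(1);
    }
}
```

A `Contains` check on the Subject string accepts any certificate whose subject merely contains the host name as a substring, and the exact label comparison above does not.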
