Use IgnoreEndRevocationUnknown (#71)

* Use IgnoreEndRevocationUnknown * add traces and new tls flag * rm extra flag
Azure-Samples · Oct 31, 2023 · 4e785ae · 4e785ae
1 parent a5ce9d4
commit 4e785ae
Showing 1 changed file with 11 additions and 10 deletions.
diff --git a/mqttclients/dotnet/MQTTnet.Client.Extensions/X509ChainValidator.cs b/mqttclients/dotnet/MQTTnet.Client.Extensions/X509ChainValidator.cs
@@ -6,7 +6,6 @@ namespace MQTTnet.Client.Extensions
 {
     internal static class X509ChainValidator
     {
-
         internal static bool ValidateChain(MqttClientCertificateValidationEventArgs certValArgs, string caCertFile = "")
         {
             X509Certificate2Collection caCerts = new();
@@ -27,23 +26,25 @@ internal static bool ValidateChain(MqttClientCertificateValidationEventArgs cvAr
             if (cvArgs.SslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
             {
                 bool chainValidated = false;
-
-                cvArgs.Chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
-                cvArgs.Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
-                cvArgs.Chain.ChainPolicy.VerificationTime = DateTime.UtcNow;
+                cvArgs.Chain.Reset();
                 cvArgs.Chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+
                 cvArgs.Chain.ChainPolicy.CustomTrustStore.AddRange(caChain);
+                Trace.TraceWarning("Validating TLS with chain:\n\t" + string.Join("\n\t",cvArgs.Chain.ChainPolicy.CustomTrustStore.Select(c => c.Subject)));
 
-                X509Certificate cert = cvArgs.Certificate;
-                X509Certificate2 x5092 = new(cert);
-                chainValidated = cvArgs.Chain.Build(x5092);
+                cvArgs.Chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreEndRevocationUnknown;
+                Trace.TraceWarning($"Chain validation configured with verification flags:\n\t{cvArgs.Chain.ChainPolicy.VerificationFlags}");
+
+                chainValidated = cvArgs.Chain.Build(new X509Certificate2(cvArgs.Certificate));
                 if (chainValidated == false)
                 {
-                    Trace.TraceError($"Error validating TLS chain for cert: '{cert.Subject}' issued by '{cert.Issuer}'");
-                    cvArgs.Chain.ChainStatus.ToList().ForEach(s => Trace.TraceError(s.StatusInformation));
+                    Trace.TraceError($"Error validating TLS chain for cert: '{cvArgs.Certificate.Subject}' issued by '{cvArgs.Certificate.Issuer}'");
+                    cvArgs.Chain.ChainStatus.ToList().ForEach(s => Trace.TraceError("  " + s.StatusInformation));
                 }
                 return chainValidated;
+
             }
+            Trace.TraceError("RemoteCertificateValidation Errors: " + cvArgs.SslPolicyErrors);
             return false;
         }
     }