SSL question

[Memphizzz]

Hi there,

first of all, thank you very much for WatsonTcp and the time and effort you must have put into this great library!

I've just turned on SSL using a pfx file (with no password) which I copied to both machines. Just to see what would happen if the client had the incorrect certificate, I created another one and let the client connect using that. To my surprise there was no error and the client and server communicated just fine. Is this intended?

I've used this to create the certificates:
https://github.com/Azure/azure-xplat-cli/wiki/Getting-Self-Signed-SSL-Certificates-(.pem-and-.pfx)

Btw, the example on the front page shows "new WatsonTcpSslServer" but that class doesn't exist, instead the WatsonTcpServer takes the SSL related parameters.

[jchristn]

Hi @Memphizzz thank you for your kind words.

If the server and client both have Settings.AcceptInvalidCertificates set to true, and, Settings.MutuallyAuthenticate set to false (both of these are default values), then self-signed certificates should work just fine.

If you wish to enforce that the certificates can be validated, set Settings.AcceptInvalidCertificates to false.

If you want to make sure the client and server use the certificates to authenticate with one another, set Settings.MutuallyAuthenticate to true.

The primary reason for these default values is to make it easy to get moving with SSL.

Thanks for the note on the README - I'll take care of that right now!

Cheers, Joel

[Memphizzz]

Hi @jchristn,

thanks for your quick reply!
I basically want to use the certificates instead of a password authentication, so I would like the Connect() to fail if they don't have the same certificate using the certificates mentioned above if possible. How would I have to set AcceptInvalidCertificates and MutuallyAuthenticate in this case?

Oh and I think that it should be "Connect()" instead of "Start()" for the WatsonTcpClient in the example ;)

[jchristn]

Hi @Memphizzz in your case you'd want to install the certificate into the certificate store on each machine (on Windows, start > run > certmgr.msc) to import the PFX file into the 'Personal' store (you can either do this under 'current user' or 'local machine' - use 'local machine' unless you do this under the same context as the user under which WatsonTcp will be running).

Once the certificate is loaded on both client and server:

• If it's a self-signed certificate, keep Settings.AcceptInvalidCertificates as true. If it's a cert from a CA your machines trust, set it to false
• Then set Settings.MutuallyAuthenticate to true

I'll amend the README again - thanks for pointing it out! Please let me know if this works.

[Memphizzz]

Hi @jchristn thanks for getting back to me this quickly again.

The server is a ubuntu server running the exe under mono and the client is a windows desktop application, you wouldn't happen to know how to put that pfx into ubuntu's store?

[jchristn]

I unfortunately don't have experience doing this in Ubuntu, but I did find this: https://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line

Out of curiosity, any reason you are using Mono instead of .NET Core or .NET 5?

[Memphizzz]

I see, I will try that, thanks!

It's an old project and I haven't bothered converting it to .NET Core yet since it has a lot of dependencies which I would have to check if they are .NET Core compatible as well.

[jchristn]

Sweet! If you happen to take notes and get it working, I'd love to use them as the basis for a wiki article. (If you have time of course!)

[Memphizzz]

Of course, I will report back as soon as I got it working ;)

[jchristn]

Moved to Discussion

[Tithras]

Good afternoon, would you be able to confirm how you point the watsontcp to an installed certificate in the certificate store? The examples I found point to using a test.pfx which if I have a cert in a store I dont have? Thanks :)

[jchristn]

That's an implementation detail that the library isn't designed to handle :) I'd recommend retrieving it from a secure vault at runtime or taking it as input outside of the library.

[Tithras]

Quick response, thanks. ill take a look at what you posted :)

[teSill]

@Tithras did you come up with anything clever for this?

[Tithras]

I ended up using the microsoft ssl example as a starting point and then writing my own stuff around it.

The code I use is:

public static X509Certificate2 AuthenticationCertificate
{
 get
 {
  if (_AuthenticationCertificate == null)
  { 
   X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser); 
   store.Open(OpenFlags.ReadOnly);
   X509Certificate2 foundCertificate = null;
   foreach (X509Certificate2 currentCertificate in store.Certificates)
   {
    if (currentCertificate.SubjectName.Name != null && currentCertificate.SubjectName.Name.Equals("CN=MySslSocketCertificate"))
    {
     foundCertificate = currentCertificate;
     break;
    }
   }
   _AuthenticationCertificate = foundCertificate;
  }
  return _AuthenticationCertificate;
 }
}

The above is a slightly tweaked version of the microsoft example which uses a file:
https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream?view=net-6.0

The above is called via the following:

ssl = new SslStream(netStream, false);
ssl.AuthenticateAsServer(AuthenticationCertificate, false, SslProtocols.Tls12, true);

[Tithras]

I should add that I dont use watson anymore and ended up writing my own modules to do what I wanted :)