Forum: agsXMPP RSS
Ladislav #1
Member since Nov 2011 · 2 posts
Group memberships: Members
Subject: Server certificate validation - strange error occurs
Hello,

I've just started with the agsXMPP library and so far, I find it very good and easy to use.

The problem arose when I tried to validate the certificate of the server I connect to. I found out in the documentation and this forum that XmppClientConnection.ClientSocket.OnValidateCertificate is to be used for this purpose. So I've written this handler:

using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Handler for XmppClientConnection.ClientSocket.OnValidateCertificate
static bool ClientSocket_OnValidateCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // The callback declares X509Certificate; downcast to get Verify(), reject if that fails
    X509Certificate2 cert2 = certificate as X509Certificate2;
    if (cert2 != null)
    {
        bool valid = cert2.Verify();   // builds a chain against the machine's trusted roots
        return valid;
    }
    else
        return false;
}

The server I connect to has a self-signed certificate, so it is not treated as valid by the Verify() method of the X509Certificate2 (I would like to add an option to administratively allow an invalid certificate identified by its hash, but that is not important). Things go wrong when this handler returns false. I would expect that the connection object fires the OnError event notifying me of a security problem and terminates the connection. The OnError handler is actually called, but the exception is strange:

agsXMPP.Xml.xpnet.InvalidTokenException.
   at agsXMPP.Xml.xpnet.Encoding.tokenizeContent(Byte[] buf, Int32 off, Int32 end, ContentToken token)
   at agsXMPP.Xml.StreamParser.Push(Byte[] buf, Int32 offset, Int32 length)

Obviously the parser is trying to parse some non-text binary data.

I analyzed the connection using Wireshark: the client starts a <stream>, sends <starttls>, the server replies with <proceed>, then sends its certificate (the communication should be encrypted from this point on). My validation handler gets called now, but if I return false, the client sends </stream>, the server replies with some binary stuff, the client sends a new <stream> header and then disconnects (FIN).

Is the library able to handle the invalid certificate condition at all? Actually, while searching for a solution on the Web I didn't encounter a single implementation of an XMPP client using agsXMPP that would validate the certificate (including the examples in the SDK). They either don't have the handler at all, or it is just "return true;".

Full source code of my test app: http://pastebin.com/jaCMYXNk

Thanks, L.
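As an added example (not the poster's code and not part of agsXMPP), here is a handler with the same signature that implements the "administratively allowed exception by hash" idea from the post: it accepts a certificate the platform already trusts, and otherwise accepts only a certificate whose SHA-256 fingerprint has been pinned in advance. The fingerprint in the allow-list is a constructed placeholder, and rejected certificates are logged so the failure is visible in operations rather than silent.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertValidator
{
    // Constructed placeholder; real values are loaded from configuration after
    // being verified out of band (for example with openssl x509 -fingerprint -sha256).
    static readonly HashSet<string> AllowedSha256Fingerprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000000000000000000000000000" // PLACEHOLDER
        };

    // SHA-256 over the DER encoding, as an upper-case hex string without separators.
    public static string Sha256Fingerprint(X509Certificate certificate)
    {
        using (var sha256 = SHA256.Create())
            return BitConverter.ToString(sha256.ComputeHash(certificate.GetRawCertData()))
                               .Replace("-", "");
    }

    // Same signature as XmppClientConnection.ClientSocket.OnValidateCertificate.
    public static bool OnValidateCertificate(object sender, X509Certificate certificate,
                                             X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;                   // no certificate presented: never accept
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;                    // chains to a trusted root and the name matches

        // Only chain errors (the usual result for a self-signed server certificate) can be
        // overridden, and only by an exact fingerprint match. A name mismatch or a missing
        // certificate is rejected regardless of any pin.
        if (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors)
        {
            string fp = Sha256Fingerprint(certificate);
            if (AllowedSha256Fingerprints.Contains(fp))
                return true;
            Console.Error.WriteLine("Rejected unpinned certificate, SHA-256 " + fp);
            return false;
        }
        Console.Error.WriteLine("Rejected certificate: " + sslPolicyErrors);
        return false;
    }
}
```

Wire it up with `xmpp.ClientSocket.OnValidateCertificate += PinnedCertValidator.OnValidateCertificate;` before connecting; a pin on the full certificate (rather than the key) has to be updated whenever the server certificate is reissued.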
Alex #2
Member since Feb 2003 · 4327 posts · Location: Germany
Group memberships: Administrators, Members
I have committed a patch to SVN. This should raise the OnClose now. Please let me know if this helps.

Alex
Ladislav #3
Member since Nov 2011 · 2 posts
Group memberships: Members
Now it seems to be fine, thanks for your effort.

L.