Subject: Server certificate validation - strange error occurs
Hello,
I've just started with the agsXMPP library and so far, I find it very good and easy to use.
The problem arose when I tried to validate the certificate of the server I connect to. I found out in the documentation and this forum that XmppClientConnection.ClientSocket.OnValidateCertificate is to be used for this purpose. So I've written this handler:
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static bool ClientSocket_OnValidateCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    if (certificate == null)
        return false;
    // SslStream normally hands over an X509Certificate2, but the parameter is declared
    // as X509Certificate; wrap it rather than letting a failed cast silently yield null.
    X509Certificate2 cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
    // Verify() rebuilds the chain against the local trust store, so a self-signed
    // server certificate returns false here (chain and sslPolicyErrors are not consulted).
    bool valid = cert2.Verify();
    return valid;
}
The server I connect to has a self-signed certificate, so it is not treated as valid by the Verify() method of the X509Certificate2 (I would like to add an option to administratively allow an invalid certificate identified by its hash, but that is not important). Things go wrong when this handler returns false. I would expect that the connection object fires the OnError event notifying me of a security problem and terminates the connection. The OnError handler is actually called, but the exception is strange:
agsXMPP.Xml.xpnet.InvalidTokenException.
at agsXMPP.Xml.xpnet.Encoding.tokenizeContent(Byte[] buf, Int32 off, Int32 end, ContentToken token)
at agsXMPP.Xml.StreamParser.Push(Byte[] buf, Int32 offset, Int32 length)
Obviously the parser is trying to parse some non-text binary data.
I analyzed the connection using Wireshark: The client starts a <stream>, sends <starttls>, the server replies with <proceed>, then sends its certificate (the communication should be encrypted from this point on). My validation handler gets called now, but if I return false, the client sends </stream>, the server replies with some binary stuff, the client sends a new <stream> header and then disconnects (FIN).
Is the library able to handle the invalid certificate condition at all? Actually, while searching for a solution on the Web I didn't encounter a single implementation of an XMPP client using agsXMPP that would validate the certificate (including the examples in the SDK). They either don't have the handler at all, or it is just return true;.
Full source code of my test app: http://pastebin.com/jaCMYXNk
Thanks, L.
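The following is an added example, not code from the post above or from the agsXMPP project. It shows the kind of handler the post is asking for: one that trusts the result SslStream already computed in sslPolicyErrors for certificates that chain to a trusted root, and allows an administratively pinned self-signed certificate by its thumbprint while still rejecting name mismatches and expired certificates. The callback signature is the one shown in the post; the PinnedThumbprints value, the CertificateValidation class name and the ClientSocket.OnValidateCertificate += subscription line are assumptions to adapt to your own code.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CertificateValidation
{
    // Administrative allow-list of self-signed server certificates, keyed by the
    // SHA-1 thumbprint that X509Certificate2.Thumbprint returns. The value below is a
    // placeholder; fill it with the thumbprint obtained from the server out of band.
    static readonly HashSet<string> PinnedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000" // placeholder, not a real thumbprint
        };

    // Same signature as the handler in the post:
    //   xmpp.ClientSocket.OnValidateCertificate += CertificateValidation.ValidateServerCertificate;
    // (the subscription line is assumed from the post, not verified against the library).
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;

        // SslStream has already built the chain and matched the host name; no errors
        // means the certificate chains to a trusted root and names the expected host.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        X509Certificate2 cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);

        // Only chain problems (self-signed, untrusted root) may be overridden by the
        // allow-list. A name mismatch or a missing certificate is always rejected.
        bool onlyChainErrors = (sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) == 0;
        if (!onlyChainErrors)
        {
            Console.Error.WriteLine("Rejected server certificate {0}: {1}", cert2.Subject, sslPolicyErrors);
            return false;
        }

        // Accept exactly the pinned certificate, and only within its validity period.
        DateTime now = DateTime.Now;
        if (PinnedThumbprints.Contains(cert2.Thumbprint) && now >= cert2.NotBefore && now <= cert2.NotAfter)
            return true;

        // Log enough detail for an operator to decide whether to pin this certificate.
        Console.Error.WriteLine("Rejected untrusted server certificate {0} (thumbprint {1}, valid {2:u} to {3:u})",
            cert2.Subject, cert2.Thumbprint, cert2.NotBefore, cert2.NotAfter);
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("  chain status: {0} - {1}", status.Status, status.StatusInformation);
        }
        return false;
    }
}
```

Because SslStream has already evaluated the chain before calling the handler, there is no need to call cert2.Verify() again; inspecting sslPolicyErrors (and chain.ChainStatus for the reason) is cheaper and lets the handler distinguish "untrusted issuer" from "wrong host", which Verify() alone does not. Returning false from this handler still leaves the behaviour described in the post (the InvalidTokenException) unchanged; it only makes the decision itself explicit and auditable.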