Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WebSocket custom SSL validation only works when using client certificates #5729

Open
esardaya opened this issue Jan 17, 2025 · 0 comments
Open

WebSocket custom SSL validation only works when using client certificates #5729

esardaya opened this issue Jan 17, 2025 · 0 comments
Assignees
@mconnew @imcarolwang
Labels
feature request Adding new functionality requiring adding an API to the public contract. triaged
Milestone
10.0

Comments

@esardaya
Copy link

Describe the bug
It's possible to disable (or provide custom) SSL validation by setting SslCertificateAuthentication like in this example:

serviceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication()
{
    CertificateValidationMode = X509CertificateValidationMode.None,
    RevocationMode = X509RevocationMode.NoCheck,
};

However, this only works when using client certificate authentication.
Looking at:

wcf/src/System.ServiceModel.Http/src/System/ServiceModel/Channels/ClientWebSocketTransportDuplexSessionChannel.cs

Line 155 in f789e63

if (_channelFactory is HttpsChannelFactory<IDuplexSessionChannel> httpsChannelFactory && httpsChannelFactory.RequireClientCertificate)

It seems like the WebSocket RemoteCertificateValidationCallback is only ever set if RequireClientCertificate is true, which will only be the case when using client certificates.

It should be possible to disable or customize server SSL certificate validation regardless of the auth type being used.

To Reproduce

  1. Create a binding where WebSockets are always enabled, without setting any client certificate auth.
var binding = new NetHttpBinding(BasicHttpSecurityMode.Transport)
{
    MaxReceivedMessageSize = int.MaxValue,  
    WebSocketSettings = { TransportUsage = WebSocketTransportUsage.Always },
};
  1. Disable SSL validation with:
serviceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
serviceCertificate.Authentication.CustomCertificateValidator = new DisableCertificateValidation();
serviceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication()
{
    CertificateValidationMode = X509CertificateValidationMode.None,
    RevocationMode = X509RevocationMode.NoCheck
};
  1. Try to call a service that uses a self-signed SSL certificate, or one that doesn't match the domain.

Expected behavior
The call should succeed.

Actual behavior
Call fails with an error similar to this one:

Exception info dump:
System.ServiceModel.CommunicationException: Unable to connect to the remote server
 ---> System.Net.WebSockets.WebSocketException (0x80004005): Unable to connect to the remote server
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.
@HongGit HongGit added triaged feature request Adding new functionality requiring adding an API to the public contract. labels Jan 30, 2025
@HongGit HongGit added this to the 10.0 milestone Jan 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mconnew mconnew

@imcarolwang imcarolwang

Labels
feature request Adding new functionality requiring adding an API to the public contract. triaged
Projects
None yet
Milestone
10.0
Development

No branches or pull requests
4 participants
@esardaya @mconnew @HongGit @imcarolwang