dotnet/WatsonTcp

TLS establishment disconnection

NeptuneTheMystic opened this issue · 1 comment

Hello,

Thank you for your work on this library! It really reduces the drudgery involved with client/server com.

Having a bit of an issue however with a client's TLS connection to a server. The client does not have a certificate, but the server does. MutuallyAuthenticate is set to false on both ends, and AcceptInvalidCertificates is set to false on both ends. Also, _server.SslConfiguration.ClientCertificateRequired is set to false.

When the client calls Connect(), the server indicates it has accepted the connection, however when the client attempts to send anything, the server indicates "disconnected during SSL/TLS establishment with [client ID] (Tls12): The handshake failed due to an unexpected packet format."

Any idea what I might be doing wrong here?

Cheers!

Finally made a connection, although I'd like to report what I found here just in case it's not a recommended practice.

I had to set AcceptInvalidCertificates to true on both sides. I wouldn't think I'd need to do that on the client side, because I don't want to accept invalid certificates from the server. But if it was set to false on the client side, the connection would throw an exception ("The remote certificate is invalid according to the validation procedure."). After setting it to true, I could see that WatsonTCP was calling my X509 certificate validation method, with the SslPolicyErrors parameter set to RemoteCertificateNameMismatch.

I don't know why that error is appearing, but I can see the cert's Subject attribute is set to "CN = mysite.com". So in my validation method, I check to see if the SslPolicyErrors parameter is set to RemoteCertificateNameMismatch, and if it is, I check the cert's subject to see if it contains the name of the host I'm attempting to connect to, and if it does, I return true (indicating it's a valid certificate). Is this an OK thing to do? If not, might someone have an idea why I would be getting that policy error? It's a valid certificate and has not expired.
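Added example (not WatsonTcp's code and not the poster's): a .NET `RemoteCertificateValidationCallback` that handles the situation in the comment above. It accepts a certificate when `SslPolicyErrors.None` is reported; when the only error is `RemoteCertificateNameMismatch`, it compares the host name passed to `Connect()` against the certificate's Subject Alternative Name entries by exact (case-insensitive, single-label wildcard) match, falling back to the CN only when the certificate carries no SAN DNS names; and it rejects any other error (chain failure, missing certificate) outright. A substring test on `Subject` would also accept a certificate for `notmysite.com` or `mysite.com.attacker.example`, which is why the comparison is label-exact. If the expected host is an IP address rather than a name, it is checked against the SAN IP entries instead, since a certificate with `CN = mysite.com` and no IP SAN will always produce a name mismatch when you connect by address. Assumptions: .NET 7 or later for `X509SubjectAlternativeNameExtension`; the expected host string is whatever you handed to `Connect()`; how the callback is wired into WatsonTcp is not covered here (the post only says the library calls a user-supplied validation method), but the same delegate works with `SslStream` directly.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: strict host-name validation for the RemoteCertificateNameMismatch case.
// Not part of WatsonTcp. Requires .NET 7+ (X509SubjectAlternativeNameExtension).
public static class StrictHostnameValidation
{
    // Build a callback bound to the host you intend to connect to (e.g. "mysite.com"
    // or "10.0.0.5"). Capturing it here avoids depending on anything in 'sender'.
    public static RemoteCertificateValidationCallback ForHost(string expectedHost)
    {
        return (sender, certificate, chain, errors) =>
            Validate(expectedHost, certificate as X509Certificate2, errors);
    }

    public static bool Validate(string expectedHost, X509Certificate2 cert, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null) return false;
        // Only a *pure* name mismatch is negotiable. Chain errors or a missing
        // certificate mean we are not talking to a trusted party at all.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch) return false;
        return CertificateNamesHost(cert, expectedHost);
    }

    public static bool CertificateNamesHost(X509Certificate2 cert, string expectedHost)
    {
        X509SubjectAlternativeNameExtension san = FindSan(cert);

        // Connecting by IP address: only an iPAddress SAN entry can match. The CN is
        // never consulted for IPs.
        if (IPAddress.TryParse(expectedHost, out IPAddress ip))
            return san != null && san.EnumerateIPAddresses().Any(a => a.Equals(ip));

        var dnsNames = new List<string>();
        if (san != null) dnsNames.AddRange(san.EnumerateDnsNames());

        // Legacy fallback: use the CN only when the certificate has no dNSName SANs.
        if (dnsNames.Count == 0)
        {
            string cn = cert.GetNameInfo(X509NameType.SimpleName, forIssuer: false);
            if (!string.IsNullOrEmpty(cn)) dnsNames.Add(cn);
        }
        return dnsNames.Any(n => DnsNameMatches(n, expectedHost));
    }

    // Locate the SAN extension by OID and parse it; this avoids relying on the
    // extension collection having already produced the typed object.
    public static X509SubjectAlternativeNameExtension FindSan(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid?.Value == "2.5.29.17")
                return new X509SubjectAlternativeNameExtension(ext.RawData, ext.Critical);
        }
        return null;
    }

    // Exact, case-insensitive comparison. A wildcard is honoured only as the entire
    // left-most label and covers exactly one label: "*.example.com" matches
    // "a.example.com" but not "a.b.example.com", "example.com" or "aexample.com".
    public static bool DnsNameMatches(string pattern, string host)
    {
        pattern = pattern.TrimEnd('.').ToLowerInvariant();
        host = host.TrimEnd('.').ToLowerInvariant();

        if (!pattern.StartsWith("*.", StringComparison.Ordinal))
            return pattern == host;

        string suffix = pattern.Substring(1);          // ".example.com"
        if (suffix.Contains('*')) return false;        // no second wildcard
        if (!host.EndsWith(suffix, StringComparison.Ordinal)) return false;

        string firstLabel = host.Substring(0, host.Length - suffix.Length);
        return firstLabel.Length > 0 && !firstLabel.Contains('.');
    }
}
```

Usage with a bare `SslStream` (the same delegate shape WatsonTcp calls into) looks like `new SslStream(tcpStream, false, StrictHostnameValidation.ForHost("mysite.com"))`. Note that if the certificate really does name `mysite.com` and you connect with that exact string, `SslPolicyErrors.None` is the expected outcome and the name-mismatch branch is never reached; a mismatch being reported at all is usually the sign that the host passed to `Connect()` differs from what the certificate names, most often an IP address or an internal alias.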