Before explaining my scenario ... the direct question:
Is there a bundle of certification authority (CA) certificates in .NET MF?
Why this question? Read the following ...
I'm working on a project with the AMQP protocol (instead of HTTP REST APIs) and Microsoft Azure Service Bus (queues, topics and event hubs) using the AMQP.Net Lite library (http://amqpnetlite.codeplex.com).
The Service Bus needs an SSL/TLS based connection for sending and receiving messages but I see that this connection is established in a very simple way ... and it seems without any check !
The library uses the following code to execute authentication ...
noVerification ? SslVerification.NoVerification : SslVerification.VerifyPeer,
The parameters are ...
- the host name of service bus namespace (ex. "myservice.servicebus.windows.net")
- null is the client certificate (in this way we don't want client authentication)
- noVerification is false at runtime, so the parameter is VerifyPeer
- usage of default SSL protocol
Now ... during the SSL handshake, the server sends its certificate (inside a chain with two other CA certificates) and the client needs to verify it. To do that, the client needs a CA certificate so that with its public key it can verify the signature of the server certificate just received.
The AuthenticateAsClient method used in the library doesn't have a collection of X509 certificates as CA certificates (there is another overload with this parameter but not the version used in the library).
So, why does the authentication work fine !??
I think that there are two possibilities :
- the method doesn't execute any check ... and it could be a very big problem ! Thanks to SSL I encrypt my data but without server authentication I don't know if I'm talking with the right server I trust !
- the netmf has a CA certificates bundle onboard (like our PCs)
Another strange behavior is that after establishing the TCP connection with the right hostname, if I change at runtime the hostname parameter for AuthenticateAsClient (ex. from "myservice.servicebus.windows.net" to "helloworld") ... the verification works !!! There isn't any check on the hostname in the server certificate !
It seems to be a big security issue ... or am I wrong because I can't see in the right direction ?
Using my M2Mqtt library, I have always used the AuthenticateAsClient overload that takes CA certificate to be sure to verify the server certificate (MQTT broker).
I already posted this question on the GHI forum (https://www.ghielectronics.com/community/forum/topic?id=17816) because I had the doubt that GHI injected CA certificates in their custom firmwares. GHI people replied to me that they don't change the original SSL stack and they don't inject any CA certificates in the custom firmware.
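
Added example, not part of the original post and not code from .NET MF or AMQP.Net Lite: a language-neutral Python model of the hostname check that a TLS client is expected to apply to the server certificate, which is the check the "helloworld" experiment above found missing. The certificate layout follows Python's `ssl.SSLSocket.getpeercert()`; `SAMPLE_CERT` and the function names are constructed for illustration, and IP-address names are not handled.

```python
# Added example: the hostname check a TLS client should apply to the server
# certificate after the chain has been validated against a trusted CA.
# Certificate dicts use the layout returned by ssl.SSLSocket.getpeercert().


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # A wildcard is honoured only as the whole left-most label, covers
        # exactly one label, and needs at least two fixed labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Any other "*" in the pattern is treated as a literal and will not match.
    return p_labels == h_labels


def names_in_cert(cert: dict) -> list:
    """DNS subjectAltName entries; commonName only if no DNS SAN is present."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True only if some name in the certificate covers the requested host."""
    return any(dns_name_matches(name, hostname) for name in names_in_cert(cert))


# Constructed sample, not the real Service Bus certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "servicebus.windows.net"),),),
    "subjectAltName": (("DNS", "*.servicebus.windows.net"),
                       ("DNS", "servicebus.windows.net")),
}

if __name__ == "__main__":
    for host in ("myservice.servicebus.windows.net", "helloworld",
                 "a.b.servicebus.windows.net"):
        print(host, "->", cert_matches_host(SAMPLE_CERT, host))
```

A client that accepts "helloworld" against a certificate like the sample is skipping this step, regardless of whether the chain itself was validated.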