This project is read-only.
2
Vote

SSL : bundle CA certificates or big security issue ?

description

Hello,

before explaining my scenario ... the direct question :

is there a bundle of certification autorithy (CA) certificates in net mf ?
Why this question ? Read following ...

I'm working on a project with AMQP protocol (instead of HTTP REST APIs) and Microsoft Azure Service Bus (queues, topics and event hubs) using the AMQP.Net Lite library (http://amqpnetlite.codeplex.com).
The Service Bus needs an SSL/TLS based connection for sending and receiving messages but I see that this connection is established in a very simple way ... and it seems without any check !
The library uses the following code to execute authentication ...
sslSocket.AuthenticateAsClient(
                     address.Host,
                     null,
                     noVerification ? SslVerification.NoVerification : SslVerification.VerifyPeer,
                     SslProtocols.Default);
The parameters are ...
  • the host name of service bus namespace (ex. "myservice.servicebus.windows.net")
  • null is the client certificate (in this way we don't want client authentication)
  • noVerification is false at runtime, so the parameter is VerifyPeer
  • usage of default SSL protocol
Now ... during the SSL handshake, the server sends its certificate (inside a chain with two other CA certificate) and the client needs to verify it. To do that, the client needs a CA certificate so that with its public key it can verify the signature of the server certificate just received.

The AuthenticateAsClient method used in the library doesn't have a collection of X509 certificates as CA certificates (there is another overload with this parameter but not the version used in the library).

So, why the authentication works fine !??

I think that there are two possibilities :
  • the method doesn't execute any check ... and it could be a very big problem ! Thanks to SSL I encrypt my data but without server authentication I don't know if I'm talking with the right server I trust !
  • the netmf has a CA certificates bundle onboard (like our PCs)
Another strange behavior is that after established TCP connection with the right hostname, if I change at runtime the hostname parameter for AuthenticateAsClient (ex. from "myservice.servicebus.windows.net" to "helloworld") ... the verification works !!! There isn't any check on the hostname in the server certificate !

It seems to be a big security issue ... or I'm wrong because I can't see in the right direction ?

Using my M2Mqtt library, I have always used the AuthenticateAsClient overload that takes CA certificate to be sure to verify the server certificate (MQTT broker).

I already posted this question on GHI forum (https://www.ghielectronics.com/community/forum/topic?id=17816) because I had the doubt that GHI injected CA certificates in their custom firmwares. GHI people replied me that they don't change original SSL stack and they don't inject any CA certificates in the custom firmware.

Thanks,
Paolo

comments

pdii wrote Aug 1, 2015 at 11:33 PM

I'm also interested to know how this is working. I'm using a netduino 3 wifi and want to connect to an azure event hub via either https or ampqs. I want to know that the netduino is verifying the server to which it is sending data. Are root CA certs loading on .NET MF? Can I upload root certs to the netduino for the endpoint(s) I want to communicate with?

ppatierno wrote Aug 2, 2015 at 3:11 PM

The discussion in moved here :

https://github.com/NETMF/netmf-interpreter/issues/251

on GitHub that is the new Net MF project home.

Regarding new CA certs you can import them as binary resources in your .Net Micro Framework application and then use the AuthenticateAsClient method overload of SslStream that receives CA certs.

Paolo