I just got my hands on a few N3Ws and was most interested in their support for SSL/TLS. The #1 thing I want to do with these is send data to an Event Hub in Azure.
It is my understanding that:
- To connect to https:// or amqps://<event_hub_namespace>-ns.servicebus.windows.net/<event_hub_name> my N3W will need to have the root CA cert for the *.servicebus.windows.net certificate available to validate each call to my event hub.
- .NET MF doesn’t include root CA certificates due to space constraints, and therefore I must embed the root CA for any endpoint to which I want to establish an SSL connection in the project that is deployed to my N3W. I followed the advice here to acquire the CA certificate for my event hub.
- For SSL to work on .NET MF, my N3W needs:
  - to have an accurate device time (which it can acquire via an NTP server)
  - to have the “SSL seed” generated using the MFDeploy tool (I’m not exactly sure why, or in which scenarios I need to regenerate it)
- I can’t use the portable HTTP client because it doesn’t support .NET MF, and instead must either:
  - use HttpWebRequest and pass the embedded CA cert for the event hub endpoint in the HttpWebRequest.HttpsAuthentCerts property, or
  - wrap a NetworkStream generated from a TcpClient in an SslStream and implement the SslStream’s certificateSelection and certificateValidation callbacks (potentially like this) in order to make this connection.
I’ve tried implementing the HttpWebRequest approach first. I ran into issues similar to what was described in this post.
After facing these issues, I decided that I would try a different endpoint. I issued an HTTPS GET request to https://www.google.com/. This seemed to work. However, it worked whether I didn’t present a root CA cert, presented the correct root CA cert, or even presented the wrong root CA cert in the HttpWebRequest.HttpsAuthentCerts property. I think this is the same issue that ppatierno raises on the .NET MF GitHub site.
I’m concerned that cert validation isn’t working. The https://www.google.com GET scenario makes me think that even if I go through the trouble of adding the root CA cert, I could still fall victim to a man-in-the-middle attack.
Has anyone validated that they get some sort of exception when attempting to make an SSL connection to an endpoint that is presenting an invalid cert?
In order to get this level of verification, do I need to skip the HttpWebRequest approach and go down the TcpClient/NetworkStream/SslStream approach?
Where can I get more details on the purpose of SSL Seed generation?
I’m new to .NET MF, so I’m somewhat expecting that there’s just something obviously wrong with my approach. If not, and if it is helpful, I’m willing to upload a small sample program that illustrates these issues.
Thanks in advance for any help you can provide!
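The check the post is asking for, written as an added .NET Micro Framework example (not code from the original post or from the .NET MF project): run the same HTTPS GET three times, with the correct root CA, with an unrelated root CA, and with no CA at all, and compare the outcomes. If the handshake is only accepted with the correct root, HttpsAuthentCerts is being enforced; if it is accepted with the wrong root or with none, the device is not validating the peer and is exposed to a man-in-the-middle. The resource names `servicebus_root_ca` and `unrelated_root_ca` are hypothetical, the device time is assumed to already be set from NTP, and treating a WebException that carries an HTTP response as "handshake succeeded" is an assumption about how .NET MF surfaces HTTP-level errors.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.SPOT;

// Probe whether HttpsAuthentCerts actually rejects a server whose chain does not
// terminate in the CA we supplied. Assumes device time has already been set via NTP.
public static class TlsValidationProbe
{
    // Returns true if the TLS handshake was accepted (a response, even an HTTP error,
    // came back), false if the connection was rejected before any HTTP exchange.
    public static bool HandshakeAccepted(string url, X509Certificate[] trustedRoots)
    {
        try
        {
            var req = (HttpWebRequest)WebRequest.Create(url);
            if (trustedRoots != null)
                req.HttpsAuthentCerts = trustedRoots;   // root CA(s) to trust for this call only
            using (var resp = (HttpWebResponse)req.GetResponse())
            {
                Debug.Print("HTTP " + (int)resp.StatusCode);
                return true;
            }
        }
        catch (WebException wex)
        {
            // Assumption: a WebException with a Response means TLS succeeded and the
            // server answered with an HTTP error (e.g. 401 from an Event Hub without a SAS token).
            if (wex.Response != null) return true;
            Debug.Print("rejected: " + wex.Message);
            return false;
        }
        catch (Exception ex)   // socket-level handshake failures
        {
            Debug.Print("rejected: " + ex.Message);
            return false;
        }
    }

    public static void Run()
    {
        // Hypothetical embedded binary resources holding DER-encoded root certificates.
        var correctRoot = new X509Certificate(Resources.GetBytes(Resources.BinaryResources.servicebus_root_ca));
        var unrelatedRoot = new X509Certificate(Resources.GetBytes(Resources.BinaryResources.unrelated_root_ca));
        const string url = "https://<event_hub_namespace>-ns.servicebus.windows.net/<event_hub_name>"; // placeholder

        bool withCorrect = HandshakeAccepted(url, new[] { correctRoot });
        bool withWrong = HandshakeAccepted(url, new[] { unrelatedRoot });
        bool withNone = HandshakeAccepted(url, null);

        if (withWrong || withNone)
            Debug.Print("WARNING: peer cert not validated against HttpsAuthentCerts; do not send data.");
        else if (withCorrect)
            Debug.Print("OK: validation enforced (wrong/no CA rejected, correct CA accepted).");
        else
            Debug.Print("All attempts failed: check device time (NTP) and SSL seed before concluding.");
    }
}
```

The same three-way comparison can be pointed at https://www.google.com/ with its root CA to reproduce the observation in the post; a 200 with the wrong root there is the symptom to look for.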