The Netduino forums have been replaced by new forums at community.wildernesslabs.co. This site has been preserved for archival purposes only and the ability to make new accounts or posts has been turned off.

pdii

Member Since 14 May 2012
Offline Last Active Sep 15 2015 05:13 AM
-----

Topics I've Started

SSL not working?

14 August 2015 - 09:39 PM

I just got my hands on a few N3Ws and was most interested in their support for SSL/TLS.  The #1 thing I want to do with these is send data to an Event Hub in Azure.

It is my understanding that:

  • To connect to https:// or amqps://<event_hub_namespace>-ns.servicebus.windows.net/<event_hub_name> my N3W will need to have the root CA cert for the *.servicebus.windows.net certificate available to validate each call to my event hub.
  • .NET MF doesn't include root CA certificates due to space constraints and therefore I must embed the root CA for any endpoint to which I want to establish an SSL connection with the project that is deployed to my N3W.  I followed the advice here to acquire the CA certificate for my event hub.
  • For SSL to work on .NET MF, my N3W needs
    • to have an accurate device time (which it can acquire via an NTP server)
    • the SSL seed needs to be generated using the MFDeploy tool (not exactly sure why or in which scenarios I need to regen again)
  • I can't use the portable http client because it doesn't support .NET MF, and instead must use either:
    1. HttpWebRequest and pass the embedded CA cert for the event hub endpoint in the HttpWebRequest.HttpsAuthentCerts property.
    2. wrap a NetworkStream generated from a TcpClient in an SslStream and implement the SslStream's certificateSelection and certificateValidation callbacks (potentially like this) in order to make this connection.

I've tried implementing the HttpWebRequest approach first.  I ran into issues similar to what was described in this post.

After facing these issues, I decided that I would try a different endpoint.  I issued an HTTPS GET request to https://www.google.com/.  This seemed to work.  However, it would work if I didn't present the root CA cert, if I did present the root CA cert, and even if I presented the wrong root CA cert in the HttpWebRequest.HttpsAuthentCerts property.  I think this is the same issue that ppatierno raises on the .NET MF's GitHub site.

I'm concerned that cert validation isn't working.  The GET to https://www.google.com scenario makes me think that even if I go through the trouble of adding the root CA cert, I could still fall victim to a man-in-the-middle attack.

Has anyone validated that they get some sort of exception when attempting to make an SSL connection to an endpoint that is presenting an invalid cert?

In order to get this level of verification, do I need to skip the HttpWebRequest approach and go down the TcpClient/NetworkStream/SslStream approach?

Where can I get more details on the purpose of SSL Seed generation?

I'm new to .NET MF, so I'm somewhat expecting that there's just something obviously wrong with my approach.  If not, and if it is helpful, I'm willing to upload a small sample program that illustrates these issues.

Thanks in advance for any help you can provide!
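
Added example, not part of the original post: a throwaway test PKI for the negative test the post asks about, showing the result a correct chain validator must give when the embedded root is the wrong one. It assumes the `openssl` command-line tool is installed; every name in it (rootA, rootB, n3w-test.example) is constructed.

```shell
#!/usr/bin/env bash
# Added example: throwaway PKI for a negative TLS test. All names are constructed.
set -eu

make_fixture() {               # make_fixture <dir>
  dir="$1"; mkdir -p "$dir"
  # Minimal config so both roots carry basicConstraints CA:TRUE on any OpenSSL version.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # rootA signs the test server; rootB is an unrelated root (the "wrong" one).
  for r in rootA rootB; do
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
      -days 7 -subj "/CN=constructed $r" \
      -keyout "$dir/$r.key" -out "$dir/$r.pem" 2>/dev/null
  done
  # Server key and CSR, then a leaf certificate issued by rootA only.
  openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=n3w-test.example" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/rootA.pem" \
    -CAkey "$dir/rootA.key" -CAcreateserial -sha256 -days 7 \
    -out "$dir/leaf.pem" 2>/dev/null
}

chain_ok() {                   # chain_ok <root.pem> <leaf.pem>
  # Succeeds only when openssl reports the leaf chains to the given root.
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

work="$(mktemp -d)"
make_fixture "$work"
chain_ok "$work/rootA.pem" "$work/leaf.pem" && echo "trusting rootA: leaf accepted"
chain_ok "$work/rootB.pem" "$work/leaf.pem" || echo "trusting rootB: leaf rejected"
```

To exercise a device against this fixture, serve the leaf from a lab host (for example `openssl s_server -accept 8443 -cert leaf.pem -key leaf.key -www`) and embed rootB.pem as the only trusted root. A client that validates the chain must fail the handshake, and one that connects anyway is not checking the chain.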


This webpage is licensed under a Creative Commons Attribution-ShareAlike License.