koobas.hobune.stream
SSL over socket Remote Certificate Not Available
I'm trying to setup a socket using SSL on .net, all works great except that we have to skip the validation of the certificate... I'm suspecting mono does not ship with any root certificates and unity is probably not using the platforms certificates
http://www.mono-project.com/UsingTrustedRootsRespectfully
Has anyone found a means to validate the certificates without simply accepting the certificate failure to prevent a man in the middle style attack. The mono guides I've looked at indicate installing certificates but given I am targetting for iOS and Android I'm not sure how / if this is possible at the mono level and if it would require going down to make an ios / android call to validate the cert? I would have hoped that the unity platform would delegate to the appropriate platform keystore for cert validation?
here's how we skip the validation callback:
var secureStream = new SslStream(
tcpclient.GetStream(),
false,
ValidateServerCertificate,
null
);
public static bool ValidateServerCertificate(
object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors != SslPolicyErrors.None)
{
Logger.WarnCh("comms", "Warn cert errors");
}
return true;
}
I need the same answer! Do you think the WWW class also accept the certificate failure on desktop stand alone clients?
Not sure to be honest, I think the standard WWW unity API for https style stuff should be ok - my understanding is that this some sort of delegate down to the OS rather than relying on mono socket security frameworks.
I could be wrong and the WWW implementation maybe completely open to man in the middle, and reading some of the security related discussions on this forum it wouldn't surprise me if it was vulnerable.
O$$anonymous$$G this would be really bad...should I switch to uniweb?
