Custom validation callback for server certificates in SslStream does not work #7641

@omghb

Android application type

Android for .NET (net6.0-android, etc.)

Affected platform version

VS 2022 17.4.3 with MAUI

Description

Using SslStream with a userCertificateValidationCallback does not work on Android.

But it works on

  • iOS
  • Windows.

The same issue was already resolved for HTTP handlers. See PR: Use custom validation callback for server certificates in HTTP handlers #6665

Steps to Reproduce

Just use this ctor with a userCertificateValidationCallback that allows a self-signed certificate to pass.

SslStream(Stream, Boolean, RemoteCertificateValidationCallback)

Did you find any workaround?

Workaround: https://stackoverflow.com/a/71196389

Relevant log output

Android exception that is thrown when a self-signed certificate should be accepted by the SslStream:

[System.err] javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[System.err] 	at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:363)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
[System.err] 	at com.android.org.conscrypt.Java8EngineWrapper.unwrap(Java8EngineWrapper.java:237)
[System.err] Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[System.err] 	at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:656)
[System.err] 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
[System.err] 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:425)
[System.err] 	at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:368)
[System.err] 	at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:102)
[System.err] 	at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:106)
[System.err] 	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:255)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
[System.err] 	at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
[System.err] 	at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataHeap(ConscryptEngine.java:1115)
[System.err] 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1087)
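
The repro step above, written as an added example that is not code from the issue or from the .NET for Android project: it passes a callback to the `SslStream(Stream, Boolean, RemoteCertificateValidationCallback)` constructor and accepts a self-signed certificate only when its SHA-256 hash matches a pinned value, instead of returning `true` unconditionally. The class name `PinnedTlsClient`, the method names and the `PinnedSha256` placeholder are assumptions made for illustration.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class PinnedTlsClient // hypothetical name, not from the issue
{
    // Placeholder: hex SHA-256 of the expected server certificate (DER bytes).
    const string PinnedSha256 = "<SHA256-OF-EXPECTED-SERVER-CERT>";

    // Callback matching RemoteCertificateValidationCallback.
    public static bool ValidateServerCertificate(
        object sender, X509Certificate? certificate,
        X509Chain? chain, SslPolicyErrors errors)
    {
        // A chain the platform already trusts needs no exception.
        if (errors == SslPolicyErrors.None) return true;

        // Tolerate only an untrusted chain (the self-signed case); a missing
        // certificate or a host name mismatch is still rejected.
        if (certificate is null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        // Accept the certificate only if it is exactly the pinned one.
        string actual = Convert.ToHexString(SHA256.HashData(certificate.GetRawCertData()));
        return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
    }

    public static async Task<SslStream> ConnectAsync(string host, int port)
    {
        var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);

        // The constructor overload named in the issue.
        var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false,
                                ValidateServerCertificate);

        // On the affected Android setup the issue reports that the handshake
        // fails here with the SSLHandshakeException shown in the log above.
        await ssl.AuthenticateAsClientAsync(host);
        return ssl;
    }
}
```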

Labels: Area: HTTP (Issues with sockets / HttpClient.)
