I'm trying with no luck to connect a device to a .Net (4.5.2) server. It's a TCP connection opened by the device, that uses TLS 1.2.
SslStream
wrapped through DotNetty
Any .Net client can successfully connect to my server using a secured TLS connection. It's working when trying with CURL too, so I've concluded my TCP server works fine.
So I've compared (using Wireshark) what was sent by a working client from what was sent by the device that cannot connect. The significant difference I found is the absence (for the device) of the Server Name Extension (SNI) inside the Client Hello TLS message.
Next thing I tried is to manually send data to my server using Pcap.Net, i.e. to manually send TCP SYN/TCP ACK/Client Hello messages using raw byte arrays (raw data I got (thanks to Wireshark) from the device trying to connect to my server). I confirmed that tweaking the non-working Client Hello raw byte array by adding the Server Name extension causes my TLS handshake to work.
So obviously I got an issue with clients that don't include the SNI extension and a server that refuses the handshake if this information is not present.
How could I change the way my TCP server behave to accept client that don't provide the Server Name extension? Is it possible in the first place using the standard .Net SslStream
class?
AFAIK, the SNI extension is not mandatory, and it's up to the client to decide whether or not to use it, so the server should theoretically accept a Client Hello message without it.
Any pointer would be greatly appreciated.
TLS provides a secure layer on top of TCP/IP, thanks to its use of both public key and symmetric encryption, and is increasingly necessary to secure the private data flying across the Internet.
A TLS handshake is the process that kicks off a communication session that uses TLS. During a TLS handshake, the two communicating sides exchange messages to acknowledge each other, verify each other, establish the cryptographic algorithms they will use, and agree on session keys.
.Net 4.5.2 supports TLS1.2 but it is disabled by default.
For enabling it you have to explicitly define the security protocol set.
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
for more information see the following link https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.securityprotocol%28v=vs.110%29.aspx
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With