From 039e83d4e9f5a75d2b79caa9a177ec75b39678af Mon Sep 17 00:00:00 2001
From: Michael Clayson
Date: Thu, 10 Apr 2025 11:11:22 +0100
Subject: [PATCH 1/3] feat: add Bypass Certificate Check Flag
---
 .../NHS.Mesh.Client/Clients/MeshConnectClient.cs | 8 +++++++-
 .../Configuration/MeshConnectConfiguration.cs | 2 ++
 .../Contracts/Configurations/IMeshConnectConfiguration.cs | 2 ++
 .../NHS.Mesh.Client/Extensions/MeshMailboxBuilder.cs | 3 ++-
 4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs b/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
index 0dba174..efc08e5 100644
--- a/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
+++ b/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
@@ -82,7 +82,13 @@ private async Task SendHttpRequest(HttpRequestMessage httpR
 handler.SslProtocols = SslProtocols.Tls12;
 handler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, chain, sslPolicyErrors) =>
 {
- if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
+
+ if(_meshConnectConfiguration.BypassServerCertificateValidation)
+ {
+ _logger.LogWarning("Bypassing Server Certificate Validation");
+ return true;
+ }
+ else if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
 {
 return true; // Everything is fine
 }
diff --git a/application/DotNetMeshClient/NHS.Mesh.Client/Configuration/MeshConnectConfiguration.cs b/application/DotNetMeshClient/NHS.Mesh.Client/Configuration/MeshConnectConfiguration.cs
index d16f8c4..aca4e2e 100644
--- a/application/DotNetMeshClient/NHS.Mesh.Client/Configuration/MeshConnectConfiguration.cs
+++ b/application/DotNetMeshClient/NHS.Mesh.Client/Configuration/MeshConnectConfiguration.cs
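Review bot: The bypass branch returns true before `sslPolicyErrors` is examined at all, so with `BypassServerCertificateValidation` set the client accepts any certificate from any host, including name mismatches, and the only trace is a warning that does not say which endpoint was contacted. At minimum make the warning attributable in operational logs, `_logger.LogWarning("Bypassing server certificate validation for {Host}", httpRequestMessage.RequestUri?.Host);`, and consider including the `sslPolicyErrors` value that would otherwise have rejected the connection so a bypass that is actually masking a problem is visible. The `if(` spacing and the blank line inserted directly after the opening brace differ from the surrounding code and are worth tidying. `SendHttpRequest` begins above the hunk and the callback body continues below it.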
@@ -54,4 +54,6 @@ public class MeshConnectConfiguration : IMeshConnectConfiguration
 public bool ProxyUseDefaultCredentials { get; set; }
 /// Gets the chunk size in bytes for sending chunked messages 19Mb limit outside of HSCN 100Mb limit within
 public int ChunkSize { get; set; }
+ /// Flag if the Servers Certificate is Checked against the CA Chain
+ public bool BypassServerCertificateValidation { get; set; }
 }
diff --git a/application/DotNetMeshClient/NHS.Mesh.Client/Contracts/Configurations/IMeshConnectConfiguration.cs b/application/DotNetMeshClient/NHS.Mesh.Client/Contracts/Configurations/IMeshConnectConfiguration.cs
index ec66929..175c6d0 100644
--- a/application/DotNetMeshClient/NHS.Mesh.Client/Contracts/Configurations/IMeshConnectConfiguration.cs
+++ b/application/DotNetMeshClient/NHS.Mesh.Client/Contracts/Configurations/IMeshConnectConfiguration.cs
@@ -53,4 +53,6 @@ public interface IMeshConnectConfiguration
 bool ProxyUseDefaultCredentials { get; set; }
 /// Gets the chunk size in bytes for sending chunked messages 19Mb limit outside of HSCN 100Mb limit within
 int ChunkSize { get; set; }
+ /// Flag if the Servers Certificate is Checked against the CA Chain
+ public bool BypassServerCertificateValidation { get; set; }
 }
diff --git a/application/DotNetMeshClient/NHS.Mesh.Client/Extensions/MeshMailboxBuilder.cs b/application/DotNetMeshClient/NHS.Mesh.Client/Extensions/MeshMailboxBuilder.cs
index 929bfcd..bc69f3d 100644
--- a/application/DotNetMeshClient/NHS.Mesh.Client/Extensions/MeshMailboxBuilder.cs
+++ b/application/DotNetMeshClient/NHS.Mesh.Client/Extensions/MeshMailboxBuilder.cs
@@ -28,7 +28,8 @@ public MeshMailboxBuilder(IServiceCollection services,Action
Date: Thu, 10 Apr 2025 11:39:43 +0100
Subject: [PATCH 2/3] CA Cert was not actually being checked
---
 .../Clients/MeshConnectClient.cs | 22 +++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
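Review bot: The doc comment on `BypassServerCertificateValidation` reads as though the flag turns certificate checking on, whereas the client code in the first hunk treats `true` as skipping server certificate validation altogether; the same comment is added to `IMeshConnectConfiguration` in the next hunk. Suggest `/// When true, server certificate validation is skipped entirely (no CA chain or policy-error checks are applied)` on both, so someone reading the configuration contract is not misled into enabling it. If the original wording is kept, `Servers` should be `Server's`.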
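Review bot: The new interface member carries a `public` modifier while the neighbouring members `ProxyUseDefaultCredentials` and `ChunkSize` do not; interface members are public by default and the explicit modifier only compiles from C# 8 onward, so it is both redundant and inconsistent here. Change it to `bool BypassServerCertificateValidation { get; set; }` to match the rest of `IMeshConnectConfiguration`.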
diff --git a/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs b/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
index efc08e5..91517ff 100644
--- a/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
+++ b/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
@@ -100,12 +100,26 @@ private async Task SendHttpRequest(HttpRequestMessage httpR
 {
 chain.ChainPolicy.CustomTrustStore.Add(caCert);
 }
- if (cert != null)
+ if (cert == null)
 {
- // Rebuild the chain with added certs
- return chain.Build(cert);
+ return false;
 }
- return false;
+ // Rebuild the chain with added certs
+ if (!chain.Build(cert))
+ {
+ return false;
+ }
+
+ bool isValidCA = mailboxConfiguration.serverSideCertCollection
+ .Any(caCert => caCert.Thumbprint == cert.Issuer);
+ if (!isValidCA)
+ {
+ _logger.LogError("Server certificate is not issued by a trusted CA!");
+ return false;
+ }
+
+ return true;;
+
 };
 }
From 97c95b45db9e86b3c5148c3bedaa78b2a4b7510a Mon Sep 17 00:00:00 2001
From: Michael Clayson
Date: Thu, 10 Apr 2025 12:21:03 +0100
Subject: [PATCH 3/3] Correctly Check CA
---
 .../NHS.Mesh.Client/Clients/MeshConnectClient.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs b/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
index 91517ff..21349d7 100644
--- a/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
+++ b/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
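Review bot: `chain.Build(cert)` only evaluates against the certificates added to `chain.ChainPolicy.CustomTrustStore` above when `chain.ChainPolicy.TrustMode` is `X509ChainTrustMode.CustomRootTrust`; that assignment is not visible in this hunk, and in .NET 5 and later `Build` is documented to reject a populated custom trust store in the default `System` mode, so unless the mode is set earlier in `SendHttpRequest` the chain is either built against the system store or the call throws inside the callback. A failed build also discards the diagnostics an operator needs: log `chain.ChainStatus` before returning, e.g. `_logger.LogError("Server certificate chain build failed: {Status}", string.Join(", ", chain.ChainStatus.Select(s => s.StatusInformation)));`, so an untrusted root can be told apart from an expired or revoked certificate. The thumbprint-to-issuer comparison and the doubled semicolon on `return true;;` are corrected by the following commit. `SendHttpRequest` begins above the hunk.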
@@ -111,14 +111,14 @@ private async Task SendHttpRequest(HttpRequestMessage httpR
 }
 bool isValidCA = mailboxConfiguration.serverSideCertCollection
- .Any(caCert => caCert.Thumbprint == cert.Issuer);
+ .Any(caCert => caCert.Thumbprint == cert.Thumbprint);
 if (!isValidCA)
 {
 _logger.LogError("Server certificate is not issued by a trusted CA!");
 return false;
 }
- return true;;
+ return true;
 };
 }
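Review bot: Comparing `cert.Thumbprint` against `serverSideCertCollection` checks that the server's leaf certificate is itself one of the configured CA certificates, which is leaf pinning rather than the issuer check that the name `isValidCA` and the log message describe; a leaf that is legitimately issued by one of those CAs will be rejected. If the intent is to trust the chain that `chain.Build(cert)` just validated, compare the chain's terminal element instead, `var anchor = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;` followed by `.Any(caCert => caCert.Thumbprint == anchor.Thumbprint)`. If explicit leaf pinning is what is wanted, rename the variable and reword the log text to say so, and document that the configured collection must be updated whenever the server certificate is renewed. The enclosing callback and `SendHttpRequest` begin above the hunk.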