With this code, for example:


        private static void OnConnect(IAsyncResult ar)
        {
            var clientConnection = listener.EndAcceptTcpClient(ar);
            listener.BeginAcceptTcpClient(OnConnect, ar.AsyncState);

            try
            {
                // SSL the client
                var clientStream = clientConnection.GetStream();
                var clientSecureStream = new SslStream(clientStream, false);
                clientSecureStream.AuthenticateAsServer(certificate);
                ...
                ...

I'm able to successfully establish an incoming SSL connection. The client that is connecting to this server specifies a target host when authenticating as a client: https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netframework-4.7.2#System_Net_Security_SslStream_AuthenticateAsClient_System_String_

How do I retrieve the value of this target host in my code above?

I've looked into the RemoteCertificateValidationCallback parameter for the SslStream constructor, but the internet is telling me that this callback is only meant for client side, and not server side (I tried it and the targetHost argument is always an empty string).

I've searched here and online and I'm having trouble finding a solution...

Should an SslServer not be able to send different data depending on the target host? Does SslStream just not support this scenario? Am I missing some concept completely?

Simoyd
  • There is no difference in a server or a client. A server can be a listener. The term server has different meaning at different network layers. There are 7 different network layers. A Server Machine is a high speed computer with lots of memory that many clients connect to. At the connection layer you have two ends of a connection 1) Server (Listener) that starts first 2) Client that connects to the server. At the connection layer the database is always the server/listener. Any application that connects to the database is the client. – jdweng Jan 26 '19 at 23:05
  • I mean that's potentially interesting but I don't see how it's relevant... What I've done to work around the issue is to create an intermediate stream where I can read the unencrypted data and the data is also still sent to the SslStream. Through this I'm able to look for ".com" and pull the target host out. There must be a better way to do this... – Simoyd Jan 27 '19 at 02:50
  • SSL/TLS doesn't include the requested target name during handshake (server doesn't have access to what client requests, it just sends back a certificate). But SSL/TLS also defines extensions to the handshake, and the one you're looking for is SNI (Server Name Indication https://en.wikipedia.org/wiki/Server_Name_Indication). I believe SslStream doesn't implement support for that https://visualstudio.uservoice.com/forums/121579-visual-studio-2015/suggestions/2564042-add-support-for-the-tls-server-name-indication-sn for server-side. See also https://github.com/dotnet/corefx/issues/9608 – Simon Mourier Feb 09 '19 at 09:39
  • There's an idea [here](https://stackoverflow.com/a/27752277/1202807) of peeking at the Stream to read the host name, but it sounds difficult. – Gabriel Luci Feb 14 '19 at 00:39
  • Are you attempting to provide Web(https) services over this connection? – Feb 15 '19 at 01:13
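The comments above point at the right mechanism: the host name the client passes to AuthenticateAsClient travels in the SNI extension of the TLS ClientHello, which SslStream on .NET Framework 4.7.2 neither parses nor exposes. The following is an added example (not from the question, the comments, or the .NET libraries) of doing what the workaround comment describes properly: read the first TLS record off the raw socket, parse the server_name extension by structure instead of searching for ".com", then hand SslStream a stream that replays those bytes so the handshake still sees the whole ClientHello. The `listener` and `certificate` fields, and the `OnConnect` shape, are assumed to be those of the question; `SniPeek` and `ReplayStream` are names chosen here.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Text;

// Example helper (not part of .NET): extracts the SNI host name from a raw ClientHello record.
static class SniPeek
{
    // Reads exactly one TLS record (5-byte header plus body) from the stream.
    // A non-TLS first byte returns just the header so the caller can still replay it.
    public static byte[] ReadRecord(Stream s)
    {
        var hdr = new byte[5];
        ReadFully(s, hdr, 0, 5);
        if (hdr[0] != 0x16) return hdr;                         // not a handshake record
        int len = (hdr[3] << 8) | hdr[4];
        var rec = new byte[5 + len];
        Array.Copy(hdr, rec, 5);
        ReadFully(s, rec, 5, len);
        return rec;
    }

    // Returns the server_name host from a ClientHello, or null if it is absent or malformed.
    public static string TryGetServerName(byte[] d, int count)
    {
        try
        {
            if (count < 5 || d[0] != 0x16) return null;         // TLS handshake record
            int recEnd = 5 + ((d[3] << 8) | d[4]);
            if (count < recEnd || d[5] != 0x01) return null;    // whole record, ClientHello
            int p = 5 + 4;                                      // msg type + 24-bit length
            p += 2 + 32;                                        // client_version + random
            p += 1 + d[p];                                      // session_id
            p += 2 + ((d[p] << 8) | d[p + 1]);                  // cipher_suites
            p += 1 + d[p];                                      // compression_methods
            if (p + 2 > recEnd) return null;                    // no extensions block
            int extEnd = p + 2 + ((d[p] << 8) | d[p + 1]);
            p += 2;
            while (p + 4 <= extEnd)
            {
                int type = (d[p] << 8) | d[p + 1];
                int len = (d[p + 2] << 8) | d[p + 3];
                p += 4;
                if (type == 0x0000)                             // server_name extension
                {
                    int q = p + 2;                              // skip ServerNameList length
                    while (q + 3 <= p + len)
                    {
                        int nameType = d[q];
                        int nameLen = (d[q + 1] << 8) | d[q + 2];
                        q += 3;
                        if (nameType == 0)                      // host_name
                            return Encoding.ASCII.GetString(d, q, nameLen);
                        q += nameLen;
                    }
                }
                p += len;
            }
            return null;
        }
        catch (IndexOutOfRangeException) { return null; }       // truncated or garbage input
    }

    static void ReadFully(Stream s, byte[] b, int off, int n)
    {
        while (n > 0)
        {
            int k = s.Read(b, off, n);
            if (k <= 0) throw new EndOfStreamException();
            off += k; n -= k;
        }
    }
}

// Example wrapper (not part of .NET): replays already-read bytes, then passes reads through,
// so SslStream receives the complete ClientHello it expects.
sealed class ReplayStream : Stream
{
    private readonly Stream inner; private readonly byte[] buf; private readonly int len; private int pos;
    public ReplayStream(Stream inner, byte[] buffered, int count) { this.inner = inner; buf = buffered; len = count; }
    public override int Read(byte[] b, int off, int n)
    {
        if (pos < len) { int k = Math.Min(n, len - pos); Array.Copy(buf, pos, b, off, k); pos += k; return k; }
        return inner.Read(b, off, n);
    }
    public override void Write(byte[] b, int off, int n) => inner.Write(b, off, n);
    public override void Flush() => inner.Flush();
    public override bool CanRead => true; public override bool CanWrite => true; public override bool CanSeek => false;
    public override long Length => throw new NotSupportedException();
    public override long Position { get => throw new NotSupportedException(); set => throw new NotSupportedException(); }
    public override long Seek(long o, SeerOrigin_Unused s) => throw new NotSupportedException();
    public override void SetLength(long v) => throw new NotSupportedException();
}
```

Inside the question's `OnConnect`, the two lines that build the SslStream become: `byte[] hello = SniPeek.ReadRecord(clientStream);`, `string targetHost = SniPeek.TryGetServerName(hello, hello.Length);` and `new SslStream(new ReplayStream(clientStream, hello, hello.Length), false)`, after which `AuthenticateAsServer` can be given the certificate matching `targetHost` (null when the client sent no SNI). The parser only inspects the first record, so a ClientHello that spans two records (large hellos do exist) yields null rather than a wrong name, and the replay wrapper means SslStream still completes the handshake in that case. On later runtimes (.NET Core 2.0 onward) the `ServerCertificateSelectionCallback` in `SslServerAuthenticationOptions` hands you the SNI host name directly, which removes the need to peek at the socket at all.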

0 Answers