
MqttClient.ConnectAsync() with Tls enabled: 'RemoteCertificateChainErrors' (RevocationStatusUnknown) on Android, but not on iOS #1920

Open
FelixSt96 opened this issue Jan 31, 2024 · 1 comment

@FelixSt96

Describe the bug

We have a HiveMQ broker with TLS encryption enabled. We were able to connect via iOS, but got an error on Android, even though we do not use platform-specific code. To inspect the issue, we added a debug output to the CertificateValidationHandler, as described in the client sample 'Inspect_Certificate_Validation_Errors()'. There we can see the difference between iOS and Android.

For iOS we see that there are no errors in validating the certificate chain.
For Android we see that there are 'RemoteCertificateChainErrors', because the RevocationStatus is unknown.

The certificate chain presented by the HiveMQ broker is valid; we already checked that, and it is reproducible on different brokers, not only HiveMQ.

Which component is your bug related to?

  • Client

To Reproduce

Steps to reproduce the behavior:

  1. Using this code (everything is in there, including an example broker). Deploy it to Android and iOS to get the described behavior.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using MQTTnet;
using MQTTnet.Client;

static class Repro
{
    public static async Task ConnectAndInspectCertificateAsync()
    {
        var mqttFactory = new MqttFactory();

        using (var mqttClient = mqttFactory.CreateMqttClient())
        {
            var mqttClientOptions = new MqttClientOptionsBuilder().WithTcpServer("689fc9876685493f8f11ba11d0154f35.s2.eu.hivemq.cloud", 8883)
                .WithCredentials("AppIot", "Michael1$")
                .WithTlsOptions(
                    o =>
                    {
                        o.WithCertificateValidationHandler(
                            eventArgs =>
                            {
                                // Dump what the platform TLS stack reports so iOS and Android can be compared.
                                System.Diagnostics.Debug.WriteLine(eventArgs.Certificate.Subject);
                                System.Diagnostics.Debug.WriteLine(eventArgs.Certificate.GetExpirationDateString());
                                System.Diagnostics.Debug.WriteLine(eventArgs.Chain.ChainPolicy.RevocationMode);
                                System.Diagnostics.Debug.WriteLine("Chain Certs");
                                eventArgs.Chain.ChainElements.ToList().ForEach(x => System.Diagnostics.Debug.WriteLine(x.Certificate.Subject));
                                System.Diagnostics.Debug.WriteLine("ChainElements Status");
                                eventArgs.Chain.ChainStatus.ToList().ForEach(x => System.Diagnostics.Debug.WriteLine($"{x.Status}: {x.StatusInformation}"));
                                System.Diagnostics.Debug.WriteLine("SSL Policy Error");
                                System.Diagnostics.Debug.WriteLine(eventArgs.SslPolicyErrors);
                                // Returning true accepts any certificate; this is only for inspecting the errors while debugging.
                                return true;
                            });
                    })
                .Build();

            // In MQTTv5 the response contains much more information.
            using (var timeout = new CancellationTokenSource(5000))
            {
                await mqttClient.ConnectAsync(mqttClientOptions, timeout.Token);
            }
        }
    }
}
```

Expected behavior

Because we have the same connect code and the same broker we are connecting to, there should not be a different behavior on iOS and Android. Android should behave like iOS.

Screenshots

No screenshots, because all code needed is given in "To reproduce" above.

Additional context / logging


iOS debug log:

```text
CN=*.s2.eu.hivemq.cloud
3/2/2024 11:20:23 PM
Online
Chain Certs
            CN=*.s2.eu.hivemq.cloud
            CN=R3, O=Let's Encrypt, C=US
            CN=ISRG Root X1, O=Internet Security Research Group, C=US
ChainElements Status
SSL Policy Error
            None
```

Android debug log:

```text
CN=*.s2.eu.hivemq.cloud
02.03.2024 23:20:23
Online
Chain Certs
            CN=*.s2.eu.hivemq.cloud
            CN=R3, O=Let's Encrypt, C=US
            CN=ISRG Root X1, O=Internet Security Research Group, C=US
ChainElements Status
            RevocationStatusUnknown: Certificate does not specify OCSP responder
            RevocationStatusUnknown: The certificate's revocation status could not be determined.
SSL Policy Error
            RemoteCertificateChainErrors
```

FelixSt96 added the bug label on Jan 31, 2024
@rido-min (Member)

Which Android version are you using? There are some known incompatible OS versions with Let's Encrypt certs.

https://letsencrypt.org/docs/certificate-compatibility/

To work around it you can:

  • Configure the RevocationMode as NoCheck (not ideal), or
  • Include the CA file in your app, and use WithTrustChain: `.WithTrustChain(caChain)`
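The second workaround above (bundle the CA and hand it to `WithTrustChain`), written out as an added example that is not from the issue or from MQTTnet's own samples. It goes one step further than the repro's `return true` handler: the validation handler only tolerates the RevocationStatusUnknown / OfflineRevocation statuses seen in the Android log and still rejects every other chain error. The `caPemPath` and `tolerateUnknownRevocation` parameters and the PEM loading are my assumptions; builder and event-args names follow MQTTnet 4.x as I know them, and `WithRevocationMode` is assumed to exist on the TLS options builder.

```csharp
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MQTTnet.Client;

static class TrustChainExample
{
    // Statuses that only mean "the revocation lookup could not complete" (what the Android log shows).
    // Anything else (UntrustedRoot, NotTimeValid, PartialChain, ...) is a genuine chain failure.
    static readonly X509ChainStatusFlags RevocationLookupOnly =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    // caPemPath: a PEM file shipped with the app containing the broker's trust anchor
    // (ISRG Root X1 in the issue's chain), so the device's own CA store no longer decides.
    public static MqttClientOptions Build(string host, string caPemPath, bool tolerateUnknownRevocation)
    {
        var caChain = new X509Certificate2Collection();
        caChain.ImportFromPemFile(caPemPath); // .NET 5+ API; assumed packaging of the CA file

        return new MqttClientOptionsBuilder()
            .WithTcpServer(host, 8883)
            .WithTlsOptions(o => o
                .WithTrustChain(caChain)
                // First workaround from the reply, left disabled because it turns revocation off entirely:
                // .WithRevocationMode(X509RevocationMode.NoCheck)
                .WithCertificateValidationHandler(args => Validate(args, tolerateUnknownRevocation)))
            .Build();
    }

    // Returns true only for a clean chain, or for a chain whose sole problem is an
    // unreachable revocation source when the caller explicitly opted into that.
    public static bool Validate(MqttClientCertificateValidationEventArgs args, bool tolerateUnknownRevocation)
    {
        if (args.SslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Name mismatch or a missing server certificate is never acceptable.
        if (args.SslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        // OR all reported statuses together and check that nothing outside the revocation-lookup set is present.
        var flags = args.Chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
        bool onlyRevocationLookup = (flags & ~RevocationLookupOnly) == X509ChainStatusFlags.NoError;
        return tolerateUnknownRevocation && onlyRevocationLookup;
    }
}
```

With `tolerateUnknownRevocation` set to false the handler behaves like the default .NET policy; setting it to true reproduces the "accept unknown revocation" outcome iOS already gives, without accepting untrusted or expired chains as the repro's handler does.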
