Bug in MailService.DefaultServerCertificateValidationCallback #977

Closed
jeglinski opened this issue Jan 22, 2020 · 2 comments
Labels
bug Something isn't working

@jeglinski

Issue

In MailService.DefaultServerCertificateValidationCallback the return value is always false when the certificate chain is checked, e.g. if only SslPolicyErrors.RemoteCertificateChainErrors is detected.

The reason is the incorrect comparison between the certificate (of type X509Certificate) and the certificate in the certificate chain (of type X509Certificate2):

if (element.Certificate != certificate)
	continue;

I have tested this with different certificate chains, also of different lengths, for sending an e-mail via SMTP (with ConnectAsync(...) and Connect(...)).

The searched certificate is not found in the certificate chain, although it exists.

My suggestion for a solution
Replace the mentioned code with the following:

if (!element.Certificate.GetCertHashString().Equals(certificate.GetCertHashString(), StringComparison.OrdinalIgnoreCase))
	continue;

Both X509Certificate.GetCertHashString and X509Certificate2.Thumbprint return the SHA1 hash value for the X.509v3 certificate as a hexadecimal string.

For more information see:
https://github.com/dotnet/corefx/issues/16493
https://docs.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.x509certificate.getcerthashstring
https://docs.microsoft.com/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.thumbprint

Environment

  • OS: Windows 10 x64, Windows Server 2016
  • .NET Framework 4.7.2, .NET Core 2.2
  • Intranet SMTP server with a self-signed certificate.
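
The comparison problem reported above, reproduced as an added example (not code from the issue or from MailKit): two distinct objects holding the same certificate are unequal under `!=`, which is a reference comparison, while the hash strings and the raw encoded bytes match. The subject name, the throwaway self-signed certificate and the `SameCertificate` helper are constructed for illustration, and the sketch assumes .NET Framework 4.7.2 or .NET Core 2.0 and later for `CertificateRequest`.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertificateComparisonDemo
{
    // Hypothetical helper: value comparison over the DER encoding, independent of object identity.
    static bool SameCertificate(X509Certificate a, X509Certificate b)
    {
        return a.GetRawCertData().SequenceEqual(b.GetRawCertData());
    }

    static void Main()
    {
        using (RSA key = RSA.Create(2048))
        {
            // Constructed sample: throwaway self-signed certificate (placeholder subject).
            var request = new CertificateRequest("CN=smtp.example.test", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            DateTimeOffset now = DateTimeOffset.UtcNow;
            using (X509Certificate2 generated = request.CreateSelfSigned(now.AddDays(-1), now.AddDays(30)))
            using (var chain = new X509Chain())
            {
                // Stand-in for the callback's "certificate" argument (base type X509Certificate).
                X509Certificate certificate = new X509Certificate(generated.Export(X509ContentType.Cert));

                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                bool trusted = chain.Build(generated); // false is expected: the root is not trusted
                Console.WriteLine("chain trusted: " + trusted);

                foreach (X509ChainElement element in chain.ChainElements)
                {
                    // Reference inequality: no != overload exists, so this is true for distinct objects.
                    Console.WriteLine("element.Certificate != certificate : " + (element.Certificate != certificate));
                    // The issue's suggested fix: compare the SHA-1 hash strings.
                    Console.WriteLine("hash strings equal                 : " + element.Certificate.GetCertHashString()
                        .Equals(certificate.GetCertHashString(), StringComparison.OrdinalIgnoreCase));
                    // Alternative that avoids the hash: compare the raw encoded bytes.
                    Console.WriteLine("raw bytes equal                    : " + SameCertificate(element.Certificate, certificate));
                }
            }
        }
    }
}
```
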
jstedfast added a commit that referenced this issue Jan 22, 2020
Compare X509Certificates via their hashes.

Fixes issue #977
@jstedfast
Owner

Thanks

@jstedfast jstedfast added the bug Something isn't working label Jan 22, 2020
@jstedfast
Owner

jstedfast commented Feb 15, 2020

Just released MailKit 2.5.1 with this fix.
