HttpClientHandler.ServerCertificateCustomValidationCallback requires .NET Framework 4.7.1 #5

Open
tloveland1 opened this issue Jan 3, 2022 · 7 comments


@tloveland1

tloveland1 commented Jan 3, 2022

The repo states the library requires .NET 4.6.1, but this property did not exist until .NET Framework 4.7.1:

    ServerCertificateCustomValidationCallback = certPinner

https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclienthandler.servercertificatecustomvalidationcallback?view=netframework-4.7.1

Trying to use the client on a Windows machine that does not have at least .NET Framework 4.7.1 would most likely cause a runtime error. It would be really nice to use this with my .NET 4.6.2 web app, but I foresee this being a reason I can't.

@AaronAtDuo
Contributor

I just ran across this myself and hadn't updated the repo yet. I think it is very likely I'll have to change the minimum .NET framework requirement to 4.7.1 because of this. I looked around but 4.6 doesn't seem to have anything that can accomplish the same task.

@tloveland1
Author

tloveland1 commented Jan 7, 2022

What about using System.Net.Http.WinHttpHandler instead? (idea taken from dotnet/runtime#15697 (comment))

        /// <summary>
        /// Get the appropriate HttpMessageHandler based on the builder settings:
        ///   If a custom handler was specified, return that one (TESTS ONLY)
        ///   Otherwise, return a Handler with the appropriate settings
        /// </summary>
        /// <returns>An HttpMessageHandler for use in a client</returns>
        private HttpMessageHandler GetMessageHandler()
        {
            // Custom handler takes precedence
            if (_httpMessageHandler != null)
            {
                return _httpMessageHandler;
            }

            var certPinner = GetCertificatePinner();
            return new WinHttpHandler()
            {
                ServerCertificateValidationCallback = certPinner
            };

            //return new HttpClientHandler
            //{
            //    ServerCertificateCustomValidationCallback = certPinner
            //};
        }

Based on the dependencies listed from NuGet, it seems like it should be compatible with 4.6.1.

@AaronAtDuo
Contributor

@tloveland1 My biggest concern there is that, per the docs at https://docs.microsoft.com/en-us/dotnet/api/system.net.http.winhttphandler?view=dotnet-plat-ext-6.0

"WinHttpHandler is implemented as a thin wrapper on the WinHTTP interface of Windows and is only supported on Windows systems."

I think this may be a deal-breaker, as we want to support Linux and Mac .NET applications as well.

@tloveland1
Author

Ah, I did not see that. What about using it conditionally just for Windows platforms?

            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            {
                return new WinHttpHandler()
                {
                    ServerCertificateValidationCallback = certPinner
                };
            }
            else
            {
                return new HttpClientHandler
                {
                    ServerCertificateCustomValidationCallback = certPinner
                };
            }

@AaronAtDuo
Contributor

I'll look into it. The docs were not very clear on whether using the ServerCertificateValidationCallback shifted the entire responsibility of certificate validation onto the implementer, so I'll need to test that.

(As opposed to ServerCertificateCustomValidationCallback, which I confirmed does some initial checking - signatures, etc. - and sends the delegate that information in SslPolicyErrors to use in making the decision.)
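
As an added illustration (not code from this repository or from either commenter), here is a pinning delegate of the type both handler properties accept, written to fail closed on any SslPolicyErrors before comparing chain certificates against pinned SHA-256 hashes. It assumes the handler fills in SslPolicyErrors, which the comment above confirms only for HttpClientHandler; the class name, pin set and placeholder hash are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added illustration; PinningExample and its members are hypothetical names,
// not the library's GetCertificatePinner implementation.
public static class PinningExample
{
    // Constructed placeholder: SHA-256 (hex) of the DER encoding of each pinned certificate.
    private static readonly HashSet<string> PinnedSha256 =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "<SHA256-HEX-OF-PINNED-CA-CERT>"
        };

    // Same delegate shape as both handler properties discussed in the thread.
    public static Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool>
        CreatePinner()
    {
        return (request, cert, chain, errors) =>
        {
            // Fail closed on anything the platform flagged (name mismatch,
            // chain errors, missing certificate) before looking at pins.
            if (errors != SslPolicyErrors.None || cert == null || chain == null)
            {
                return false;
            }

            // Accept only if some certificate in the built chain matches a pin.
            using (var sha256 = SHA256.Create())
            {
                return chain.ChainElements
                    .Cast<X509ChainElement>()
                    .Any(e => PinnedSha256.Contains(
                        ToHex(sha256.ComputeHash(e.Certificate.RawData))));
            }
        };
    }

    // Uppercase hex without separators; the pin set compares case-insensitively.
    private static string ToHex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", string.Empty);
    }
}
```

Hashing `RawData` with `SHA256.Create()` avoids newer overloads, so the delegate compiles against the .NET Framework versions the thread is concerned with.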

@AaronAtDuo
Contributor

@tloveland1 I'm taking a look at this again, and the documentation at https://docs.microsoft.com/en-us/dotnet/api/system.net.http.winhttphandler.servercertificatevalidationcallback indicates this property is available in .NET Core 1.0 and 1.1, some .NET platform extensions, and some Xamarin stuff. I'm not very familiar with .NET environments, but doesn't this mean that it's not guaranteed to be available in .NET Framework applications?

@tloveland1
Author

tloveland1 commented Feb 17, 2022

I believe that refers to the compatibility of System.Net.Http.WinHttpHandler.dll, which provides the WinHttpHandler class. You would pull in System.Net.Http.WinHttpHandler.dll as a package in this library to use it (https://www.nuget.org/packages/System.Net.Http.WinHttpHandler/).

That NuGet package lists compatibility with .NET Framework 4.6.1.
