SuperSocket, an extensible socket application framework

New Post: SSL/TLS client authentication?

kerryjiang — Tue, 21 May 2013 16:47:20 GMT

I have added the feature you asked in the master branch:
http://supersocket.codeplex.com/SourceControl/changeset/24ab8aab1c783e745b3a5833f8581003f299a0a3

What you should do:
1) override the AppServer's method "ValidateClientCertificate(xxxx)"
2) set the attribute "clientCertificateRequired" in the certificate config node to be "true"

Source code checked in, #7a7c55d4cf054ae40468aca775c8f0c8fec63ad6

Kerry Jiang — Tue, 21 May 2013 11:31:08 GMT

fixed the InSending/InReceiving state uncontrolled issue

Source code checked in, #24ab8aab1c783e745b3a5833f8581003f299a0a3

Kerry Jiang — Tue, 21 May 2013 11:28:39 GMT

added the support for the client certificate validation

Commented Unassigned: Async Send Queuing [12394]

kerryjiang — Tue, 21 May 2013 10:17:24 GMT

Hello - I would like to throttle my sending of messages on a SocketSession based on the queue length. Is there a way you could expose a property with a count of the number of messages queued up?
Comments: The method TrySend(xxx) would be helpful. If it return false means the sending queue is full, you can use it to control the sending speed.

Created Unassigned: Async Send Queuing [12394]

krs43 — Tue, 21 May 2013 04:05:55 GMT

Hello - I would like to throttle my sending of messages on a SocketSession based on the queue length. Is there a way you could expose a property with a count of the number of messages queued up?

New Post: SSL/TLS client authentication?

kerryjiang — Sun, 19 May 2013 16:21:13 GMT

It's a good point, currently SuperSocket doesn't support it. But it seems easy to implement.

New Post: SSL/TLS client authentication?

cocowalla — Sun, 19 May 2013 16:11:56 GMT

Yes, but there is also something slightly different (quite commonly used!) called 'mutual authentication', where both the server and client authenticate each other.

I'm not sure if SuperSocket does provide any validation of client certificates today, as the SslStream constructor it uses doesn't enforce clients presenting certificates.

What I need to do is use a different SslStream constructor to specify that client certificates must be presented, and use a different AuthenticateAsServer overload to specify a validation callback.

Does the SuperSocket API expose any way to allow this?

New Post: SSL/TLS client authentication?

kerryjiang — Sun, 19 May 2013 15:54:40 GMT

No, it's automatically.

The server will validate the clients automatically.

The fact is the certificate is provided by the server side. It is same with the certificate of https of websites.

New Post: SSL/TLS client authentication?

cocowalla — Sun, 19 May 2013 15:47:14 GMT

I understand that it's up to the client to present (or not) a certificate to the server.

But it is of course up to the server how to authenticate the presented client certificates. In the MSDN article you linked to, it looks like you call SslStream.AuthenticateAsServer Method (X509Certificate, Boolean, SslProtocols, Boolean). It says this:

Called by servers to begin an asynchronous operation to authenticate the server and optionally the client using the specified certificates, requirements and security protocol

There is an SslStream constructor that lets you specify a callback to allow you to validate the certificate:

SslStream Constructor (Stream, Boolean, RemoteCertificateValidationCallback)

Initializes a new instance of the SslStream class using the specified Stream, stream closure behavior and certificate validation delegate

I found a code snippet here.

So, does the SuperSocket API expose any way to specify the validation callback, and to request that clients must present a certificate?

New Post: Support for protocol with message length at start?

cocowalla — Sun, 19 May 2013 15:31:44 GMT

As above, that's exactly what I did.

New Post: Support for protocol with message length at start?

kerryjiang — Sun, 19 May 2013 14:54:20 GMT

It seems you need to implement your own ReceiveFilter by yourself.

New Post: SSL/TLS client authentication?

kerryjiang — Sun, 19 May 2013 14:53:17 GMT

No, you are wrong, what you need is AuthenticateAsClient. The client doesn't have relationship with SuperSocket. Please google more articles on how to use SslStream in cleint side.

New Post: SSL/TLS client authentication?

cocowalla — Sun, 19 May 2013 14:44:05 GMT

OK, looks like I need to hook into the AuthenticateAsServer methods. Does the SuperSocket API expose any way to do this?

New Post: Support for protocol with message length at start?

cocowalla — Sun, 19 May 2013 14:40:49 GMT

Actually, it's someone elses protocol, so I can't redesign it ;)

You are right though, it's an odd design choice.

New Post: Support for protocol with message length at start?

kerryjiang — Sun, 19 May 2013 14:12:39 GMT

Actually, you should re-design your protocol.

Don't represent length by chars. Because if the length is 120, you require 3 bytes, but one byte can represent 0-255 and two bytes can represent 0 - 256 * 255.

New Post: SSL/TLS client authentication?

kerryjiang — Sun, 19 May 2013 14:05:54 GMT

Please read this doc:
http://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v=vs.100).aspx

New Post: Support for protocol with message length at start?

cocowalla — Sun, 19 May 2013 13:55:03 GMT

I had read the documentation, and seen FixedHeaderReceiveFilter - but as I mentioned, "message length is not a fixed size" :)

I came up with a solution by extending TerminatorReceiveFilter, so the underlying TerminatorReceiveFilter gets the message length, then filter code similar to that in FixedHeaderReceiveFilter is used after the message length is known.

New Post: SSL/TLS client authentication?

cocowalla — Sun, 19 May 2013 13:38:32 GMT

I've read the documentation, but it only discusses the certificate at the server end - it doesn't mention certificates presented by clients.

What functions are provided for us to perform authentication of those certificates? (e.g. checking against a list of valid thumbprints, or checking the issuer is trusted)

New Post: Support for protocol with message length at start?

kerryjiang — Sun, 19 May 2013 02:45:05 GMT

Please read the section FixedHeaderReceiveFilter in this doc:
http://docs.supersocket.net/v1-5/The-Built-in-Common-Format-Protocol-Implementation-Tools

New Post: SSL/TLS client authentication?

kerryjiang — Sun, 19 May 2013 02:44:04 GMT

Please read this doc at first:
http://docs.supersocket.net/v1-5/Enable-TLS-SSL-trasnferring-layer-encryption-in-SuperSocket