SFTP server certificate chain validation - part 2

0 votes
asked Oct 22 by tudor_t (190 points)

Hi,
This is a follow-up to a previous question (https://forum.rebex.net/17426/server-certificate-validation-with-rebex-sftp-client-library)
To summarize: we have a client/server application where the server (a console app on Windows) exposes an SFTP endpoint implemented with the Rebex File Server library, and the client connects to it using the Rebex SFTP library.
I am trying to validate the server I am connecting to, from the client, using a server X.509 certificate.

The SFTP server is started like this:

// Look the server certificate up in the Windows certificate store by thumbprint.
// The entry must include the private key, readable by the account running the server.
X509Certificate2 cert;
using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
    store.Open(OpenFlags.ReadOnly);
    cert = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false)[0]; // throws if not found
}
Certificate serverCert = new Certificate(cert);
SshPrivateKey sshPrivateKey = new SshPrivateKey(serverCert); // SSH host key backed by the X.509 certificate
_sftpServer = new FileServer();
_sftpServer.Bind(port, FileServerProtocol.Sftp);
_sftpServer.Keys.Add(sshPrivateKey);
_sftpServer.Start();

and the client validates the server key like this:

var ftp = new Sftp();
ftp.Connect(url, this.Port); // SSH handshake; the host key is available once this returns
SshPublicKey serverKey = ftp.ServerKey;
// The chain contains only the certificates the server actually sent with its host key
var certificateChain = serverKey.GetCertificateChain();
var validationResult = certificateChain.Validate(ValidationOptions.SkipRevocationCheck);
if (!validationResult.Valid)
{ ... }

If the server certificate is signed by an intermediate CA, and the client runs on a machine where the certificate for that intermediate CA is not present in the certificate store (e.g. on Linux with the Mono store, where only the root CA exists in the client's store), the validation fails (somewhat expected).

If the server certificate is signed directly by a root CA, or if the intermediate CA already exists in the client's store (e.g. on Windows), the validation works fine.

Is there a way to configure the Rebex SFTP file server so that it sends the entire intermediate CA chain to the client for validation? (Or is there another possible solution?)

(Manually installing the intermediate CA certificates on all clients is not always feasible.)

Applies to: Rebex SFTP

1 Answer

+1 vote
answered Oct 25 by Lukas Pokorny (126,870 points)
selected Oct 25 by tudor_t
 
Best answer

Strangely, the x509v3-sign-rsa cipher, which is what the Rebex libraries currently use for X.509 certificate authentication in SSH, lacks the ability to transmit intermediate certificates to the client.

Fortunately, this is going to be resolved as soon as next month in Rebex SFTP / Rebex File Server R6.0, which will add support for RFC 6187's x509v3-rsa2048-sha256 cipher.

If you would like to try a preview release of R6.0 now (the feature is already implemented), please contact us at support@rebex.net and we'll send you a download link.

commented Oct 25 by tudor_t (190 points)
Thanks! I think we can wait until the next version of Rebex FileServer will be released.
...
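The situation described in the question (a client that trusts only the root CA and receives nothing but the leaf certificate) and the reason given in the answer (x509v3-sign-rsa carries no intermediates) can be reproduced entirely in memory with the .NET X509 APIs. The following is an added example, not code from the original post or from Rebex: it generates a throwaway root, intermediate and leaf, then validates the leaf twice the way a client would, once with the leaf alone and once with the intermediate supplied out of band (bundled with the client application, for instance), which is a workaround that does not depend on the server sending the chain. The subjects, lifetimes and the ChainDemo class name are constructed test data; it assumes .NET Core 3.0 or later for X509ChainTrustMode.CustomRootTrust.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not Rebex or the poster's code). Builds root -> intermediate -> leaf
// in memory, then validates the leaf the way a client that trusts only the root would.
static class ChainDemo
{
    static readonly DateTimeOffset NotBefore = DateTimeOffset.UtcNow.AddDays(-1);

    // Self-signed root CA; keeps its private key so it can issue the intermediate.
    static X509Certificate2 MakeRoot(RSA key)
    {
        var req = new CertificateRequest("CN=Test Root CA", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(NotBefore, NotBefore.AddYears(10));
    }

    // Certificate issued by 'issuer' (which must carry its private key). CA certificates
    // get the CA basic constraint and keep 'key' so they can issue further certificates;
    // end-entity certificates are returned public-only.
    static X509Certificate2 MakeIssued(string subject, RSA key, bool isCa,
        X509Certificate2 issuer, int years)
    {
        var req = new CertificateRequest(subject, key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            isCa ? X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign
                 : X509KeyUsageFlags.DigitalSignature, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        byte[] serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the serial number positive
        var cert = req.Create(issuer, NotBefore, NotBefore.AddYears(years), serial);
        return isCa ? cert.CopyWithPrivateKey(key) : cert;
    }

    // Client-side check: trust only 'root' (not the machine store), skip revocation like
    // ValidationOptions.SkipRevocationCheck in the question, and offer any intermediates
    // the client obtained out of band (bundled with the app, a config file, ...).
    public static (bool Valid, string Status) Validate(X509Certificate2 leaf,
        X509Certificate2 root, params X509Certificate2[] intermediates)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.AddRange(intermediates);
        bool ok = chain.Build(leaf);
        string status = ok ? "OK"
            : string.Join(", ", chain.ChainStatus.Select(s => s.Status.ToString()));
        return (ok, status);
    }

    static void Main()
    {
        using RSA rootKey = RSA.Create(2048);
        using RSA intKey = RSA.Create(2048);
        using RSA leafKey = RSA.Create(2048);
        var root = MakeRoot(rootKey);
        var intermediate = MakeIssued("CN=Test Intermediate CA", intKey, true, root, 5);
        var leaf = MakeIssued("CN=sftp.example.test", leafKey, false, intermediate, 1);

        // Only the leaf's DER bytes travel with the SSH host key; the client has the root
        // in its trust store and nothing else, which is the Linux/Mono case in the question.
        var received = new X509Certificate2(leaf.RawData);
        Console.WriteLine($"leaf only:           {Validate(received, root)}");
        Console.WriteLine($"leaf + intermediate: {Validate(received, root, intermediate)}");
    }
}
```

The first Validate call cannot build a path from the leaf to the trusted root and reports a PartialChain status; the second succeeds because the intermediate is found in ExtraStore. Pinning the trust anchor with CustomRootTrust rather than relying on whatever the platform store contains is what makes the result identical on Windows and on Linux/Mono. Once the server can send the full chain (the R6.0 x509v3-rsa2048-sha256 support from the answer), the intermediates delivered by the server can be placed in ExtraStore in the same way, and the root should still come from the client's own trust anchor rather than from the server.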