Hi,
This is a follow-up to a previous question (https://forum.rebex.net/17426/server-certificate-validation-with-rebex-sftp-client-library).
To summarize: we have a client/server application where the server (a console app on Windows) exposes an SFTP endpoint implemented with the Rebex FileServer library, and the client connects to it using the Rebex SFTP library.
From the client, I am trying to validate the server I am connecting to using a server X.509 certificate.
The SFTP server is started like this:
// Look the server certificate up in the local machine store by thumbprint
// ("<thumbprint>" is a placeholder for the real value)
X509Certificate2 cert;
using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
    store.Open(OpenFlags.ReadOnly);
    cert = store.Certificates.Find(X509FindType.FindByThumbprint, "<thumbprint>", false)[0];
}
// Wrap the X.509 certificate (with its private key) as an SSH host key
Certificate serverCert = new Certificate(cert);
SshPrivateKey sshPrivateKey = new SshPrivateKey(serverCert);
_sftpServer = new FileServer();
_sftpServer.Bind(port, FileServerProtocol.Sftp);
_sftpServer.Keys.Add(sshPrivateKey);
_sftpServer.Start();
and the client validates the server key like this:
var ftp = new Sftp();
ftp.Connect(url, this.Port);
// The host key the server presented during the SSH handshake (X.509-based here)
SshPublicKey serverKey = ftp.ServerKey;
// The certificate chain carried by that key, validated against the local certificate store
var certificateChain = serverKey.GetCertificateChain();
var validationResult = certificateChain.Validate(ValidationOptions.SkipRevocationCheck);
if (!validationResult.Valid)
{ ... }
If the server certificate is signed by an intermediate CA,
and the client runs on a machine where the certificate of that intermediate CA is not present in the certificate store (e.g. on Linux with the Mono store), so that only the root CA exists in the client's store,
the validation fails (which is somewhat expected).
If the server certificate is signed directly by a root CA, or if the intermediate CA already exists in the client's store (e.g. on Windows), the validation works fine.
Is there a way to configure the Rebex SFTP file server so that it sends the entire intermediate CA chain to the client for validation? (Or is there another possible solution?)
(Manually installing the intermediate CA certificates on all clients is not always doable.)
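As an added example (not code from the post above or from Rebex), the following shows one client-side mitigation for the failure described: the client ships the intermediate CA certificate(s) with the application and feeds them to .NET's X509Chain via ChainPolicy.ExtraStore, so the path can be built even when the intermediate is absent from the machine store, while trust still comes from a root in the client's trusted root store, which the code additionally pins by thumbprint. It assumes the caller can obtain the server's leaf certificate as DER bytes (the accessor on the Rebex SshPublicKey/CertificateChain is not on the page, so the example takes the bytes as input), and that the intermediates are stored as *.cer files in a directory next to the client; "<ROOT_CA_THUMBPRINT>" is a placeholder.

```csharp
// Added example (not from the forum post or Rebex): validate an SFTP server's
// X.509 leaf certificate on a client whose store holds the root CA but not the
// intermediate CA, by supplying the intermediate(s) through X509Chain.ExtraStore.
// Assumptions: the caller extracts the server's leaf certificate as DER bytes from
// the Rebex server key (accessor not shown), and the intermediate CA certificates
// are shipped with the client as *.cer files.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class ServerCertValidator
{
    public sealed class Outcome
    {
        public bool Valid;
        public string RootThumbprint;
        public List<string> Errors = new List<string>();
    }

    // leafDer: the server certificate presented during the SSH handshake.
    // intermediateDers: intermediate CA certificates bundled with the client.
    // expectedRootThumbprint: SHA-1 thumbprint (hex, no spaces) of the one root CA
    // the client is willing to trust for this server.
    public static Outcome Validate(byte[] leafDer,
                                   IEnumerable<byte[]> intermediateDers,
                                   string expectedRootThumbprint)
    {
        var outcome = new Outcome();
        using (var leaf = new X509Certificate2(leafDer))
        using (var chain = new X509Chain())
        {
            // ExtraStore only helps build the path; it does not make anything trusted.
            // Trust still requires the root to be in the client's trusted root store.
            foreach (var der in intermediateDers)
                chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(der));

            // Same policy as ValidationOptions.SkipRevocationCheck in the post.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            bool built = chain.Build(leaf);

            foreach (var status in chain.ChainStatus)
                if (status.Status != X509ChainStatusFlags.NoError)
                    outcome.Errors.Add(status.Status + ": " + status.StatusInformation.Trim());

            if (chain.ChainElements.Count > 0)
            {
                // The last element is the root the chain was anchored at.
                var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
                outcome.RootThumbprint = root.Thumbprint;
                // Pinning the root rejects a chain that builds to some other root the
                // machine happens to trust but that should never issue this server's cert.
                if (!string.Equals(root.Thumbprint, expectedRootThumbprint,
                                   StringComparison.OrdinalIgnoreCase))
                    outcome.Errors.Add("chain ends at unexpected root " + root.Thumbprint);
            }
            else
            {
                outcome.Errors.Add("no chain could be built");
            }

            outcome.Valid = built && outcome.Errors.Count == 0;
        }
        return outcome;
    }

    // Loads every *.cer (DER) file from a directory shipped with the client.
    public static List<byte[]> LoadIntermediates(string directory)
    {
        return Directory.GetFiles(directory, "*.cer").Select(File.ReadAllBytes).ToList();
    }

    public static void Main(string[] args)
    {
        // args[0]: path to the server's leaf certificate in DER form (for testing;
        // in the real client the bytes come from the key received on connect).
        byte[] serverLeafDer = File.ReadAllBytes(args[0]);
        var intermediates = LoadIntermediates("intermediates");
        var result = Validate(serverLeafDer, intermediates, "<ROOT_CA_THUMBPRINT>");
        Console.WriteLine(result.Valid
            ? "server certificate OK, root " + result.RootThumbprint
            : "REJECT: " + string.Join("; ", result.Errors));
    }
}
```

This only covers the intermediates the client knows about in advance, so it sidesteps the store installation problem rather than answering whether the server can send the chain itself; the root-thumbprint check is the part that actually limits which CA may vouch for the server, and the validation should run before the client authenticates to the server.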