xamarin.android.net.ServerCertificateCustomValidator_TrustManager does not check the TLS certificate chain correctly in .NET MAUI Android app Vulnerability issue

Description: X509TrustManager.checkServerTrusted(...) needs to throw a java.security.cert.CertificateException if the certificate chain cannot be trusted.
The class xamarin.android.net.ServerCertificateCustomValidator_TrustManager never does this.

Recommendations: Use the default X509TrustManager whenever possible. If you have to use a custom
implementation, make sure to properly verify the certificate chain.

Regrading this TLS certificate issue we have tried below steps to provide fixes from .NET MAUI framework but no luck for the solution.

(1) By setting AndroidHttpClientHandlerType property value to Unset/the empty string
(2) By explicitly passing the handler property in all httpclient API instances.
(3) By explicitly setting the TLS 1.2
(4) By increasing the minimum SDK verion to 26 from 24

In Visual Studio .NET MAUI framework By default, X509TrustManager is being used in the application.

Please help us to provide the solution for this certificate issue.

Thanks you!!

Yonglun Liu (Shanghai Wicresoft Co,.Ltd.) 38,066 Reputation points Microsoft Vendor

2023-07-10T05:33:19.0266667+00:00
For further investigation, could you please provide the following information?

Could you please provide a minimal code snippet or step that reproduces this issue and add it to your question?

I noticed that you provide a minimum SDK. Could you please provide what is the target SDK?

Your prompt reply will be highly appreciated.
SATHISH KUMAR M (Acsys International) 0 Reputation points

2023-07-10T06:41:05.9+00:00
Thanks for your reply. Please have a look on the below comments.

Could you please provide a minimal code snippet or step that reproduces this issue and add it to your question?
ANS: By default we are using httpclient for all api request. We are facing this issue in Generic not specific to any line of code.

I noticed that you provide a minimum SDK. Could you please provide what is the target SDK?
ANS: The target SDK version is API level 33.

Please let us know if any other information needed from our end. We are waiting for the solution for this issue.

Thank you!!
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Yonglun Liu (Shanghai Wicresoft Co,.Ltd.) 38,066 Reputation points Microsoft Vendor

2023-07-11T07:59:28.53+00:00

After further investigation, this issue should be more of a variant of a known issue in Xamarin.Android: Custom validation callback for server certificates in SslStream does not work #7641.

According to the developer's reply, this issue has been fixed in .NET 8.

I'm already working on a solution to this problem: dotnet/runtime#77386. If everything goes well, it should be part of .NET 8.

For your issue, it is recommended that you file this issue in GitHub on Xamarin.Android - issues and the detailed reproduction steps to get our developers to fix this issue.
SATHISH KUMAR M (Acsys International) 0 Reputation points

2023-07-11T09:09:49.5166667+00:00

Thanks for your reply!!

As suggested, we already raised this issue in GitHub on https://github.com/dotnet/maui/discussions. Also we will wait for .NET 8 release and keep you posted.
Yonglun Liu (Shanghai Wicresoft Co,.Ltd.) 38,066 Reputation points Microsoft Vendor

2023-07-12T05:18:59.2866667+00:00

Thank for your feedback.

Share via

xamarin.android.net.ServerCertificateCustomValidator_TrustManager does not check the TLS certificate chain correctly in .NET MAUI Android app Vulnerability issue