@dckorben dckorben commented Dec 23, 2025

"Fixes" #990

This isn't final, too duplicative. Need someone to verify it works on Windows/Linux as we've been bitten by behavior differences before and I don't have an admin box I can trust the generated CA with.

@dimaaik27 Please verify this works in your implementation before I clean up the code.

@dckorben dckorben changed the title from "Develop990" to "Fallback to System Cert Store" Dec 23, 2025
return false;
}

// If CA Certificate is specified then validate against the CA certificate, otherwise it is validated against the installed certificates

@dckorben dckorben Dec 23, 2025

Notable that this comment SAYS it validates against installed certificates, but that is actually not true. It validates against installed certificates if it is an HTTPS/TLS connection, which was probably the intended meaning. If you specify a certificate but not a CA, it just fails. In the case of #990, you can specify a certificate from a Public CA but then validation fails, and because many CAs use a lineage of certificates, you cannot validate the chain with the existing configuration options.

@dckorben dckorben changed the title from "Fallback to System Cert Store" to "Fallback to System Certificate Store when CA Certificate Path Is Not Present" Dec 23, 2025

dckorben commented Dec 23, 2025

I do see a potential issue here where it doubles up the certificate chain validation for TLS/HTTPS connections because the function VerifyRemoteCertificate isn't aware of the certificate source.

@dimaaik27

@dckorben yes it works now if I don't specify CA certificate and it checks it against the installed ones.

@dckorben

Are you a Linux test by chance?

@dckorben

> @dckorben yes it works now if I don't specify CA certificate and it checks it against the installed ones.

The good aspect of this is you won't have to manage the CA key expirations manually. So, it's an improvement in function as well.

@dimaaik27

nope, Windows
