0

I am creating an IMAP server in C#. I need to enable SSL connection security in it. I am using Thunderbird as an IMAP client to test my server. I tried following Microsoft link to enable SSL in IMAP server application https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream?view=net-5.0

I got the " An established connection was aborted by the software in your host machine.." error On the read and write function of SSL stream. I tried using the stream reader and writer as well.

SslStream SslStream = new SslStream(TcpClient.GetStream());
SslStream.AuthenticateAsServer(ServerCertificate, true, System.Security.Authentication.SslProtocols.Tls12, true);
StreamReader Reader = new StreamReader(SslStream, Encoding.UTF8);
StreamWriter Writer = new StreamWriter(SslStream, Encoding.UTF8){ AutoFlush = true };

I created the SSL certificate using the following commands in openssl command prompt:

openssl genpkey -algorithm RSA -out private.key
openssl req -new -key private.key -out csr.csr
openssl x509 -req -days 365 -in csr.csr -signkey private.key -out certificate.crt
openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.p12

The above commands created a p12 type certificate I also tried a pfx type certificate. I still faced issues on sslstream.Read function. I get this error "Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.." on sslstream.Read function. I tried using pfx type self signed certificates as well. but SSLstream does not work for me.

the SslStream.AuthenticateAsServer(ServerCertificate, false, System.Security.Authentication.SslProtocols.Tls12, true); function works fine but for some reason, the string line = await reader.ReadLineAsync(); function keeps getting stuck.

I found this NetCoreServer package that can be used to create SSL server. It also has example code to use SSLServer class for SSL connection. But looks like Thunderbird does not accept self-signed certificate given with it. The session gets connected and disconnected immediately without creating a handshake.

Can someone help me how to enable my imap server application to create a successful SSL connection with imap clients like Thunderbird with self-signed certificates?

Fatima A.
  • 41
  • 13
  • 1
    You’ll have to have the client accept the self-signed certificate. To do so, it must be imported into the client’s trust store. – not2savvy Jun 26 '23 at 21:36
  • @not2savvy Thank you for your comment. I used the certificate with the localhost common name and my server is running on localhost:993. I still face the Exception on Thunderbird (When trying to add the certificate in the trust store): Wrong Site: the certificate belongs to a different site, which could mean that someone is trying to impersonate this site. Altho, clicking confirm the security exception makes it work. – Fatima A. Jun 27 '23 at 09:06
  • The domain name(s) in the certificate must match the domain under which the client has accessed the server. – not2savvy Jun 27 '23 at 18:04

1 Answers1

1

The server certificate is validated by the client to ensure, that it is communicating with the expected server and not some man in the middle attacker.

It would be terribly insecure if a server could make the client accept arbitrary self-signed certificates - because an attacker would then be able to do the same thing and by this undermining the reason certificates are used in the first place.

Instead the server needs to use a certificate, which is trusted by the client. This can be done with a certificate issued by a publicly trusted CA, because then the client can verify the certificate using existing trust relationships with this public CA. In case of self-signed certificate the certificate must instead be explicitly transmitted to each client in a secure way and imported in each client as trust, before it can be used for validation by the client.

Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172
  • Hi Steffen, Thank you for your answer. Yes, I know we need to have a certificate issued by a publicly trusted CA but as this project is currently in the testing phase we plan to use a self-signed certificate. I used the certificate with the localhost common name and my server is running on localhost:993. I still face the error on Thunderbird (When trying to add the certificate in trust store): Wrong Site: the certificate belongs to a different site, which could mean that someone is trying to impersonate this site. Altho, clicking confirm the security exception makes it work. – Fatima A. Jun 27 '23 at 09:02
  • @FatimaA.: like I said - if you don't want to use publicly trusted certificates you need to add the trust in each client manually – Steffen Ullrich Jun 27 '23 at 09:11
  • Thanks Steffen, I also checked with Claw Mail which is another IMAP client and we have to add an exception in the IMAP clients if we use a self-signed certificate. – Fatima A. Jun 27 '23 at 11:25