Secure Web Socket client and FQDN

[AKumkov]

Hello.
I am trying to develop a softphone application that connects to a SIP server over a secured web socket connection. I came to some problems that I tried to solve myself. But I hope that someone could point me to a better solution.

During connection clientWebSocket.ConnectAsync(serverUri, m_cts.Token).ConfigureAwait(false); a ""System.Net.WebSockets.WebSocketException" exception is thrown with a message "AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch".
I found that FQDN name of a SIP server is resolved to an IP address and stored in a SIPEndpoint class.
The resulting URI is looking like "wss://172.27.29.54:5062". Of course, it will not accept a certificate where the subject's alternative name is configured like FQDN.
I extended SIPEndpoint class with a hostname property that is used to establish a connection and it worked out.
Is there a better way to do it?

The second problem is specific to Xamarin.Android. "System.Net.WebSockets.ClientWebSocket" class ignores Network Security Configuration and does not trust self-signed certificates.
I have seen dotnet/android#2176
Shall I switch to Ninja.WebSockets or wait until .NET6 or what ever else...

Third problem is that according to RFC rfc7118 a subprotocol "sip" hast to be used during websocket handshake and a library does not give any possibility to control this.

Thank you in adavance.

[sipsorcery]

I extended SIPEndpoint class with a hostname property that is used to establish a connection and it worked out.
Is there a better way to do it?

Yes, a better approach would be to use the SIPClientWebSocketChannel.SendSecureAsync method that takes the common name of the web socket server certificate. The problem is that method doesn't currently pass the server certificate name through. I've created #488 to fix it. I'll ping you from that issue when it's ready to test.

The second problem is specific to Xamarin.Android. "System.Net.WebSockets.ClientWebSocket" class ignores Network Security Configuration and does not trust self-signed certificates.

I don't know enough about Android/Xamarin to suggest a .NET fix. As an alternative you could use LetsEncrypt to generate a free valid certificate for your testing. In my experience it's now often quicker to get a valid free certificate than to wrestle with self signed certificates.

Third problem is that according to RFC rfc7118 a subprotocol "sip" hast to be used during websocket handshake and a library does not give any possibility to control this.

I did add the sip subprotocol constant but didn't wire it up for some reason that I can't recall. Possibly because, as you've stated, the .NET web socket client doesn't allow it. If that's the case the only fix may be to find an alternative client web socket implementation. I won't be able to do that at the moment but Pull Requests are always welcome.

[AKumkov]

Thank you for your answers!