Questions regarding code security and SSL

[teSill]

Hello,

first of all, thank you for all the hard work that went into the library! Using it has been a great time.

The first question I have is regarding my implementation for keeping track of connected client. I'm currently using Ip ports to detect and pass the network messages to the right client, which I've read mixed opinions about it.

public static Dictionary<string, NetworkClient> ConnectedClientsByIpPort { get; private set; } = new Dictionary<string, NetworkClient>();

private static void MessageReceived(object sender, MessageReceivedEventArgs args) {
	DeserializeMessage(args, Encoding.UTF8.GetString(args.Data));
}

private static void DeserializeMessage(MessageReceivedEventArgs args, string data) {
	var deserializedMessage = (JObject)JsonConvert.DeserializeObject(data);
	if (deserializedMessage["MsgType"] == null) {
		return;
	}

	var messageTypeString = deserializedMessage["MsgType"].ToString();

	if (!string.IsNullOrEmpty(messageTypeString)) {
		if (int.TryParse(messageTypeString, out var value)) {
			ConnectedClientsByIpPort[args.IpPort].ProcessReceivedMessage(args, deserializedMessage, (MessageType)value);
		}
	}
}

Is this a bad idea? Would using some session token that would then be a part of every network message be a better idea to make sure that messages reach the correct users?

The second concern I have is regarding the use of SSL, though that has less to do with the library itself and more with my lack of understanding of that entire subject. There was some great discussion around it here #123 and I've read it through, but I still have some questions.

To preface my scenario, my project is a video game (Client in the Unity engine and server .NET Core). The server will be running on Ubuntu and the client will be built for multiple platforms (PC, Android, iOS).

Is the SSL structure used in the WatsonTcp example sufficient for a set up like this? The certificate password would of course have to be stored somewhere else, but I haven't been able to find a solid implementation for that yet. Does an implementation even exist where we can be sure that the client is able to fetch the password from somewhere, sign the certificate in the build and connect to the server with it, all without the user being able to pick it up somewhere in between? Or am I fundamentally misunderstanding something about the whole process?

[jchristn]

Hi @teSill thank you for your note. First, referencing by ip:port ensures that when you send a message it goes to the correct peer. It links specifically to the underlying TcpClient. Regarding deserialization, I would deserialize directly to a class instance rather than using a JObject for a variety of reasons. First is the ability to directly access class members with an associated type rather than having to do so by a string key and then cast to the appropriate type. In terms of SSL, I intentionally left that part out of the library. It's a hard problem (key management and security), but there are solutions out there such as HashiCorp Vault that may be appropriate.