Skip to content

Fix CurveServerCertificate setting wrong socket option#1164

Draft
drewnoakes with Copilot wants to merge 2 commits into
masterfrom
copilot/fix-curve-encryption-issue
Draft

Fix CurveServerCertificate setting wrong socket option#1164
drewnoakes with Copilot wants to merge 2 commits into
masterfrom
copilot/fix-curve-encryption-issue

Conversation

Copilot AI commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

CurveServerCertificate was setting CurveServerKey (the remote server's public key, a client-side option) instead of the server socket's own CurveSecretKey + CurvePublicKey. This left CurveSecretKey as all-zeros on the server, causing CurveServerMechanism to fail decrypting every client HELLO and silently reject all connections.

Changes

  • SocketOptions.cs / ThreadSafeSocketOptions.cs: CurveServerCertificate now sets CurveSecretKey + CurvePublicKey (the server's own key pair) instead of CurveServerKey. Requires a certificate with a secret key. Updated docs to clarify server-side intent and point clients to CurveServerKey = serverCert.PublicKey.
  • CurveTests.cs: Added CurveServerCertificateTest reproducing the reported pattern.

Before / After

// Before: silently misconfigured — CurveSecretKey stayed all-zeros
server.Options.CurveServer = true;
server.Options.CurveServerCertificate = serverCert; // was setting CurveServerKey — wrong

// After: works as the name implies
server.Options.CurveServer = true;
server.Options.CurveServerCertificate = serverCert; // sets CurveSecretKey + CurvePublicKey

// Clients specify the server's public key via:
client.Options.CurveServerKey = serverCert.PublicKey;
client.Options.CurveCertificate = clientCert;

…icKey)

Previously CurveServerCertificate set CurveServerKey (the remote server's
public key used by clients), which meant that a server socket using
CurveServerCertificate left its CurveSecretKey as all-zeros. This caused
CurveServerMechanism to fail decrypting client HELLO messages, rejecting
all clients with a correct certificate.

Now CurveServerCertificate sets CurveSecretKey and CurvePublicKey from
the provided certificate, matching its name and the natural server-side
configuration intent. Clients can use CurveServerKey = serverCert.PublicKey
to specify the server's public key for authentication.

Adds a regression test (CurveServerCertificateTest) that reproduces the
reported issue scenario.

Fixes #1163
Copilot AI changed the title [WIP] Fix Curve encryption not accepting client with valid certificate Fix CurveServerCertificate setting wrong socket option Jun 18, 2026
Copilot AI requested a review from drewnoakes June 18, 2026 06:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Curve encription doesn`t accept client with correct certificate

2 participants