CA Cert was not actually being checked

MWClayson-NHS · MWClayson-NHS · commit ee8caae42bfe · 2025-04-10T11:39:43.000+01:00
diff --git a/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs b/application/DotNetMeshClient/NHS.Mesh.Client/Clients/MeshConnectClient.cs
@@ -100,12 +100,26 @@ private async Task<HttpResponseMessage> SendHttpRequest(HttpRequestMessage httpR
                 {
                     chain.ChainPolicy.CustomTrustStore.Add(caCert);
                 }
-                if (cert != null)
+                if (cert == null)
                 {
-                    // Rebuild the chain with added certs
-                    return chain.Build(cert);
+                    return false;
                 }
-                return false;
+                // Rebuild the chain with added certs
+                if (!chain.Build(cert))
+                {
+                    return false;
+                }
+
+                bool isValidCA = mailboxConfiguration.serverSideCertCollection
+                    .Any(caCert => caCert.Thumbprint == cert.Issuer);
+                if (!isValidCA)
+                {
+                    _logger.LogError("Server certificate is not issued by a trusted CA!");
+                    return false;
+                }
+
+                return true;;
+
             };
         }
 
