/// <summary>
///
/// </summary>
/// <param name="dh"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
public virtual void AuthenticateAsServer(
DH dh,
SslProtocols enabledSslProtocols,
SslStrength sslStrength)
{
EndAuthenticateAsServer(BeginAuthenticateAsServer(dh, enabledSslProtocols, sslStrength, null, null));
}
public SslStreamServer(
Stream stream,
bool ownStream,
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation,
RemoteCertificateValidationHandler remote_callback)
: base(stream, ownStream)
{
checkCertificateRevocationStatus = checkCertificateRevocation;
remoteCertificateSelectionCallback = remote_callback;
// Initialize the SslContext object
InitializeServerContext(serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation);
// Initalize the Ssl object
ssl = new Ssl(sslContext);
sniCb = sniExt.ServerSniCb;
sniExt.AttachSniExtensionServer(ssl.Handle, sslContext.Handle, sniCb);
// Initialze the read/write bio
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
// Set the read/write bio's into the the Ssl object
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into server mode
ssl.SetAcceptState();
}
private void InitializeServerContext(
DH dh,
SslProtocols enabledSslProtocols,
SslStrength sslStrength)
{
// Initialize the context
sslContext = new SslContext(SslMethod.SSLv23_server_method);
// Remove support for protocols not specified in the enabledSslProtocols
if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
{
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
}
if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
{
// no SSLv3 support
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
}
if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
(enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
}
// Set the context mode
sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
// Set the cipher string
sslContext.SetCipherList("ADH");
sslContext.SetTmpDhCallback(dh);
}
/// <summary>
///
/// </summary>
/// <param name="targetHost"></param>
/// <param name="clientCertificates"></param>
/// <param name="caCertificates"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="checkCertificateRevocation"></param>
/// <param name="asyncCallback"></param>
/// <param name="asyncState"></param>
/// <returns></returns>
public virtual IAsyncResult BeginAuthenticateAsClient(
string targetHost,
X509List clientCertificates,
X509Chain caCertificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation,
AsyncCallback asyncCallback,
Object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("SslStream is already authenticated");
}
End = ConnectionEnd.Client;
// Create the stream
var client_stream = new SslStreamClient(InnerStream, false, targetHost, clientCertificates, caCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocation, remoteCertificateValidationCallback, localCertificateSelectionCallback);
// set the internal stream
sslStream = client_stream;
// start the write operation
return(BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState));
}
/// <summary>
///
/// </summary>
/// <param name="serverCertificate"></param>
/// <param name="clientCertificateRequired"></param>
/// <param name="caCerts"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="checkCertificateRevocation"></param>
/// <param name="asyncCallback"></param>
/// <param name="asyncState"></param>
/// <returns></returns>
public virtual IAsyncResult BeginAuthenticateAsServer(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation,
AsyncCallback asyncCallback,
Object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("SslStream is already authenticated");
}
End = ConnectionEnd.Server;
// Initialize the server stream
var server_stream = new SslStreamServer(InnerStream, false, serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation, remoteCertificateValidationCallback);
// Set the internal sslStream
sslStream = server_stream;
// Start the read operation
return(BeginRead(new byte[0], 0, 0, asyncCallback, asyncState));
}
public SslStreamServer(
Stream stream,
bool ownStream,
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation,
RemoteCertificateValidationHandler remote_callback)
: base(stream, ownStream)
{
this.checkCertificateRevocationStatus = checkCertificateRevocation;
this.remoteCertificateSelectionCallback = remote_callback;
// Initialize the SslContext object
InitializeServerContext(serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation);
ssl = new Ssl(sslContext);
// Initialze the read/write bio
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
// Set the read/write bio's into the the Ssl object
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into server mode
ssl.SetAcceptState();
}
/// <summary>
/// see https://www.openssl.org/docs/apps/ciphers.html
/// for details about OpenSSL cipher string
/// </summary>
/// <returns>The string.</returns>
/// <param name="sslProtocols">SSL protocols.</param>
/// <param name="sslStrength">SSL strength.</param>
public static string MakeString(SslProtocols sslProtocols, SslStrength sslStrength)
{
var parts = new List<string>();
if (EnumExtensions.HasFlag(sslStrength, SslStrength.High))
{
parts.Add("HIGH");
}
if (EnumExtensions.HasFlag(sslStrength, SslStrength.Medium))
{
parts.Add("MEDIUM");
}
if (EnumExtensions.HasFlag(sslStrength, SslStrength.Low))
{
parts.Add("LOW");
}
if ((sslProtocols == SslProtocols.Default) ||
(sslProtocols == SslProtocols.Tls) ||
(sslProtocols == SslProtocols.Ssl3))
{
parts.Add("!SSLv2");
}
parts.Add("!ADH");
parts.Add("!aNULL");
parts.Add("!eNULL");
parts.Add("@STRENGTH");
return string.Join(":", parts.ToArray());
}
/// <summary>
/// see https://www.openssl.org/docs/apps/ciphers.html
/// for details about OpenSSL cipher string
/// </summary>
/// <returns>The string.</returns>
/// <param name="sslProtocols">SSL protocols.</param>
/// <param name="sslStrength">SSL strength.</param>
public static string MakeString(SslProtocols sslProtocols, SslStrength sslStrength)
{
var parts = new List<string>();
if (EnumExtensions.HasFlag(sslStrength, SslStrength.High))
{
parts.Add("HIGH");
}
if (EnumExtensions.HasFlag(sslStrength, SslStrength.Medium))
{
parts.Add("MEDIUM");
}
if (EnumExtensions.HasFlag(sslStrength, SslStrength.Low))
{
parts.Add("LOW");
}
if ((sslProtocols == SslProtocols.Default) ||
(sslProtocols == SslProtocols.Tls) ||
(sslProtocols == SslProtocols.Ssl3))
{
parts.Add("!SSLv2");
}
parts.Add("!ADH");
parts.Add("!aNULL");
parts.Add("!eNULL");
parts.Add("@STRENGTH");
return string.Join(":", parts.ToArray());
}
/// <summary>
///
/// </summary>
/// <param name="targetHost"></param>
/// <param name="certificates"></param>
/// <param name="caCertificates"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="checkCertificateRevocation"></param>
public virtual void AuthenticateAsClient(
string targetHost,
X509List certificates,
X509Chain caCertificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
EndAuthenticateAsClient(BeginAuthenticateAsClient(targetHost, certificates, caCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocation, null, null));
}
/// <summary>
///
/// </summary>
/// <param name="serverCertificate"></param>
/// <param name="clientCertificateRequired"></param>
/// <param name="caCertificates"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="checkCertificateRevocation"></param>
public virtual void AuthenticateAsServer(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCertificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
EndAuthenticateAsServer(BeginAuthenticateAsServer(serverCertificate, clientCertificateRequired, caCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocation, null, null));
}
internal string GetCipherString(bool FIPSmode, SslProtocols sslProtocols, SslStrength sslStrength)
{
string str = "";
if (FIPSmode || ((sslStrength & SslStrength.High) == SslStrength.High))
{
str = "HIGH";
}
if (FIPSmode || ((sslStrength & SslStrength.Medium) == SslStrength.Medium))
{
if (String.IsNullOrEmpty(str))
{
str = "MEDIUM";
}
else
{
str += ":MEDIUM";
}
}
if (!FIPSmode && ((sslStrength & SslStrength.Low) == SslStrength.Low))
{
if (String.IsNullOrEmpty(str))
{
str = "LOW";
}
else
{
str += ":LOW";
}
}
if ((sslProtocols == SslProtocols.Default) ||
(sslProtocols == SslProtocols.Tls) ||
(sslProtocols == SslProtocols.Ssl3))
{
if (String.IsNullOrEmpty(str))
{
str = "!SSLv2";
}
else
{
str += ":!SSLv2";
}
}
if (FIPSmode)
{
str += ":AES:3DES:SHA:!DES:!MD5:!IDEA:!RC2:!RC4";
}
// Now format the return string
string cipherString = String.Format("{0}:!ADH:!aNULL:!eNULL:@STRENGTH", str);
return(cipherString);
}
protected void InitializeClientContext(X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation)
{
// Initialize the context with the specified ssl version
// Initialize the context
sslContext = new SslContext(SslMethod.SSLv23_client_method);
// Remove support for protocols not specified in the enabledSslProtocols
if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
{
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
}
if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
{
// no SSLv3 support
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
}
if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
(enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
}
// Set the Local certificate selection callback
sslContext.SetClientCertCallback(this.internalCertificateSelectionCallback);
// Set the enabled cipher list
sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength));
// Set the callbacks for remote cert verification and local cert selection
if (remoteCertificateSelectionCallback != null)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback);
}
// Set the CA list into the store
if (caCertificates != null)
{
X509Store store = new X509Store(caCertificates);
sslContext.SetCertificateStore(store);
}
// Set up the read/write bio's
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
ssl = new Ssl(sslContext);
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into Client mode
ssl.SetConnectState();
}
/// <summary>
///
/// </summary>
/// <param name="dh"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="asyncCallback"></param>
/// <param name="asyncState"></param>
/// <returns></returns>
public virtual IAsyncResult BeginAuthenticateAsServer(
DH dh,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
AsyncCallback asyncCallback,
Object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("SslStream is already authenticated");
}
// Initialize the server stream
SslAnonStreamServer server_stream = new SslAnonStreamServer(InnerStream, false, dh, enabledSslProtocols, sslStrength);
// Set the internal sslStream
sslStream = server_stream;
// Start the read operation
return(BeginRead(new byte[0], 0, 0, asyncCallback, asyncState));
}
public SslStreamClient(Stream stream,
bool ownStream,
string targetHost,
X509List clientCertificates,
X509Chain caCertificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocationStatus,
RemoteCertificateValidationHandler remoteCallback,
LocalCertificateSelectionHandler localCallback)
: base(stream, ownStream)
{
this.targetHost = targetHost;
this.clientCertificates = clientCertificates;
this.caCertificates = caCertificates;
this.checkCertificateRevocationStatus = checkCertificateRevocationStatus;
this.remoteCertificateSelectionCallback = remoteCallback;
this.localCertificateSelectionCallback = localCallback;
this.internalCertificateSelectionCallback = new ClientCertCallbackHandler(InternalClientCertificateSelectionCallback);
InitializeClientContext(clientCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocationStatus);
}
public SslStreamClient(Stream stream,
bool ownStream,
string targetHost,
X509List clientCertificates,
X509Chain caCertificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocationStatus,
RemoteCertificateValidationHandler remoteCallback,
LocalCertificateSelectionHandler localCallback)
: base(stream, ownStream)
{
this.targetHost = targetHost;
this.clientCertificates = clientCertificates;
this.caCertificates = caCertificates;
this.checkCertificateRevocationStatus = checkCertificateRevocationStatus;
this.remoteCertificateSelectionCallback = remoteCallback;
this.localCertificateSelectionCallback = localCallback;
this.internalCertificateSelectionCallback = new ClientCertCallbackHandler(InternalClientCertificateSelectionCallback);
InitializeClientContext(clientCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocationStatus);
}
public SslAnonStreamServer(
Stream stream,
bool ownStream,
DH dh,
SslProtocols enabledSslProtocols,
SslStrength sslStrength)
: base(stream, ownStream)
{
// Initialize the SslContext object
InitializeServerContext(dh, enabledSslProtocols, sslStrength);
// Initalize the Ssl object
ssl = new Ssl(sslContext);
// Initialze the read/write bio
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
// Set the read/write bio's into the the Ssl object
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into server mode
ssl.SetAcceptState();
}
public SslAnonStreamServer(
Stream stream,
bool ownStream,
DH dh,
SslProtocols enabledSslProtocols,
SslStrength sslStrength)
: base(stream, ownStream)
{
// Initialize the SslContext object
InitializeServerContext(dh, enabledSslProtocols, sslStrength);
// Initalize the Ssl object
ssl = new Ssl(sslContext);
// Initialze the read/write bio
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
// Set the read/write bio's into the the Ssl object
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into server mode
ssl.SetAcceptState();
}
private void InitializeServerContext(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
if (serverCertificate == null)
{
throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null");
}
if (!serverCertificate.HasPrivateKey)
{
throw new ArgumentException("Server certificate must have a private key", "serverCertificate");
}
// Initialize the context
sslContext = new SslContext(SslMethod.SSLv23_server_method);
// Remove support for protocols not specified in the enabledSslProtocols
if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
{
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
}
if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
{
// no SSLv3 support
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
}
if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
(enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
}
/*
* // Initialize the context with the specified ssl version
* switch (enabledSslProtocols)
* {
* case SslProtocols.None:
* throw new ArgumentException("SslProtocol.None is not supported", "enabledSslProtocols");
* break;
* case SslProtocols.Ssl2:
* sslContext = new SslContext(SslMethod.SSLv2_server_method);
* break;
* case SslProtocols.Ssl3:
* case SslProtocols.Default:
* sslContext = new SslContext(SslMethod.SSLv3_server_method);
* break;
* case SslProtocols.Tls:
* sslContext = new SslContext(SslMethod.TLSv1_server_method);
* break;
* }
*/
// Set the context mode
sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
// Set the workaround options
sslContext.Options = SslOptions.SSL_OP_ALL;
// Set the client certificate verification callback if we are requiring client certs
if (clientCertificateRequired)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback);
}
else
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
}
// Set the client certificate max verification depth
sslContext.SetVerifyDepth(10);
// Set the certificate store and ca list
if (caCerts != null)
{
// Don't take ownership of the X509Store IntPtr. When we
// SetCertificateStore, the context takes ownership of the store pointer.
X509Store cert_store = new X509Store(caCerts, false);
sslContext.SetCertificateStore(cert_store);
Core.Stack <X509Name> name_stack = new Core.Stack <X509Name>();
foreach (X509Certificate cert in caCerts)
{
X509Name subject = cert.Subject;
name_stack.Add(subject);
}
// Assign the stack to the context
sslContext.CAList = name_stack;
}
// Set the cipher string
sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength));
// Set the certificate
sslContext.UseCertificate(serverCertificate);
// Set the private key
sslContext.UsePrivateKey(serverCertificate.PrivateKey);
// Set the session id context
sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName));
}
protected void InitializeClientContext(
X509List certificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
// Initialize the context with specified TLS version
sslContext = new SslContext(SslMethod.TLSv12_client_method, ConnectionEnd.Client, new[] {
Protocols.Http2,
Protocols.Http1
});
var options = sslContext.Options;
// Remove support for protocols not specified in the enabledSslProtocols
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2))
{
options |= SslOptions.SSL_OP_NO_SSLv2;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3))
{
options |= SslOptions.SSL_OP_NO_SSLv3;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls))
{
options |= SslOptions.SSL_OP_NO_TLSv1;
}
sslContext.Options = options;
// Set the Local certificate selection callback
sslContext.SetClientCertCallback(OnClientCertificate);
// Set the enabled cipher list
sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength));
// Set the callbacks for remote cert verification and local cert selection
if (OnRemoteCertificate != null)
{
sslContext.SetVerify(
VerifyMode.SSL_VERIFY_PEER |
VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
OnRemoteCertificate);
}
// Set the CA list into the store
if (caCertificates != null)
{
var store = new X509Store(caCertificates);
sslContext.SetCertificateStore(store);
}
// Set up the read/write bio's
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
ssl = new Ssl(sslContext);
sniCb = sniExt.ClientSniCb;
sniExt.AttachSniExtensionClient(ssl.Handle, sslContext.Handle, sniCb);
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into Client mode
ssl.SetConnectState();
}
private void InitializeServerContext(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
if (serverCertificate == null)
{
throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null");
}
if (!serverCertificate.HasPrivateKey)
{
throw new ArgumentException("Server certificate must have a private key", "serverCertificate");
}
// Initialize the context with specified TLS version
sslContext = new SslContext(SslMethod.TLSv12_server_method, ConnectionEnd.Server, new[] {
Protocols.Http2,
Protocols.Http1
});
var options = sslContext.Options;
// Remove support for protocols not specified in the enabledSslProtocols
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2))
{
options |= SslOptions.SSL_OP_NO_SSLv2;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3))
{
options |= SslOptions.SSL_OP_NO_SSLv3;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls))
{
options |= SslOptions.SSL_OP_NO_TLSv1;
}
// Set the workaround options
sslContext.Options = options | SslOptions.SSL_OP_ALL;
// Set the context mode
sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
// Set the client certificate verification callback if we are requiring client certs
if (clientCertificateRequired)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OnRemoteCertificate);
}
else
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
}
// Set the client certificate max verification depth
sslContext.SetVerifyDepth(10);
// Set the certificate store and ca list
if (caCerts != null)
{
// Don't take ownership of the X509Store IntPtr. When we
// SetCertificateStore, the context takes ownership of the store pointer.
sslContext.SetCertificateStore(new X509Store(caCerts, false));
var name_stack = new Core.Stack <X509Name>();
foreach (var cert in caCerts)
{
var subject = cert.Subject;
name_stack.Add(subject);
}
// Assign the stack to the context
sslContext.CAList = name_stack;
}
// Set the cipher string
sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength));
// Set the certificate
sslContext.UseCertificate(serverCertificate);
// Set the private key
sslContext.UsePrivateKey(serverCertificate.PrivateKey);
// Set the session id context
sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName));
}
protected void InitializeClientContext(
X509List certificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
// Initialize the context with specified TLS version
sslContext = new SslContext(SslMethod.TLSv12_client_method, ConnectionEnd.Client, new[] {
Protocols.Http2,
Protocols.Http1
});
var options = sslContext.Options;
// Remove support for protocols not specified in the enabledSslProtocols
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2))
{
options |= SslOptions.SSL_OP_NO_SSLv2;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3))
{
options |= SslOptions.SSL_OP_NO_SSLv3;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls))
{
options |= SslOptions.SSL_OP_NO_TLSv1;
}
sslContext.Options = options;
// Set the Local certificate selection callback
sslContext.SetClientCertCallback(OnClientCertificate);
// Set the enabled cipher list
sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength));
// Set the callbacks for remote cert verification and local cert selection
if (OnRemoteCertificate != null)
{
sslContext.SetVerify(
VerifyMode.SSL_VERIFY_PEER |
VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
OnRemoteCertificate);
}
// Set the CA list into the store
if (caCertificates != null)
{
var store = new X509Store(caCertificates);
sslContext.SetCertificateStore(store);
}
// Set up the read/write bio's
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
ssl = new Ssl(sslContext);
sniCb = sniExt.ClientSniCb;
sniExt.AttachSniExtensionClient(ssl.Handle, sslContext.Handle, sniCb);
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into Client mode
ssl.SetConnectState();
}
/// <summary>
///
/// </summary>
/// <param name="serverCertificate"></param>
/// <param name="clientCertificateRequired"></param>
/// <param name="caCerts"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="checkCertificateRevocation"></param>
/// <param name="asyncCallback"></param>
/// <param name="asyncState"></param>
/// <returns></returns>
public virtual IAsyncResult BeginAuthenticateAsServer(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation,
AsyncCallback asyncCallback,
Object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("SslStream is already authenticated");
}
End = ConnectionEnd.Server;
// Initialize the server stream
var server_stream = new SslStreamServer(
InnerStream,
serverCertificate,
clientCertificateRequired,
caCerts,
enabledSslProtocols,
sslStrength,
checkCertificateRevocation,
remoteCertificateValidationCallback);
// Set the internal sslStream
sslStream = server_stream;
// Start the read operation
return BeginRead(new byte[0], 0, 0, asyncCallback, asyncState);
}
/// <summary>
///
/// </summary>
/// <param name="serverCertificate"></param>
/// <param name="clientCertificateRequired"></param>
/// <param name="caCertificates"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="checkCertificateRevocation"></param>
public virtual void AuthenticateAsServer(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCertificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
EndAuthenticateAsServer(BeginAuthenticateAsServer(
serverCertificate,
clientCertificateRequired,
caCertificates,
enabledSslProtocols,
sslStrength,
checkCertificateRevocation,
null,
null));
}
/// <summary>
///
/// </summary>
/// <param name="targetHost"></param>
/// <param name="clientCertificates"></param>
/// <param name="caCertificates"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="checkCertificateRevocation"></param>
/// <param name="asyncCallback"></param>
/// <param name="asyncState"></param>
/// <returns></returns>
public virtual IAsyncResult BeginAuthenticateAsClient(
string targetHost,
X509List clientCertificates,
X509Chain caCertificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation,
AsyncCallback asyncCallback,
Object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("SslStream is already authenticated");
}
End = ConnectionEnd.Client;
// Create the stream
var client_stream = new SslStreamClient(
InnerStream,
targetHost,
clientCertificates,
caCertificates,
enabledSslProtocols,
sslStrength,
checkCertificateRevocation,
remoteCertificateValidationCallback,
localCertificateSelectionCallback);
// set the internal stream
sslStream = client_stream;
// start the write operation
return BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState);
}
/// <summary>
///
/// </summary>
/// <param name="dh"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
public virtual void AuthenticateAsServer(
DH dh,
SslProtocols enabledSslProtocols,
SslStrength sslStrength)
{
EndAuthenticateAsServer(BeginAuthenticateAsServer(dh, enabledSslProtocols, sslStrength, null, null));
}
/// <summary>
///
/// </summary>
/// <param name="dh"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="asyncCallback"></param>
/// <param name="asyncState"></param>
/// <returns></returns>
public virtual IAsyncResult BeginAuthenticateAsServer(
DH dh,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
AsyncCallback asyncCallback,
Object asyncState)
{
if (IsAuthenticated)
{
throw new InvalidOperationException("SslStream is already authenticated");
}
// Initialize the server stream
SslAnonStreamServer server_stream = new SslAnonStreamServer(InnerStream, false, dh, enabledSslProtocols, sslStrength);
// Set the internal sslStream
sslStream = server_stream;
// Start the read operation
return BeginRead(new byte[0], 0, 0, asyncCallback, asyncState);
}
private void InitializeServerContext(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
if (serverCertificate == null)
{
throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null");
}
if (!serverCertificate.HasPrivateKey)
{
throw new ArgumentException("Server certificate must have a private key", "serverCertificate");
}
// Initialize the context
sslContext = new SslContext(SslMethod.TLSv1_server_method, ConnectionEnd.Server, true, new[] { Protocols.Http2, Protocols.Http1 });
// Remove support for protocols not specified in the enabledSslProtocols
if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
{
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
}
if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
{
// no SSLv3 support
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
}
if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
(enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
}
// Set the context mode
sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
// Set the workaround options
sslContext.Options = SslOptions.SSL_OP_ALL;
// Set the client certificate verification callback if we are requiring client certs
if (clientCertificateRequired)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback);
}
else
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
}
// Set the client certificate max verification depth
sslContext.SetVerifyDepth(10);
// Set the certificate store and ca list
if (caCerts != null)
{
// Don't take ownership of the X509Store IntPtr. When we
// SetCertificateStore, the context takes ownership of the store pointer.
var cert_store = new X509Store(caCerts, false);
sslContext.SetCertificateStore(cert_store);
Stack<X509Name> name_stack = new Core.Stack<X509Name>();
foreach (X509Certificate cert in caCerts)
{
X509Name subject = cert.Subject;
name_stack.Add(subject);
}
// Assign the stack to the context
sslContext.CAList = name_stack;
}
// Set the cipher string
sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength));
// Set the certificate
sslContext.UseCertificate(serverCertificate);
// Set the private key
sslContext.UsePrivateKey(serverCertificate.PrivateKey);
// Set the session id context
sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes("AppDomainHost: UnitTests12345678"/*AppDomain.CurrentDomain.FriendlyName*/));
}
internal string GetCipherString(bool FIPSmode, SslProtocols sslProtocols, SslStrength sslStrength)
{
string str = "";
if (FIPSmode || ((sslStrength & SslStrength.High) == SslStrength.High))
{
str = "HIGH";
}
if (FIPSmode || ((sslStrength & SslStrength.Medium) == SslStrength.Medium))
{
if (String.IsNullOrEmpty(str))
{
str = "MEDIUM";
}
else
{
str += ":MEDIUM";
}
}
if (!FIPSmode && ((sslStrength & SslStrength.Low) == SslStrength.Low))
{
if (String.IsNullOrEmpty(str))
{
str = "LOW";
}
else
{
str += ":LOW";
}
}
if ((sslProtocols == SslProtocols.Default) ||
(sslProtocols == SslProtocols.Tls) ||
(sslProtocols == SslProtocols.Ssl3))
{
if (String.IsNullOrEmpty(str))
{
str = "!SSLv2";
}
else
{
str += ":!SSLv2";
}
}
if (FIPSmode)
{
str += ":AES:3DES:SHA:!DES:!MD5:!IDEA:!RC2:!RC4";
}
// Now format the return string
return String.Format("{0}:!ADH:!aNULL:!eNULL:@STRENGTH", str);
}
protected void InitializeClientContext(X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation)
{
// Initialize the context with the specified ssl version
// Initialize the context
sslContext = new SslContext(SslMethod.SSLv23_client_method);
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
if (enabledSslProtocols.HasFlag(SslProtocols.Ssl3) == false)
{
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
}
if (enabledSslProtocols.HasFlag(SslProtocols.Tls10) == false && enabledSslProtocols.HasFlag(SslProtocols.Default) == false)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
}
if (enabledSslProtocols.HasFlag(SslProtocols.Tls11) == false && enabledSslProtocols.HasFlag(SslProtocols.Default) == false)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1_1;
}
if (enabledSslProtocols.HasFlag(SslProtocols.Tls12) == false && enabledSslProtocols.HasFlag(SslProtocols.Default) == false)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1_2;
}
// Set the Local certificate selection callback
sslContext.SetClientCertCallback(this.internalCertificateSelectionCallback);
// Set the enabled cipher list
sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength));
// Set the callbacks for remote cert verification and local cert selection
if (remoteCertificateSelectionCallback != null)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback);
}
// Set the CA list into the store
if (caCertificates != null)
{
X509Store store = new X509Store(caCertificates);
sslContext.SetCertificateStore(store);
}
// Set up the read/write bio's
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
ssl = new Ssl(sslContext);
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into Client mode
ssl.SetConnectState();
}
/// <summary>
///
/// </summary>
/// <param name="targetHost"></param>
/// <param name="certificates"></param>
/// <param name="caCertificates"></param>
/// <param name="enabledSslProtocols"></param>
/// <param name="sslStrength"></param>
/// <param name="checkCertificateRevocation"></param>
public virtual void AuthenticateAsClient(
string targetHost,
X509List certificates,
X509Chain caCertificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
EndAuthenticateAsClient(BeginAuthenticateAsClient(
targetHost,
certificates,
caCertificates,
enabledSslProtocols,
sslStrength,
checkCertificateRevocation,
null,
null));
}
private void InitializeServerContext(
DH dh,
SslProtocols enabledSslProtocols,
SslStrength sslStrength)
{
// Initialize the context
sslContext = new SslContext(SslMethod.SSLv23_server_method);
// Remove support for protocols not specified in the enabledSslProtocols
if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2)
{
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2;
}
if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 &&
((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default))
{
// no SSLv3 support
sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3;
}
if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls &&
(enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)
{
sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1;
}
// Set the context mode
sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
// Set the cipher string
sslContext.SetCipherList("ADH");
sslContext.SetTmpDhCallback(dh);
}
