/// <summary> /// /// </summary> /// <param name="dh"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> public virtual void AuthenticateAsServer( DH dh, SslProtocols enabledSslProtocols, SslStrength sslStrength) { EndAuthenticateAsServer(BeginAuthenticateAsServer(dh, enabledSslProtocols, sslStrength, null, null)); }
public SslStreamServer( Stream stream, bool ownStream, X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation, RemoteCertificateValidationHandler remote_callback) : base(stream, ownStream) { checkCertificateRevocationStatus = checkCertificateRevocation; remoteCertificateSelectionCallback = remote_callback; // Initialize the SslContext object InitializeServerContext(serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation); // Initalize the Ssl object ssl = new Ssl(sslContext); sniCb = sniExt.ServerSniCb; sniExt.AttachSniExtensionServer(ssl.Handle, sslContext.Handle, sniCb); // Initialze the read/write bio read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); // Set the read/write bio's into the the Ssl object ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into server mode ssl.SetAcceptState(); }
private void InitializeServerContext( DH dh, SslProtocols enabledSslProtocols, SslStrength sslStrength) { // Initialize the context sslContext = new SslContext(SslMethod.SSLv23_server_method); // Remove support for protocols not specified in the enabledSslProtocols if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2) { sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; } if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 && ((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)) { // no SSLv3 support sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; } if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls && (enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1; } // Set the context mode sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY; sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); // Set the cipher string sslContext.SetCipherList("ADH"); sslContext.SetTmpDhCallback(dh); }
/// <summary> /// /// </summary> /// <param name="targetHost"></param> /// <param name="clientCertificates"></param> /// <param name="caCertificates"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="checkCertificateRevocation"></param> /// <param name="asyncCallback"></param> /// <param name="asyncState"></param> /// <returns></returns> public virtual IAsyncResult BeginAuthenticateAsClient( string targetHost, X509List clientCertificates, X509Chain caCertificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("SslStream is already authenticated"); } End = ConnectionEnd.Client; // Create the stream var client_stream = new SslStreamClient(InnerStream, false, targetHost, clientCertificates, caCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocation, remoteCertificateValidationCallback, localCertificateSelectionCallback); // set the internal stream sslStream = client_stream; // start the write operation return(BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState)); }
/// <summary> /// /// </summary> /// <param name="serverCertificate"></param> /// <param name="clientCertificateRequired"></param> /// <param name="caCerts"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="checkCertificateRevocation"></param> /// <param name="asyncCallback"></param> /// <param name="asyncState"></param> /// <returns></returns> public virtual IAsyncResult BeginAuthenticateAsServer( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("SslStream is already authenticated"); } End = ConnectionEnd.Server; // Initialize the server stream var server_stream = new SslStreamServer(InnerStream, false, serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation, remoteCertificateValidationCallback); // Set the internal sslStream sslStream = server_stream; // Start the read operation return(BeginRead(new byte[0], 0, 0, asyncCallback, asyncState)); }
public SslStreamServer( Stream stream, bool ownStream, X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation, RemoteCertificateValidationHandler remote_callback) : base(stream, ownStream) { this.checkCertificateRevocationStatus = checkCertificateRevocation; this.remoteCertificateSelectionCallback = remote_callback; // Initialize the SslContext object InitializeServerContext(serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation); ssl = new Ssl(sslContext); // Initialze the read/write bio read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); // Set the read/write bio's into the the Ssl object ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into server mode ssl.SetAcceptState(); }
/// <summary> /// see https://www.openssl.org/docs/apps/ciphers.html /// for details about OpenSSL cipher string /// </summary> /// <returns>The string.</returns> /// <param name="sslProtocols">SSL protocols.</param> /// <param name="sslStrength">SSL strength.</param> public static string MakeString(SslProtocols sslProtocols, SslStrength sslStrength) { var parts = new List<string>(); if (EnumExtensions.HasFlag(sslStrength, SslStrength.High)) { parts.Add("HIGH"); } if (EnumExtensions.HasFlag(sslStrength, SslStrength.Medium)) { parts.Add("MEDIUM"); } if (EnumExtensions.HasFlag(sslStrength, SslStrength.Low)) { parts.Add("LOW"); } if ((sslProtocols == SslProtocols.Default) || (sslProtocols == SslProtocols.Tls) || (sslProtocols == SslProtocols.Ssl3)) { parts.Add("!SSLv2"); } parts.Add("!ADH"); parts.Add("!aNULL"); parts.Add("!eNULL"); parts.Add("@STRENGTH"); return string.Join(":", parts.ToArray()); }
/// <summary> /// see https://www.openssl.org/docs/apps/ciphers.html /// for details about OpenSSL cipher string /// </summary> /// <returns>The string.</returns> /// <param name="sslProtocols">SSL protocols.</param> /// <param name="sslStrength">SSL strength.</param> public static string MakeString(SslProtocols sslProtocols, SslStrength sslStrength) { var parts = new List<string>(); if (EnumExtensions.HasFlag(sslStrength, SslStrength.High)) { parts.Add("HIGH"); } if (EnumExtensions.HasFlag(sslStrength, SslStrength.Medium)) { parts.Add("MEDIUM"); } if (EnumExtensions.HasFlag(sslStrength, SslStrength.Low)) { parts.Add("LOW"); } if ((sslProtocols == SslProtocols.Default) || (sslProtocols == SslProtocols.Tls) || (sslProtocols == SslProtocols.Ssl3)) { parts.Add("!SSLv2"); } parts.Add("!ADH"); parts.Add("!aNULL"); parts.Add("!eNULL"); parts.Add("@STRENGTH"); return string.Join(":", parts.ToArray()); }
/// <summary> /// /// </summary> /// <param name="targetHost"></param> /// <param name="certificates"></param> /// <param name="caCertificates"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="checkCertificateRevocation"></param> public virtual void AuthenticateAsClient( string targetHost, X509List certificates, X509Chain caCertificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { EndAuthenticateAsClient(BeginAuthenticateAsClient(targetHost, certificates, caCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocation, null, null)); }
/// <summary> /// /// </summary> /// <param name="serverCertificate"></param> /// <param name="clientCertificateRequired"></param> /// <param name="caCertificates"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="checkCertificateRevocation"></param> public virtual void AuthenticateAsServer( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCertificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { EndAuthenticateAsServer(BeginAuthenticateAsServer(serverCertificate, clientCertificateRequired, caCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocation, null, null)); }
internal string GetCipherString(bool FIPSmode, SslProtocols sslProtocols, SslStrength sslStrength) { string str = ""; if (FIPSmode || ((sslStrength & SslStrength.High) == SslStrength.High)) { str = "HIGH"; } if (FIPSmode || ((sslStrength & SslStrength.Medium) == SslStrength.Medium)) { if (String.IsNullOrEmpty(str)) { str = "MEDIUM"; } else { str += ":MEDIUM"; } } if (!FIPSmode && ((sslStrength & SslStrength.Low) == SslStrength.Low)) { if (String.IsNullOrEmpty(str)) { str = "LOW"; } else { str += ":LOW"; } } if ((sslProtocols == SslProtocols.Default) || (sslProtocols == SslProtocols.Tls) || (sslProtocols == SslProtocols.Ssl3)) { if (String.IsNullOrEmpty(str)) { str = "!SSLv2"; } else { str += ":!SSLv2"; } } if (FIPSmode) { str += ":AES:3DES:SHA:!DES:!MD5:!IDEA:!RC2:!RC4"; } // Now format the return string string cipherString = String.Format("{0}:!ADH:!aNULL:!eNULL:@STRENGTH", str); return(cipherString); }
protected void InitializeClientContext(X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { // Initialize the context with the specified ssl version // Initialize the context sslContext = new SslContext(SslMethod.SSLv23_client_method); // Remove support for protocols not specified in the enabledSslProtocols if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2) { sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; } if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 && ((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)) { // no SSLv3 support sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; } if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls && (enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1; } // Set the Local certificate selection callback sslContext.SetClientCertCallback(this.internalCertificateSelectionCallback); // Set the enabled cipher list sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength)); // Set the callbacks for remote cert verification and local cert selection if (remoteCertificateSelectionCallback != null) { sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback); } // Set the CA list into the store if (caCertificates != null) { X509Store store = new X509Store(caCertificates); sslContext.SetCertificateStore(store); } // Set up the read/write bio's read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); ssl = new Ssl(sslContext); ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into Client mode ssl.SetConnectState(); }
/// <summary> /// /// </summary> /// <param name="dh"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="asyncCallback"></param> /// <param name="asyncState"></param> /// <returns></returns> public virtual IAsyncResult BeginAuthenticateAsServer( DH dh, SslProtocols enabledSslProtocols, SslStrength sslStrength, AsyncCallback asyncCallback, Object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("SslStream is already authenticated"); } // Initialize the server stream SslAnonStreamServer server_stream = new SslAnonStreamServer(InnerStream, false, dh, enabledSslProtocols, sslStrength); // Set the internal sslStream sslStream = server_stream; // Start the read operation return(BeginRead(new byte[0], 0, 0, asyncCallback, asyncState)); }
public SslStreamClient(Stream stream, bool ownStream, string targetHost, X509List clientCertificates, X509Chain caCertificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocationStatus, RemoteCertificateValidationHandler remoteCallback, LocalCertificateSelectionHandler localCallback) : base(stream, ownStream) { this.targetHost = targetHost; this.clientCertificates = clientCertificates; this.caCertificates = caCertificates; this.checkCertificateRevocationStatus = checkCertificateRevocationStatus; this.remoteCertificateSelectionCallback = remoteCallback; this.localCertificateSelectionCallback = localCallback; this.internalCertificateSelectionCallback = new ClientCertCallbackHandler(InternalClientCertificateSelectionCallback); InitializeClientContext(clientCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocationStatus); }
public SslStreamClient(Stream stream, bool ownStream, string targetHost, X509List clientCertificates, X509Chain caCertificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocationStatus, RemoteCertificateValidationHandler remoteCallback, LocalCertificateSelectionHandler localCallback) : base(stream, ownStream) { this.targetHost = targetHost; this.clientCertificates = clientCertificates; this.caCertificates = caCertificates; this.checkCertificateRevocationStatus = checkCertificateRevocationStatus; this.remoteCertificateSelectionCallback = remoteCallback; this.localCertificateSelectionCallback = localCallback; this.internalCertificateSelectionCallback = new ClientCertCallbackHandler(InternalClientCertificateSelectionCallback); InitializeClientContext(clientCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocationStatus); }
public SslAnonStreamServer( Stream stream, bool ownStream, DH dh, SslProtocols enabledSslProtocols, SslStrength sslStrength) : base(stream, ownStream) { // Initialize the SslContext object InitializeServerContext(dh, enabledSslProtocols, sslStrength); // Initalize the Ssl object ssl = new Ssl(sslContext); // Initialze the read/write bio read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); // Set the read/write bio's into the the Ssl object ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into server mode ssl.SetAcceptState(); }
public SslAnonStreamServer( Stream stream, bool ownStream, DH dh, SslProtocols enabledSslProtocols, SslStrength sslStrength) : base(stream, ownStream) { // Initialize the SslContext object InitializeServerContext(dh, enabledSslProtocols, sslStrength); // Initalize the Ssl object ssl = new Ssl(sslContext); // Initialze the read/write bio read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); // Set the read/write bio's into the the Ssl object ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into server mode ssl.SetAcceptState(); }
private void InitializeServerContext( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { if (serverCertificate == null) { throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null"); } if (!serverCertificate.HasPrivateKey) { throw new ArgumentException("Server certificate must have a private key", "serverCertificate"); } // Initialize the context sslContext = new SslContext(SslMethod.SSLv23_server_method); // Remove support for protocols not specified in the enabledSslProtocols if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2) { sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; } if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 && ((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)) { // no SSLv3 support sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; } if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls && (enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1; } /* * // Initialize the context with the specified ssl version * switch (enabledSslProtocols) * { * case SslProtocols.None: * throw new ArgumentException("SslProtocol.None is not supported", "enabledSslProtocols"); * break; * case SslProtocols.Ssl2: * sslContext = new SslContext(SslMethod.SSLv2_server_method); * break; * case SslProtocols.Ssl3: * case SslProtocols.Default: * sslContext = new SslContext(SslMethod.SSLv3_server_method); * break; * case SslProtocols.Tls: * sslContext = new SslContext(SslMethod.TLSv1_server_method); * break; * } */ // Set the context mode sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY; // Set the workaround options sslContext.Options = SslOptions.SSL_OP_ALL; // Set the client certificate verification callback if we are requiring client certs if (clientCertificateRequired) { sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback); } else { sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); } // Set the client certificate max verification depth sslContext.SetVerifyDepth(10); // Set the certificate store and ca list if (caCerts != null) { // Don't take ownership of the X509Store IntPtr. When we // SetCertificateStore, the context takes ownership of the store pointer. X509Store cert_store = new X509Store(caCerts, false); sslContext.SetCertificateStore(cert_store); Core.Stack <X509Name> name_stack = new Core.Stack <X509Name>(); foreach (X509Certificate cert in caCerts) { X509Name subject = cert.Subject; name_stack.Add(subject); } // Assign the stack to the context sslContext.CAList = name_stack; } // Set the cipher string sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength)); // Set the certificate sslContext.UseCertificate(serverCertificate); // Set the private key sslContext.UsePrivateKey(serverCertificate.PrivateKey); // Set the session id context sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName)); }
protected void InitializeClientContext( X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { // Initialize the context with specified TLS version sslContext = new SslContext(SslMethod.TLSv12_client_method, ConnectionEnd.Client, new[] { Protocols.Http2, Protocols.Http1 }); var options = sslContext.Options; // Remove support for protocols not specified in the enabledSslProtocols if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2)) { options |= SslOptions.SSL_OP_NO_SSLv2; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3)) { options |= SslOptions.SSL_OP_NO_SSLv3; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls)) { options |= SslOptions.SSL_OP_NO_TLSv1; } sslContext.Options = options; // Set the Local certificate selection callback sslContext.SetClientCertCallback(OnClientCertificate); // Set the enabled cipher list sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength)); // Set the callbacks for remote cert verification and local cert selection if (OnRemoteCertificate != null) { sslContext.SetVerify( VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OnRemoteCertificate); } // Set the CA list into the store if (caCertificates != null) { var store = new X509Store(caCertificates); sslContext.SetCertificateStore(store); } // Set up the read/write bio's read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); ssl = new Ssl(sslContext); sniCb = sniExt.ClientSniCb; sniExt.AttachSniExtensionClient(ssl.Handle, sslContext.Handle, sniCb); ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into Client mode ssl.SetConnectState(); }
private void InitializeServerContext( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { if (serverCertificate == null) { throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null"); } if (!serverCertificate.HasPrivateKey) { throw new ArgumentException("Server certificate must have a private key", "serverCertificate"); } // Initialize the context with specified TLS version sslContext = new SslContext(SslMethod.TLSv12_server_method, ConnectionEnd.Server, new[] { Protocols.Http2, Protocols.Http1 }); var options = sslContext.Options; // Remove support for protocols not specified in the enabledSslProtocols if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2)) { options |= SslOptions.SSL_OP_NO_SSLv2; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3)) { options |= SslOptions.SSL_OP_NO_SSLv3; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls)) { options |= SslOptions.SSL_OP_NO_TLSv1; } // Set the workaround options sslContext.Options = options | SslOptions.SSL_OP_ALL; // Set the context mode sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY; // Set the client certificate verification callback if we are requiring client certs if (clientCertificateRequired) { sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OnRemoteCertificate); } else { sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); } // Set the client certificate max verification depth sslContext.SetVerifyDepth(10); // Set the certificate store and ca list if (caCerts != null) { // Don't take ownership of the X509Store IntPtr. When we // SetCertificateStore, the context takes ownership of the store pointer. sslContext.SetCertificateStore(new X509Store(caCerts, false)); var name_stack = new Core.Stack <X509Name>(); foreach (var cert in caCerts) { var subject = cert.Subject; name_stack.Add(subject); } // Assign the stack to the context sslContext.CAList = name_stack; } // Set the cipher string sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength)); // Set the certificate sslContext.UseCertificate(serverCertificate); // Set the private key sslContext.UsePrivateKey(serverCertificate.PrivateKey); // Set the session id context sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName)); }
protected void InitializeClientContext( X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { // Initialize the context with specified TLS version sslContext = new SslContext(SslMethod.TLSv12_client_method, ConnectionEnd.Client, new[] { Protocols.Http2, Protocols.Http1 }); var options = sslContext.Options; // Remove support for protocols not specified in the enabledSslProtocols if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2)) { options |= SslOptions.SSL_OP_NO_SSLv2; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3)) { options |= SslOptions.SSL_OP_NO_SSLv3; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls)) { options |= SslOptions.SSL_OP_NO_TLSv1; } sslContext.Options = options; // Set the Local certificate selection callback sslContext.SetClientCertCallback(OnClientCertificate); // Set the enabled cipher list sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength)); // Set the callbacks for remote cert verification and local cert selection if (OnRemoteCertificate != null) { sslContext.SetVerify( VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OnRemoteCertificate); } // Set the CA list into the store if (caCertificates != null) { var store = new X509Store(caCertificates); sslContext.SetCertificateStore(store); } // Set up the read/write bio's read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); ssl = new Ssl(sslContext); sniCb = sniExt.ClientSniCb; sniExt.AttachSniExtensionClient(ssl.Handle, sslContext.Handle, sniCb); ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into Client mode ssl.SetConnectState(); }
/// <summary> /// /// </summary> /// <param name="serverCertificate"></param> /// <param name="clientCertificateRequired"></param> /// <param name="caCerts"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="checkCertificateRevocation"></param> /// <param name="asyncCallback"></param> /// <param name="asyncState"></param> /// <returns></returns> public virtual IAsyncResult BeginAuthenticateAsServer( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("SslStream is already authenticated"); } End = ConnectionEnd.Server; // Initialize the server stream var server_stream = new SslStreamServer( InnerStream, serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation, remoteCertificateValidationCallback); // Set the internal sslStream sslStream = server_stream; // Start the read operation return BeginRead(new byte[0], 0, 0, asyncCallback, asyncState); }
/// <summary> /// /// </summary> /// <param name="serverCertificate"></param> /// <param name="clientCertificateRequired"></param> /// <param name="caCertificates"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="checkCertificateRevocation"></param> public virtual void AuthenticateAsServer( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCertificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { EndAuthenticateAsServer(BeginAuthenticateAsServer( serverCertificate, clientCertificateRequired, caCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocation, null, null)); }
/// <summary> /// /// </summary> /// <param name="targetHost"></param> /// <param name="clientCertificates"></param> /// <param name="caCertificates"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="checkCertificateRevocation"></param> /// <param name="asyncCallback"></param> /// <param name="asyncState"></param> /// <returns></returns> public virtual IAsyncResult BeginAuthenticateAsClient( string targetHost, X509List clientCertificates, X509Chain caCertificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("SslStream is already authenticated"); } End = ConnectionEnd.Client; // Create the stream var client_stream = new SslStreamClient( InnerStream, targetHost, clientCertificates, caCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocation, remoteCertificateValidationCallback, localCertificateSelectionCallback); // set the internal stream sslStream = client_stream; // start the write operation return BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState); }
/// <summary> /// /// </summary> /// <param name="dh"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> public virtual void AuthenticateAsServer( DH dh, SslProtocols enabledSslProtocols, SslStrength sslStrength) { EndAuthenticateAsServer(BeginAuthenticateAsServer(dh, enabledSslProtocols, sslStrength, null, null)); }
/// <summary> /// /// </summary> /// <param name="dh"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="asyncCallback"></param> /// <param name="asyncState"></param> /// <returns></returns> public virtual IAsyncResult BeginAuthenticateAsServer( DH dh, SslProtocols enabledSslProtocols, SslStrength sslStrength, AsyncCallback asyncCallback, Object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("SslStream is already authenticated"); } // Initialize the server stream SslAnonStreamServer server_stream = new SslAnonStreamServer(InnerStream, false, dh, enabledSslProtocols, sslStrength); // Set the internal sslStream sslStream = server_stream; // Start the read operation return BeginRead(new byte[0], 0, 0, asyncCallback, asyncState); }
private void InitializeServerContext( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { if (serverCertificate == null) { throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null"); } if (!serverCertificate.HasPrivateKey) { throw new ArgumentException("Server certificate must have a private key", "serverCertificate"); } // Initialize the context sslContext = new SslContext(SslMethod.TLSv1_server_method, ConnectionEnd.Server, true, new[] { Protocols.Http2, Protocols.Http1 }); // Remove support for protocols not specified in the enabledSslProtocols if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2) { sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; } if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 && ((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)) { // no SSLv3 support sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; } if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls && (enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1; } // Set the context mode sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY; // Set the workaround options sslContext.Options = SslOptions.SSL_OP_ALL; // Set the client certificate verification callback if we are requiring client certs if (clientCertificateRequired) { sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback); } else { sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); } // Set the client certificate max verification depth sslContext.SetVerifyDepth(10); // Set the certificate store and ca list if (caCerts != null) { // Don't take ownership of the X509Store IntPtr. When we // SetCertificateStore, the context takes ownership of the store pointer. var cert_store = new X509Store(caCerts, false); sslContext.SetCertificateStore(cert_store); Stack<X509Name> name_stack = new Core.Stack<X509Name>(); foreach (X509Certificate cert in caCerts) { X509Name subject = cert.Subject; name_stack.Add(subject); } // Assign the stack to the context sslContext.CAList = name_stack; } // Set the cipher string sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength)); // Set the certificate sslContext.UseCertificate(serverCertificate); // Set the private key sslContext.UsePrivateKey(serverCertificate.PrivateKey); // Set the session id context sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes("AppDomainHost: UnitTests12345678"/*AppDomain.CurrentDomain.FriendlyName*/)); }
internal string GetCipherString(bool FIPSmode, SslProtocols sslProtocols, SslStrength sslStrength) { string str = ""; if (FIPSmode || ((sslStrength & SslStrength.High) == SslStrength.High)) { str = "HIGH"; } if (FIPSmode || ((sslStrength & SslStrength.Medium) == SslStrength.Medium)) { if (String.IsNullOrEmpty(str)) { str = "MEDIUM"; } else { str += ":MEDIUM"; } } if (!FIPSmode && ((sslStrength & SslStrength.Low) == SslStrength.Low)) { if (String.IsNullOrEmpty(str)) { str = "LOW"; } else { str += ":LOW"; } } if ((sslProtocols == SslProtocols.Default) || (sslProtocols == SslProtocols.Tls) || (sslProtocols == SslProtocols.Ssl3)) { if (String.IsNullOrEmpty(str)) { str = "!SSLv2"; } else { str += ":!SSLv2"; } } if (FIPSmode) { str += ":AES:3DES:SHA:!DES:!MD5:!IDEA:!RC2:!RC4"; } // Now format the return string return String.Format("{0}:!ADH:!aNULL:!eNULL:@STRENGTH", str); }
protected void InitializeClientContext(X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { // Initialize the context with the specified ssl version // Initialize the context sslContext = new SslContext(SslMethod.SSLv23_client_method); sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; if (enabledSslProtocols.HasFlag(SslProtocols.Ssl3) == false) { sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; } if (enabledSslProtocols.HasFlag(SslProtocols.Tls10) == false && enabledSslProtocols.HasFlag(SslProtocols.Default) == false) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1; } if (enabledSslProtocols.HasFlag(SslProtocols.Tls11) == false && enabledSslProtocols.HasFlag(SslProtocols.Default) == false) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1_1; } if (enabledSslProtocols.HasFlag(SslProtocols.Tls12) == false && enabledSslProtocols.HasFlag(SslProtocols.Default) == false) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1_2; } // Set the Local certificate selection callback sslContext.SetClientCertCallback(this.internalCertificateSelectionCallback); // Set the enabled cipher list sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength)); // Set the callbacks for remote cert verification and local cert selection if (remoteCertificateSelectionCallback != null) { sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback); } // Set the CA list into the store if (caCertificates != null) { X509Store store = new X509Store(caCertificates); sslContext.SetCertificateStore(store); } // Set up the read/write bio's read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); ssl = new Ssl(sslContext); ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into Client mode ssl.SetConnectState(); }
/// <summary> /// /// </summary> /// <param name="targetHost"></param> /// <param name="certificates"></param> /// <param name="caCertificates"></param> /// <param name="enabledSslProtocols"></param> /// <param name="sslStrength"></param> /// <param name="checkCertificateRevocation"></param> public virtual void AuthenticateAsClient( string targetHost, X509List certificates, X509Chain caCertificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { EndAuthenticateAsClient(BeginAuthenticateAsClient( targetHost, certificates, caCertificates, enabledSslProtocols, sslStrength, checkCertificateRevocation, null, null)); }
private void InitializeServerContext( DH dh, SslProtocols enabledSslProtocols, SslStrength sslStrength) { // Initialize the context sslContext = new SslContext(SslMethod.SSLv23_server_method); // Remove support for protocols not specified in the enabledSslProtocols if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2) { sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; } if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 && ((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)) { // no SSLv3 support sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; } if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls && (enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1; } // Set the context mode sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY; sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); // Set the cipher string sslContext.SetCipherList("ADH"); sslContext.SetTmpDhCallback(dh); }