public void OcspFromSelfSignedCertificate()
{
var caCertificate = CertificateProvider.GenerateCertificateAuthorityCertificate("Certificate Authority - Graham Miller");
var leafCertificate = CertificateProvider.GenerateSignedCertificateWithOcsp("Graham Miller", caCertificate);
WriteCertificateExtensions(leafCertificate);
}
public static IssuedCertificate RequestCertificate(AcmeClient client, CertificateProvider certProvider, string hostName, List <string> alternativeNames = null)
{
if (alternativeNames == null)
{
alternativeNames = new List <string>();
}
PrivateKey pk;
var csr = GenerateCSR(certProvider, hostName, alternativeNames, out pk);
var certRequest = client.RequestCertificate(JwsHelper.Base64UrlEncode(csr));
if (certRequest.StatusCode != HttpStatusCode.Created)
{
throw new CertificateApplicationException(certRequest, hostName, alternativeNames.ToArray());
}
Crt crt;
using (var ms = new MemoryStream())
{
certRequest.SaveCertificate(ms);
ms.Seek(0, SeekOrigin.Begin);
crt = certProvider.ImportCertificate(EncodingFormat.DER, ms);
}
var caCrt = GetCACertificate(certProvider, certRequest);
return(new IssuedCertificate {
PublicKey = crt, PrivateKey = pk, CAPublicKey = caCrt
});
}
public void SignAndVerifyData()
{
// create the certificates
var pfx = CertificateProvider.GenerateSelfSignedCertificate("Graham Miller");
Assert.That(pfx.HasPrivateKey, Is.True);
var cer = new X509Certificate2(pfx.Export(X509ContentType.Cert));
Assert.That(cer.HasPrivateKey, Is.False);
// sign data
var signer = (RSA)pfx.PrivateKey;
var signature = signer.SignData(Constants.PlainBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
// verify data
var verifier = (RSA)cer.PublicKey.Key;
var isVerified = verifier.VerifyData(Constants.PlainBytes, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
Assert.That(isVerified, Is.True);
// don't verify tampered with data
isVerified = verifier.VerifyData(Constants.DifferentPlainBytes, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
Assert.That(isVerified, Is.False);
}
public void Test()
{
var provider = new CertificateProvider(@"C:\Program Files (x86)\Fiddler2\makecert.exe");
provider.EnsureRootCertificate();
var certificate = provider.GetCertificateForHost("www.test3.com");
}
static Crt GetCACertificate(CertificateProvider cp, CertificateRequest certRequest)
{
var links = new LinkCollection(certRequest.Links);
var upLink = links.GetFirstOrDefault("up");
var temporaryFileName = Path.GetTempFileName();
try
{
var uri = new Uri(new Uri(Program.GlobalConfiguration.AcmeServerBaseUri), upLink.Uri);
TheWebClient.DownloadFile(uri, temporaryFileName);
var cacert = new X509Certificate2(temporaryFileName);
var serverSN = cacert.GetSerialNumberString();
using (Stream source = new FileStream(temporaryFileName, FileMode.Open))
{
return(cp.ImportCertificate(EncodingFormat.DER, source));
}
}
finally
{
if (File.Exists(temporaryFileName))
{
File.Delete(temporaryFileName);
}
}
}
public void TestExportArchive()
{
using (var cp = CertificateProvider.GetProvider())
{
var testPk = "CertificateProviderTests.key.json";
var testCert = "CertificateProviderTests-Certificate.pem";
var testIcaCert = "CertificateProviderTests-ICA-Certificate.pem";
PrivateKey pk;
using (var s = new FileStream(testPk, FileMode.Open))
{
pk = cp.LoadPrivateKey(s);
}
Crt cert;
using (var s = new FileStream(testCert, FileMode.Open))
{
cert = cp.ImportCertificate(EncodingFormat.PEM, s);
}
Crt icaCert;
using (var s = new FileStream(testIcaCert, FileMode.Open))
{
icaCert = cp.ImportCertificate(EncodingFormat.PEM, s);
}
using (var s = new MemoryStream())
{
var certs = new[] { cert, icaCert };
cp.ExportArchive(pk, certs, ArchiveFormat.PKCS12, s);
}
}
}
async public static Task <ProxySslRequest> For(ProxyRequest wrapperRequest, IRequestInspector wrapperRequestInspector)
{
if (_certProvider == null)
{
_certProvider = new CertificateProvider(MakeCertPath);
_certProvider.EnsureRootCertificate();
}
var sslRequest = new ProxySslRequest
{
WrapperRequest = wrapperRequest,
ClientPid = wrapperRequest.ClientPid,
ClientSocket = wrapperRequest.ClientSocket,
ClientStream = wrapperRequest.ClientStream
};
if (wrapperRequestInspector != null)
{
wrapperRequestInspector.OnTransferredToSecureRequest(sslRequest);
}
var hostName = sslRequest.GetHostName();
sslRequest._hostCert = _certProvider.GetCertificateForHost(hostName);
var clientSsslStream = new SslStream(wrapperRequest.ClientStream, true, RemoteCertificateValidator, sslRequest.LocalCertificateSelector);
await clientSsslStream.AuthenticateAsServerAsync(sslRequest._hostCert);
sslRequest.SecureClientStream = clientSsslStream;
sslRequest.ReadPrologue();
return(sslRequest);
}
static void RetrieveCertificates(AcmeClient client, string api, string domain, string certificatesFolder, int certBits)
{
var cp = CertificateProvider.GetProvider();
var rsaPkp = new RsaPrivateKeyParams()
{
NumBits = certBits
};
var rsaKeys = cp.GeneratePrivateKey(rsaPkp);
var csrParams = new CsrParams
{
Details = new CsrDetails {
CommonName = domain
}
};
var derRaw = default(byte[]);
var csr = cp.GenerateCsr(csrParams, rsaKeys, Crt.MessageDigest.SHA256);
using (var bs = new MemoryStream())
{
cp.ExportCsr(csr, EncodingFormat.DER, bs);
derRaw = bs.ToArray();
}
var derB64U = JwsHelper.Base64UrlEncode(derRaw);
var certRequ = client.RequestCertificate(derB64U);
if (certRequ.StatusCode == HttpStatusCode.Created)
{
GenerateCertFiles(cp, rsaKeys, csr, certRequ, certificatesFolder, domain);
}
}
public void TestInitialize()
{
this.env = new Mock <IAppPathProvider>();
this.env.SetupGet(t => t.AppPath).Returns(Environment.CurrentDirectory);
this.directory = new ActiveDirectory();
provider = new CertificateProvider(Mock.Of <ILogger <CertificateProvider> >(), directory, env.Object);
}
private static CertificateProvider GetCP()
{
CertificateProvider.RegisterProvider <ACMESharp.PKI.Providers.OpenSslCliProvider>();
//CertificateProvider.RegisterProvider<ACMESharp.PKI.Providers.CertEnrollProvider>();
return(CertificateProvider.GetProvider());
}
public void Should_use_assigned_certificate()
{
var provider = new CertificateProvider(ClientCert);
provider.Certificate.ShouldNotBeNull();
provider.Certificate.Thumbprint.ShouldBe(ClientCertThumbprint, StringCompareShould.IgnoreCase);
}
public void Ocsp()
{
var caCertificate = CertificateProvider.GenerateCertificateAuthorityCertificate("Certificate Authority - Graham Miller");
var leafCertificate = CertificateProvider.GenerateSignedCertificateWithOcsp("Graham Miller", caCertificate);
Verify(leafCertificate);
}
static byte[] GenerateCSR(CertificateProvider provider, string hostName, List <string> alternativeNames, out PrivateKey privateKey)
{
var csrDetails = new CsrDetails
{
CommonName = hostName
};
if (alternativeNames.Count > 0)
{
csrDetails.AlternativeNames = alternativeNames;
}
privateKey = provider.GeneratePrivateKey(new RsaPrivateKeyParams()
{
NumBits = Program.GlobalConfiguration.RSAKeyBits
});
var csr = provider.GenerateCsr(new CsrParams {
Details = csrDetails,
}, privateKey, Crt.MessageDigest.SHA256);
byte[] derRaw;
using (var bs = new MemoryStream())
{
provider.ExportCsr(csr, EncodingFormat.DER, bs);
bs.Seek(0, SeekOrigin.Begin);
derRaw = bs.ToArray();
}
return(derRaw);
}
public string GetIssuerCertificate(CertificateRequest certificate, CertificateProvider cp)
{
var linksEnum = certificate.Links;
if (linksEnum != null)
{
var links = new LinkCollection(linksEnum);
var upLink = links.GetFirstOrDefault("up");
if (upLink != null)
{
var tmp = Path.GetTempFileName();
try
{
using (var web = new WebClient())
{
var uri = new Uri(new Uri(this.baseURI), upLink.Uri);
web.DownloadFile(uri, tmp);
}
var cacert = new X509Certificate2(tmp);
var sernum = cacert.GetSerialNumberString();
var tprint = cacert.Thumbprint;
var sigalg = cacert.SignatureAlgorithm?.FriendlyName;
var sigval = cacert.GetCertHashString();
var cacertDerFile = Path.Combine(configPath, $"ca-{sernum}-crt.der");
var cacertPemFile = Path.Combine(configPath, $"ca-{sernum}-crt.pem");
if (!File.Exists(cacertDerFile))
{
File.Copy(tmp, cacertDerFile, true);
}
Console.WriteLine($" Saving Issuer Certificate to {cacertPemFile}");
Trace.TraceInformation("Saving Issuer Certificate to {0}", cacertPemFile);
if (!File.Exists(cacertPemFile))
{
using (FileStream source = new FileStream(cacertDerFile, FileMode.Open),
target = new FileStream(cacertPemFile, FileMode.Create))
{
var caCrt = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(caCrt, EncodingFormat.PEM, target);
}
}
return(cacertPemFile);
}
finally
{
if (File.Exists(tmp))
{
File.Delete(tmp);
}
}
}
}
return(null);
}
static void ExportPem(CertificateProvider certProvider, IssuedCertificate certificate, string filePath)
{
using (var fileStream = File.Create(filePath))
{
certProvider.ExportCertificate(certificate.PublicKey, EncodingFormat.PEM, fileStream);
certProvider.ExportPrivateKey(certificate.PrivateKey, EncodingFormat.PEM, fileStream);
}
}
static string DownloadIssuerCertificate(CertificateProvider provider,
CertificateRequest request, string api, string certificatesFolder)
{
var linksEnum = request.Links;
var isuPemFile = string.Empty;
if (linksEnum != null)
{
var links = new LinkCollection(linksEnum);
var upLink = links.GetFirstOrDefault(SERVER_UP_STRING);
if (upLink != null)
{
var temporaryFileName = Path.GetTempFileName();
try
{
using (var web = new WebClient())
{
var apiUri = new Uri(new Uri(api), upLink.Uri);
web.DownloadFile(apiUri, temporaryFileName);
}
var cacert = new X509Certificate2(temporaryFileName);
var sernum = cacert.GetSerialNumberString();
var cacertDerFile = Path.Combine(certificatesFolder, $"ca-{sernum}-crt.der");
var cacertPemFile = Path.Combine(certificatesFolder, $"ca-{sernum}-crt.pem");
if (!File.Exists(cacertDerFile))
{
File.Copy(temporaryFileName, cacertDerFile, true);
}
if (!File.Exists(cacertPemFile))
{
using (FileStream source = new FileStream(cacertDerFile, FileMode.Open),
target = new FileStream(cacertPemFile, FileMode.Create))
{
var caCrt = provider.ImportCertificate(EncodingFormat.DER, source);
provider.ExportCertificate(caCrt, EncodingFormat.PEM, target);
}
}
isuPemFile = cacertPemFile;
}
finally
{
if (File.Exists(temporaryFileName))
{
File.Delete(temporaryFileName);
}
}
}
}
return(isuPemFile);
}
/// <summary>
/// Creates a new instance of an object.
/// </summary>
/// <param name="previous">Previous connection filter to apply.</param>
public TlsFilter(IConnectionFilter previous = null)
{
if (previous == null)
{
previous = new NoOpConnectionFilter();
}
this.Options = Service.Providers.Resolve <CertificateProvider>();
this.Previous = previous;
}
private void TestImportCertificate(EncodingFormat fmt, string filePath)
{
using (var cp = CertificateProvider.GetProvider())
{
using (var source = new FileStream(filePath, FileMode.Open))
{
var crt = cp.ImportCertificate(fmt, source);
}
}
}
private string GetIssuerCertificate(CertificateRequest certificate, CertificateProvider cp)
{
var linksEnum = certificate.Links;
if (linksEnum != null)
{
var links = new LinkCollection(linksEnum);
var upLink = links.GetFirstOrDefault("up");
if (upLink != null)
{
var tmp = Path.GetTempFileName();
try
{
using (var web = new WebClient())
{
var uri = new Uri(new Uri(acmeUri), upLink.Uri);
web.DownloadFile(uri, tmp);
}
var cacert = new X509Certificate2(tmp);
var sernum = cacert.GetSerialNumberString();
var cacertDerFile = Path.Combine(certificatePath, $"ca-{sernum}-crt.der");
var cacertPemFile = Path.Combine(certificatePath, $"ca-{sernum}-crt.pem");
if (!File.Exists(cacertDerFile))
{
File.Copy(tmp, cacertDerFile, true);
}
logger.Debug($"Saving Issuer Certificate to {cacertPemFile}");
if (!File.Exists(cacertPemFile))
{
using (FileStream source = new FileStream(cacertDerFile, FileMode.Open),
target = new FileStream(cacertPemFile, FileMode.Create))
{
var caCrt = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(caCrt, EncodingFormat.PEM, target);
}
}
return(cacertPemFile);
}
finally
{
if (File.Exists(tmp))
{
File.Delete(tmp);
}
}
}
}
return(null);
}
public static void GetCertificateUseCSR(CertificateGeneratorParam param)
{
if (param == null)
{
log.Info($" {nameof(param)} is null");
return;
}
var dnsIdentifier = DateTime.Now.ToString("yyyyMMddHHmmss");
var cp = CertificateProvider.GetProvider();
MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(param.csr));
var csr = cp.ImportCsr(EncodingFormat.PEM, ms);
ms.Dispose();
byte[] derRaw;
using (var bs = new MemoryStream())
{
cp.ExportCsr(csr, EncodingFormat.DER, bs);
derRaw = bs.ToArray();
}
var derB64u = JwsHelper.Base64UrlEncode(derRaw);
log.Info($"\nRequesting Certificate");
var certRequ = param.client.RequestCertificate(derB64u);
log.Info($" Request Status: {certRequ.StatusCode}");
if (certRequ.StatusCode == System.Net.HttpStatusCode.Created)
{
var csrPemFile = Path.Combine(param.path, $"{dnsIdentifier}-csr.pem");
var crtDerFile = Path.Combine(param.path, $"{dnsIdentifier}-crt.der");
var crtPemFile = Path.Combine(param.path, $"{dnsIdentifier}-crt.pem");
using (var fs = new FileStream(csrPemFile, FileMode.Create))
cp.ExportCsr(csr, EncodingFormat.PEM, fs);
log.Info($" Saving Certificate to {crtDerFile}");
using (var file = File.Create(crtDerFile))
certRequ.SaveCertificate(file);
Crt crt;
using (FileStream source = new FileStream(crtDerFile, FileMode.Open),
target = new FileStream(crtPemFile, FileMode.Create))
{
crt = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(crt, EncodingFormat.PEM, target);
}
cp.Dispose();
return;
}
throw new Exception($"Request status = {certRequ.StatusCode}");
}
static void ExportPfx(CertificateProvider certProvider, IssuedCertificate certificate, string filePath)
{
using (var fileStream = File.Create(filePath))
{
certProvider.ExportArchive(
certificate.PrivateKey,
new[] { certificate.PublicKey, certificate.CAPublicKey },
ArchiveFormat.PKCS12,
fileStream);
}
}
private string GetIssuerCertificate(CertificateRequest certificate, CertificateProvider cp)
{
var linksEnum = certificate.Links;
if (linksEnum == null)
{
return(null);
}
LinkCollection links = new LinkCollection(linksEnum);
Link upLink = links.GetFirstOrDefault("up");
if (upLink == null)
{
return(null);
}
string temporaryFileName = Path.GetTempFileName();
try
{
using (WebClient web = new WebClient())
{
Uri uri = new Uri(new Uri(_options.BaseUri), upLink.Uri);
web.DownloadFile(uri, temporaryFileName);
}
X509Certificate2 cacert = new X509Certificate2(temporaryFileName);
string sernum = cacert.GetSerialNumberString();
string cacertDerFile = Path.Combine(_options.CertificateFolder, $"ca-{sernum}-crt.der");
string cacertPemFile = Path.Combine(_options.CertificateFolder, $"ca-{sernum}-crt.pem");
File.Copy(temporaryFileName, cacertDerFile, true);
Log.Information($"Saving Issuer Certificate to {cacertPemFile}");
using (FileStream source = new FileStream(cacertDerFile, FileMode.Open),
target = new FileStream(cacertPemFile, FileMode.Create))
{
Crt caCrt = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(caCrt, EncodingFormat.PEM, target);
}
return(cacertPemFile);
}
finally
{
if (File.Exists(temporaryFileName))
{
File.Delete(temporaryFileName);
}
}
}
/// <summary>
/// Get the certificate signing request
/// </summary>
/// <param name="cp"></param>
/// <param name="target"></param>
/// <param name="identifiers"></param>
/// <param name="rsaPk"></param>
/// <returns></returns>
private Csr GetCsr(CertificateProvider cp, List <string> identifiers, PrivateKey rsaPk)
{
var csr = cp.GenerateCsr(new CsrParams
{
Details = new CsrDetails()
{
CommonName = identifiers.FirstOrDefault(),
AlternativeNames = identifiers
}
}, rsaPk, Crt.MessageDigest.SHA256);
return(csr);
}
public static void Export(CertificateProvider certProvider, IssuedCertificate certificate, CertOutputType outType, string filePath)
{
switch (outType)
{
case CertOutputType.Pfx:
ExportPfx(certProvider, certificate, filePath);
break;
case CertOutputType.Pem:
ExportPem(certProvider, certificate, filePath);
break;
}
}
public IRestClient AddClientAuthentication(IRestClient client)
{
if (client.ClientCertificates == null)
{
client.ClientCertificates = new X509CertificateCollection();
}
var clientCertificate = CertificateProvider.GetCertificate(_certificate, _privateKey, _password);
client.ClientCertificates.Add(clientCertificate);
return(client);
}
private void RegisterDependencies(IServiceCollection services)
{
services.AddSimpleIdentityServerWebSite(opt =>
{
opt.IsHttpsAuthentication = true;
opt.IsCertificateSelfSigned = true;
opt.Certificate = CertificateProvider.Get();
opt.DockerApiUri = new Uri(_simpleIdentityServerOptions.DockerApiUrl);
});
var endPointConfiguration = new EndPointConfiguration(_simpleIdentityServerOptions.InstancePatternUrl);
services.AddInstance <IEndPointConfiguration>(endPointConfiguration);
services.AddSimpleIdentityServerEf(_simpleIdentityServerOptions.ConnectionString);
}
internal static X509Certificate2Collection GetClientCertificates(ConnectionParameters parameters)
{
if (parameters.ClientCertificate == null)
{
return(null);
}
var clientCertificateCollection = new X509Certificate2Collection();
var certificate = (X509Certificate2)CertificateProvider.GetCertificate(parameters.ClientCertificate);
clientCertificateCollection.Add(certificate);
return(clientCertificateCollection);
}
private void TestExportCertificate(EncodingFormat fmt, string filePath)
{
using (var cp = CertificateProvider.GetProvider())
{
using (var source = new FileStream(filePath, FileMode.Open))
{
var crt = cp.ImportCertificate(fmt, source);
using (var target = new MemoryStream())
{
cp.ExportCertificate(crt, fmt, target);
}
}
}
}
protected override void Initialize()
{
var endpoint = GetEndPoint();
if (!IPAddress.IsLoopback(endpoint.Address) && endpoint.Address != IPAddress.Any)
{
throw new InvalidOperationException();
}
string password;
var data = CertificateProvider.GetRawCertificateData(Certificate, out password);
openssl.SetCertificate(data, password);
openssl.Bind(endpoint);
}
/// <summary>
/// Get the certificate signing request
/// </summary>
/// <param name="cp"></param>
/// <param name="target"></param>
/// <param name="identifiers"></param>
/// <param name="rsaPk"></param>
/// <returns></returns>
private Csr GetCsr(CertificateProvider cp, List<string> identifiers, PrivateKey rsaPk, string commonName = null)
{
if (commonName != null && !identifiers.Contains(commonName, StringComparer.InvariantCultureIgnoreCase))
{
_log.Warning($"{nameof(commonName)} '{commonName}' provided for CSR generation is invalid. It has to be part of the {nameof(identifiers)}.");
commonName = null;
}
var csr = cp.GenerateCsr(new CsrParams
{
Details = new CsrDetails()
{
CommonName = commonName ?? identifiers.FirstOrDefault(),
AlternativeNames = identifiers
}
}, rsaPk, Crt.MessageDigest.SHA256);
return csr;
}
public static string GetIssuerCertificate(CertificateRequest certificate, CertificateProvider cp)
{
var linksEnum = certificate.Links;
if (linksEnum != null)
{
var links = new LinkCollection(linksEnum);
var upLink = links.GetFirstOrDefault("up");
if (upLink != null)
{
var tmp = Path.GetTempFileName();
try
{
using (var web = new WebClient())
{
var uri = new Uri(new Uri(BaseURI), upLink.Uri);
web.DownloadFile(uri, tmp);
}
var cacert = new X509Certificate2(tmp);
var sernum = cacert.GetSerialNumberString();
var tprint = cacert.Thumbprint;
var sigalg = cacert.SignatureAlgorithm?.FriendlyName;
var sigval = cacert.GetCertHashString();
var cacertDerFile = Path.Combine(certificatePath, $"ca-{sernum}-crt.der");
var cacertPemFile = Path.Combine(certificatePath, $"ca-{sernum}-crt.pem");
if (!File.Exists(cacertDerFile))
File.Copy(tmp, cacertDerFile, true);
Console.WriteLine($" Saving Issuer Certificate to {cacertPemFile}");
Log.Information("Saving Issuer Certificate to {cacertPemFile}", cacertPemFile);
if (!File.Exists(cacertPemFile))
using (FileStream source = new FileStream(cacertDerFile, FileMode.Open),
target = new FileStream(cacertPemFile, FileMode.Create))
{
var caCrt = cp.ImportCertificate(EncodingFormat.DER, source);
cp.ExportCertificate(caCrt, EncodingFormat.PEM, target);
}
return cacertPemFile;
}
finally
{
if (File.Exists(tmp))
File.Delete(tmp);
}
}
}
return null;
}
private static void HandleSslConnect(ConnectToRemoteState state)
{
var connectStreamWriter = new StreamWriter(state.ClientStream);
connectStreamWriter.WriteLine("HTTP/1.0 200 Connection established");
connectStreamWriter.WriteLine("Timestamp: {0}", DateTime.Now);
connectStreamWriter.WriteLine("Proxy-agent: GOS Proxy Service");
connectStreamWriter.WriteLine();
connectStreamWriter.Flush();
var sslStream = new SslStream(state.ClientStream, false);
try
{
var certProvider = new CertificateProvider();
bool created;
var certificate = certProvider.LoadOrCreateCertificate(state.RemoteHost, out created);
sslStream.AuthenticateAsServer(certificate, false, SslProtocols.Tls | SslProtocols.Ssl3 | SslProtocols.Ssl2, true);
}
catch (Exception ex)
{
WriteLog(state.Session, 0, "ERR", ex.Message);
sslStream.Close();
state.ClientStream.Close();
connectStreamWriter.Close();
return;
}
var nstate = new ClientConnectionState
{
Session = state.Session,
Client = state.Client,
ClientStream = sslStream,
ClientStreamBase = (NetworkStream)state.ClientStream,
Buffer = new byte[Globals.BufferSize],
MessageStream = new MemoryStream(),
IsSsl = true,
};
try
{
sslStream.BeginRead(nstate.Buffer, 0, nstate.Buffer.Length, ReadFromClient.Run, nstate);
}
catch (Exception ex)
{
WriteLog(state.Session, 0, "ERR", ex.Message);
sslStream.Close();
state.ClientStream.Close();
}
}
