public static void ThrowOnNotAllowed(SslProtocols protocols, bool allowNone = true) { if ((!allowNone && (protocols == SslProtocols.None)) || ((protocols & ~AllowedSecurityProtocols) != 0)) { throw new NotSupportedException(SR.net_securityprotocolnotsupported); } }
internal SecureChannel(string hostname, bool serverMode, SslProtocols sslProtocols, X509Certificate serverCertificate, X509CertificateCollection clientCertificates, bool remoteCertRequired, bool checkCertName, bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy, LocalCertSelectionCallback certSelectionDelegate) { GlobalLog.Enter("SecureChannel#" + Logging.HashString(this) + "::.ctor", "hostname:" + hostname + " #clientCertificates=" + ((clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo))); if (Logging.On) { Logging.PrintInfo(Logging.Web, this, ".ctor", "hostname=" + hostname + ", #clientCertificates=" + ((clientCertificates == null) ? "0" : clientCertificates.Count.ToString(NumberFormatInfo.InvariantInfo)) + ", encryptionPolicy=" + encryptionPolicy); } SSPIWrapper.VerifyPackageInfo(GlobalSSPI.SSPISecureChannel); _destination = hostname; GlobalLog.Assert(hostname != null, "SecureChannel#{0}::.ctor()|hostname == null", Logging.HashString(this)); _hostName = hostname; _serverMode = serverMode; _sslProtocols = sslProtocols; _serverCertificate = serverCertificate; _clientCertificates = clientCertificates; _remoteCertRequired = remoteCertRequired; _securityContext = null; _checkCertRevocation = checkCertRevocationStatus; _checkCertName = checkCertName; _certSelectionDelegate = certSelectionDelegate; _refreshCredentialNeeded = true; _encryptionPolicy = encryptionPolicy; GlobalLog.Leave("SecureChannel#" + Logging.HashString(this) + "::.ctor"); }
/// <summary> /// Initializes a new instance of the <see cref="SecureHttpContext"/> class. /// </summary> /// <param name="protocols">SSL protocol to use.</param> /// <param name="socket">The socket.</param> /// <param name="context">The context.</param> /// <param name="certificate">Server certificate to use.</param> public SecureHttpContext(X509Certificate certificate, SslProtocols protocols, Socket socket, MessageFactoryContext context) : base(socket, context) { _certificate = certificate; Protocol = protocols; }
public SslTransportFactory(X509Certificate certificate, SslProtocols protocols, ILayerFactory next, bool clientCertificateRequired) { _certificate = certificate; _protocols = protocols; _clientCertificateRequired = clientCertificateRequired; _next = next; }
public HttpsTestServer(X509Certificate serverCertificate, SslProtocols acceptedProtocols = SslProtocols.Tls) { _serverCertificate = serverCertificate; _protocols = acceptedProtocols; _log = VerboseTestLogging.GetInstance(); AuxRecordDetected = false; }
public SslStreamServer( Stream stream, bool ownStream, X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation, RemoteCertificateValidationHandler remote_callback) : base(stream, ownStream) { this.checkCertificateRevocationStatus = checkCertificateRevocation; this.remoteCertificateSelectionCallback = remote_callback; // Initialize the SslContext object InitializeServerContext(serverCertificate, clientCertificateRequired, caCerts, enabledSslProtocols, sslStrength, checkCertificateRevocation); ssl = new Ssl(sslContext); // Initialze the read/write bio read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); // Set the read/write bio's into the the Ssl object ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into server mode ssl.SetAcceptState(); }
public SecureTcpServer(int listenPort, X509Certificate serverCertificate, SecureConnectionResultsCallback callback, RemoteCertificateValidationCallback certValidationCallback) { if (listenPort < 0 || listenPort > UInt16.MaxValue) throw new ArgumentOutOfRangeException("listenPort"); if (serverCertificate == null) throw new ArgumentNullException("serverCertificate"); if (callback == null) throw new ArgumentNullException("callback"); onAcceptConnection = new AsyncCallback(OnAcceptConnection); onAuthenticateAsServer = new AsyncCallback(OnAuthenticateAsServer); this.serverCert = serverCertificate; this.certValidationCallback = certValidationCallback; this.connectionCallback = callback; this.listenPort = listenPort; this.disposed = 0; this.checkCertifcateRevocation = false; this.clientCertificateRequired = false; this.sslProtocols = SslProtocols.Default; }
internal SecureChannel(string hostname, bool serverMode, SslProtocols sslProtocols, X509Certificate serverCertificate, X509CertificateCollection clientCertificates, bool remoteCertRequired, bool checkCertName, bool checkCertRevocationStatus, EncryptionPolicy encryptionPolicy, LocalCertSelectionCallback certSelectionDelegate) { if (NetEventSource.IsEnabled) { NetEventSource.Enter(this, hostname, clientCertificates); NetEventSource.Log.SecureChannelCtor(this, hostname, clientCertificates, encryptionPolicy); } SslStreamPal.VerifyPackageInfo(); _destination = hostname; if (hostname == null) { NetEventSource.Fail(this, "hostname == null"); } _hostName = hostname; _serverMode = serverMode; _sslProtocols = sslProtocols; _serverCertificate = serverCertificate; _clientCertificates = clientCertificates; _remoteCertRequired = remoteCertRequired; _securityContext = null; _checkCertRevocation = checkCertRevocationStatus; _checkCertName = checkCertName; _certSelectionDelegate = certSelectionDelegate; _refreshCredentialNeeded = true; _encryptionPolicy = encryptionPolicy; if (NetEventSource.IsEnabled) NetEventSource.Exit(this); }
public virtual IAsyncResult BeginAuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { this._SslState.ValidateCreateContext(false, targetHost, enabledSslProtocols, null, clientCertificates, true, checkCertificateRevocation); LazyAsyncResult lazyResult = new LazyAsyncResult(this._SslState, asyncState, asyncCallback); this._SslState.ProcessAuthentication(lazyResult); return lazyResult; }
/// <summary> /// Initializes a new instance of the <see cref="HttpListenerBase"/> class. /// </summary> /// <param name="address">IP Address to accept connections on</param> /// <param name="port">TCP Port to listen on, default HTTPS port is 443</param> /// <param name="factory">Factory used to create <see cref="IHttpClientContext"/>es.</param> /// <param name="certificate">Certificate to use</param> /// <param name="protocol">which HTTPS protocol to use, default is TLS.</param> protected HttpListenerBase( IPAddress address, int port, IHttpContextFactory factory, X509Certificate certificate, SslProtocols protocol) : this(address, port, factory, certificate) { _sslProtocol = protocol; }
public SafeFreeCredentials(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy) : base(IntPtr.Zero, true) { Debug.Assert( certificate == null || certificate is X509Certificate2, "Only X509Certificate2 certificates are supported at this time"); X509Certificate2 cert = (X509Certificate2)certificate; if (cert != null) { Debug.Assert(cert.HasPrivateKey, "cert.HasPrivateKey"); using (RSAOpenSsl rsa = (RSAOpenSsl)cert.GetRSAPrivateKey()) { if (rsa != null) { _certKeyHandle = rsa.DuplicateKeyHandle(); Interop.libcrypto.CheckValidOpenSslHandle(_certKeyHandle); } } // TODO (3390): Add support for ECDSA. Debug.Assert(_certKeyHandle != null, "Failed to extract a private key handle"); _certHandle = Interop.libcrypto.X509_dup(cert.Handle); Interop.libcrypto.CheckValidOpenSslHandle(_certHandle); } _protocols = protocols; _policy = policy; }
public TTlsServerSocketTransport( int port, bool useBufferedSockets, X509Certificate2 certificate, RemoteCertificateValidationCallback clientCertValidator = null, LocalCertificateSelectionCallback localCertificateSelectionCallback = null, SslProtocols sslProtocols = SslProtocols.Tls12) { if (!certificate.HasPrivateKey) { throw new TTransportException(TTransportException.ExceptionType.Unknown, "Your server-certificate needs to have a private key"); } _port = port; _serverCertificate = certificate; _useBufferedSockets = useBufferedSockets; _clientCertValidator = clientCertValidator; _localCertificateSelectionCallback = localCertificateSelectionCallback; _sslProtocols = sslProtocols; try { // Create server socket _server = new TcpListener(IPAddress.Any, _port); _server.Server.NoDelay = true; } catch (Exception) { _server = null; throw new TTransportException($"Could not create ServerSocket on port {port}."); } }
public SslServer(X509Certificate2 cert, bool certRequired, SslProtocols enabledProt, bool expectedExcep) { certificate = cert; clientCertificateRequired = certRequired; enabledSslProtocols = enabledProt; expectedException = expectedExcep; if (!certificate.HasPrivateKey) { Console.WriteLine("ERROR: The cerfiticate does not have a private key."); throw new Exception("No Private Key in the certificate file"); } //Get the IPV4 address on this machine which is all that the MF devices support. foreach (IPAddress address in Dns.GetHostAddresses(Dns.GetHostName())) { if (address.AddressFamily == AddressFamily.InterNetwork) { ipAddress = address; break; } } if (ipAddress == null) throw new Exception("No IPV4 address found."); //Console.WriteLine("ipAddress is: " + ipAddress.ToString()); //Console.WriteLine("port is: " + port.ToString()); }
/// <summary> /// see https://www.openssl.org/docs/apps/ciphers.html /// for details about OpenSSL cipher string /// </summary> /// <returns>The string.</returns> /// <param name="sslProtocols">SSL protocols.</param> /// <param name="sslStrength">SSL strength.</param> public static string MakeString(SslProtocols sslProtocols, SslStrength sslStrength) { var parts = new List<string>(); if (EnumExtensions.HasFlag(sslStrength, SslStrength.High)) { parts.Add("HIGH"); } if (EnumExtensions.HasFlag(sslStrength, SslStrength.Medium)) { parts.Add("MEDIUM"); } if (EnumExtensions.HasFlag(sslStrength, SslStrength.Low)) { parts.Add("LOW"); } if ((sslProtocols == SslProtocols.Default) || (sslProtocols == SslProtocols.Tls) || (sslProtocols == SslProtocols.Ssl3)) { parts.Add("!SSLv2"); } parts.Add("!ADH"); parts.Add("!aNULL"); parts.Add("!eNULL"); parts.Add("@STRENGTH"); return string.Join(":", parts.ToArray()); }
public async Task ClientAsyncAuthenticate_MismatchProtocols_Fails( SslProtocols serverProtocol, SslProtocols clientProtocol, Type expectedException) { await Assert.ThrowsAsync(expectedException, () => ClientAsyncSslHelper(serverProtocol, clientProtocol)); }
public AsyncStreamSocketSession(Socket client, SslProtocols security, IPool<BufferState> bufferStatePool, bool isReset) : base(client) { SecureProtocol = security; m_BufferStatePool = bufferStatePool; m_IsReset = isReset; }
public async Task ClientAsyncAuthenticate_EachClientUnsupportedProtocol_Fail(SslProtocols protocol) { await Assert.ThrowsAsync<NotSupportedException>(() => { return ClientAsyncSslHelper(protocol, SslProtocolSupport.SupportedSslProtocols); }); }
public TcpTransportSecurity() { this.clientCredentialType = DefaultClientCredentialType; this.protectionLevel = DefaultProtectionLevel; this.extendedProtectionPolicy = ChannelBindingUtility.DefaultPolicy; this.sslProtocols = TransportDefaults.SslProtocols; }
#pragma warning restore 0618 public void DisabledProtocols_SetSslProtocols_ThrowsException(SslProtocols disabledProtocols) { using (var handler = new HttpClientHandler()) { Assert.Throws<NotSupportedException>(() => handler.SslProtocols = disabledProtocols); } }
public ImapClient(string host, int port, SslProtocols sslProtocol = SslProtocols.None, bool validateServerCertificate = true) : this() { Host = host; Port = port; SslProtocol = sslProtocol; ValidateServerCertificate = validateServerCertificate; }
public void SetGetProtocols_Roundtrips(SslProtocols protocols) { using (var handler = new HttpClientHandler()) { handler.SslProtocols = protocols; Assert.Equal(protocols, handler.SslProtocols); } }
public DataConnection(FtpSession session, Socket listenSocket, int port) { m_Session = session; m_Address = session.Config.Ip; SecureProtocol = session.Context.DataSecureProtocol; m_Listener = listenSocket; m_Port = port; }
/// <summary> /// Initializes a new instance of the <see cref="HttpListenerBase"/> class. /// </summary> /// <param name="address">IP Address to accept connections on</param> /// <param name="port">TCP Port to listen on, default HTTPS port is 443</param> /// <param name="factory">Factory used to create <see cref="IHttpClientContext"/>es.</param> /// <param name="certificate">Certificate to use</param> /// <param name="protocol">which HTTPS protocol to use, default is TLS.</param> /// <param name="requireClientCerts">True to require SSL client certificates</param> protected HttpListenerBase(IPAddress address, int port, IHttpContextFactory factory, X509Certificate certificate, SslProtocols protocol, bool requireClientCerts) : this(address, port, factory) { _certificate = certificate; _requireClientCerts = requireClientCerts; _sslProtocol = protocol; }
public SslTransportHandler(ITransportLayerHandler next, X509Certificate serverCertificate, SslProtocols protocols) { _protocols = protocols; _next = next; _serverCertificate = serverCertificate; _inputStream = new InputStream(this); next.Callback = this; }
internal static SafeSslHandle AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, bool isServer, bool remoteCertRequired) { SafeSslHandle context = null; IntPtr method = GetSslMethod(protocols); using (SafeSslContextHandle innerContext = Ssl.SslCtxCreate(method)) { if (innerContext.IsInvalid) { throw CreateSslException(SR.net_allocate_ssl_context_failed); } // Configure allowed protocols. It's ok to use DangerousGetHandle here without AddRef/Release as we just // create the handle, it's rooted by the using, no one else has a reference to it, etc. Ssl.SetProtocolOptions(innerContext.DangerousGetHandle(), protocols); // The logic in SafeSslHandle.Disconnect is simple because we are doing a quiet // shutdown (we aren't negotiating for session close to enable later session // restoration). // // If you find yourself wanting to remove this line to enable bidirectional // close-notify, you'll probably need to rewrite SafeSslHandle.Disconnect(). // https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html Ssl.SslCtxSetQuietShutdown(innerContext); if (!Ssl.SetEncryptionPolicy(innerContext, policy)) { throw new PlatformNotSupportedException(SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy)); } if (certHandle != null && certKeyHandle != null) { SetSslCertificate(innerContext, certHandle, certKeyHandle); } if (remoteCertRequired) { Debug.Assert(isServer, "isServer flag should be true"); Ssl.SslCtxSetVerify(innerContext, s_verifyClientCertificate); //update the client CA list UpdateCAListFromRootStore(innerContext); } context = SafeSslHandle.Create(innerContext, isServer); Debug.Assert(context != null, "Expected non-null return value from SafeSslHandle.Create"); if (context.IsInvalid) { context.Dispose(); throw CreateSslException(SR.net_allocate_ssl_context_failed); } } return context; }
public WebSocket(string uri, string subProtocol = "", List<KeyValuePair<string, string>> cookies = null, List<KeyValuePair<string, string>> customHeaderItems = null, string userAgent = "", string origin = "", WebSocketVersion version = WebSocketVersion.None, EndPoint httpConnectProxy = null, SslProtocols sslProtocols = SslProtocols.None) { #if !NETFX_CORE if (sslProtocols != SslProtocols.None) m_SecureProtocols = sslProtocols; #endif Initialize(uri, subProtocol, cookies, customHeaderItems, userAgent, origin, version, httpConnectProxy); }
public virtual void AuthenticateAsServer(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation) { if (!ComNetOS.IsWin2K) { throw new PlatformNotSupportedException(SR.GetString("Win2000Required")); } this._SslState.ValidateCreateContext(true, string.Empty, enabledSslProtocols, serverCertificate, null, clientCertificateRequired, checkCertificateRevocation); this._SslState.ProcessAuthentication(null); }
public async Task ServerAsyncAuthenticate_EachServerUnsupportedProtocol_Fail(SslProtocols protocol) { await Assert.ThrowsAsync<NotSupportedException>(() => { return ServerAsyncSslHelper( SslProtocolSupport.SupportedSslProtocols, protocol, expectedToFail: true); }); }
public async Task GetAsync_AllowedSSLVersion_Succeeds(SslProtocols acceptedProtocol, string url) { using (var handler = new HttpClientHandler()) using (var client = new HttpClient(handler)) { handler.SslProtocols = acceptedProtocol; using (await client.GetAsync(url)) { } } }
/// <summary> /// Constructor, for client side. /// </summary> /// <param name="targetHost"> /// a string that indicates the name of the server that shares the SSL. /// </param> /// <param name="certificate"> /// a X509Certificate that specifies the certificate used to authenticate the client. /// </param> /// <param name="enabledSslProtocols"> /// the SslProtocols value that represents the protocol used for authentication. /// </param> /// <exception cref="ArgumentNullException"> /// thrown when targetHost is null /// </exception> public ClientSslProvider(string targetHost, X509Certificate certificate, SslProtocols enabledSslProtocols) : base(certificate, enabledSslProtocols) { if (targetHost == null) { throw new ArgumentNullException("targetHost"); } this.targetHost = targetHost; }
// // The app is calling this method after starting an SSL handshake. // // ATTN: The thumbPrint must be from inspected and possibly cloned user Cert object or we get a security hole in SslCredKey ctor. // internal static void CacheCredential(SafeFreeCredentials creds, byte[] thumbPrint, SslProtocols sslProtocols, bool isServer, EncryptionPolicy encryptionPolicy) { GlobalLog.Assert(creds != null, "CacheCredential|creds == null"); if (creds.IsInvalid) { GlobalLog.Print("CacheCredential() Refused to cache an Invalid Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count); return; } object key = new SslCredKey(thumbPrint, (int)sslProtocols, isServer, encryptionPolicy); SafeCredentialReference cached = s_CachedCreds[key] as SafeCredentialReference; if (cached == null || cached.IsClosed || cached.Target.IsInvalid) { lock (s_CachedCreds) { cached = s_CachedCreds[key] as SafeCredentialReference; if (cached == null || cached.IsClosed) { cached = SafeCredentialReference.CreateReference(creds); if (cached == null) { // Means the handle got closed in between, return it back and let caller deal with the issue. return; } s_CachedCreds[key] = cached; GlobalLog.Print("CacheCredential() Caching New Handle = " + creds.ToString() + ", Current Cache Count = " + s_CachedCreds.Count); // // A simplest way of preventing infinite cache grows. // // Security relief (DoS): // A number of active creds is never greater than a number of _outstanding_ // security sessions, i.e. SSL connections. // So we will try to shrink cache to the number of active creds once in a while. // // We won't shrink cache in the case when NO new handles are coming to it. // if ((s_CachedCreds.Count % CheckExpiredModulo) == 0) { DictionaryEntry[] toRemoveAttempt = new DictionaryEntry[s_CachedCreds.Count]; s_CachedCreds.CopyTo(toRemoveAttempt, 0); for (int i = 0; i < toRemoveAttempt.Length; ++i) { cached = toRemoveAttempt[i].Value as SafeCredentialReference; if (cached != null) { creds = cached.Target; cached.Dispose(); if (!creds.IsClosed && !creds.IsInvalid && (cached = SafeCredentialReference.CreateReference(creds)) != null) { s_CachedCreds[toRemoveAttempt[i].Key] = cached; } else { s_CachedCreds.Remove(toRemoveAttempt[i].Key); } } } GlobalLog.Print("Scavenged cache, New Cache Count = " + s_CachedCreds.Count); } } else { GlobalLog.Print("CacheCredential() (locked retry) Found already cached Handle = " + cached.Target.ToString()); } } } else { GlobalLog.Print("CacheCredential() Ignoring incoming handle = " + creds.ToString() + " since found already cached Handle = " + cached.Target.ToString()); } }
/// <summary> /// Activates SSL on this stream using the specified protocols. Fires the ValidateCertificate event. /// If this event is not handled and there are SslPolicyErrors present, the certificate will /// not be accepted. /// </summary> /// <param name="targethost">The host to authenticate the certificate against</param> /// <param name="clientCerts">A collection of client certificates to use when authenticating the SSL stream</param> /// <param name="sslProtocols">A bitwise parameter for supported encryption protocols.</param> /// <exception cref="AuthenticationException">Thrown when authentication fails</exception> public async Task ActivateEncryptionAsync(string targethost, X509CertificateCollection clientCerts, SslProtocols sslProtocols) { if (!IsConnected) { throw new InvalidOperationException("The FtpSocketStream object is not connected."); } if (m_netStream == null) { throw new InvalidOperationException("The base network stream is null."); } if (m_sslStream != null) { throw new InvalidOperationException("SSL Encryption has already been enabled on this stream."); } try { DateTime auth_start; TimeSpan auth_time_total; #if CORE m_sslStream = new SslStream(NetworkStream, true, new RemoteCertificateValidationCallback( delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(OnValidateCertificate(certificate, chain, sslPolicyErrors)); } )); #else m_sslStream = new FtpSslStream(NetworkStream, true, new RemoteCertificateValidationCallback( delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return(OnValidateCertificate(certificate, chain, sslPolicyErrors)); } )); #endif auth_start = DateTime.Now; await m_sslStream.AuthenticateAsClientAsync(targethost, clientCerts, sslProtocols, true); auth_time_total = DateTime.Now.Subtract(auth_start); FtpTrace.WriteStatus(FtpTraceLevel.Info, "FTPS Authentication Successful"); FtpTrace.WriteStatus(FtpTraceLevel.Verbose, "Time to activate encryption: " + auth_time_total.Hours + "h " + auth_time_total.Minutes + "m " + auth_time_total.Seconds + "s. Total Seconds: " + auth_time_total.TotalSeconds + "."); } catch (AuthenticationException) { // authentication failed and in addition it left our // ssl stream in an unusable state so cleanup needs // to be done and the exception can be re-thrown for // handling down the chain. (Add logging?) Close(); FtpTrace.WriteStatus(FtpTraceLevel.Error, "FTPS Authentication Failed"); throw; } }
public virtual IAsyncResult BeginAuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("This SslStream is already authenticated"); } SslClientStream s = new SslClientStream(InnerStream, targetHost, !LeaveInnerStreamOpen, GetMonoSslProtocol(enabledSslProtocols), clientCertificates); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string host) { string hash = cert.GetCertHashString(); // ... so, we cannot use the delegate argument. foreach (X509Certificate cc in clientCertificates) { if (cc.GetCertHashString() != hash) { continue; } X509Certificate2 cert2 = cc as X509Certificate2; cert2 = cert2 ?? new X509Certificate2(cc); return(cert2.PrivateKey); } return(null); }; #if MONOTOUCH || MONODROID // Even if validation_callback is null this allows us to verify requests where the user // does not provide a verification callback but attempts to authenticate with the website // as a client (see https://bugzilla.xamarin.com/show_bug.cgi?id=18962 for an example) var helper = new ServicePointManager.ChainValidationHelper(this, targetHost); helper.ServerCertificateValidationCallback = validation_callback; s.ServerCertValidation2 += new CertificateValidationCallback2(helper.ValidateChain); #else if (validation_callback != null) { s.ServerCertValidationDelegate = delegate(X509Certificate cert, int [] certErrors) { X509Chain chain = new X509Chain(); X509Certificate2 x2 = (cert as X509Certificate2); if (x2 == null) { x2 = new X509Certificate2(cert); } if (!ServicePointManager.CheckCertificateRevocationList) { chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; } // SSL specific checks (done by Mono.Security.dll SSL/TLS implementation) SslPolicyErrors errors = SslPolicyErrors.None; foreach (int i in certErrors) { switch (i) { case -2146762490: // CERT_E_PURPOSE errors |= SslPolicyErrors.RemoteCertificateNotAvailable; break; case -2146762481: // CERT_E_CN_NO_MATCH errors |= SslPolicyErrors.RemoteCertificateNameMismatch; break; default: errors |= SslPolicyErrors.RemoteCertificateChainErrors; break; } } chain.Build(x2); // non-SSL specific X509 checks (i.e. RFC3280 related checks) foreach (X509ChainStatus status in chain.ChainStatus) { if (status.Status == X509ChainStatusFlags.NoError) { continue; } if ((status.Status & X509ChainStatusFlags.PartialChain) != 0) { errors |= SslPolicyErrors.RemoteCertificateNotAvailable; } else { errors |= SslPolicyErrors.RemoteCertificateChainErrors; } } return(validation_callback(this, cert, chain, errors)); }; } #endif if (selection_callback != null) { s.ClientCertSelectionDelegate = OnCertificateSelection; } ssl_stream = s; return(BeginWrite(new byte [0], 0, 0, asyncCallback, asyncState)); }
public virtual void AuthenticateAsServer(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation) { EndAuthenticateAsServer(BeginAuthenticateAsServer( serverCertificate, clientCertificateRequired, enabledSslProtocols, checkCertificateRevocation, null, null)); }
// This essentially wraps SSL_CTX* aka SSL_CTX_new + setting internal static SafeSslContextHandle AllocateSslContext(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions, SslProtocols protocols, bool enableResume) { SafeX509Handle? certHandle = credential.CertHandle; SafeEvpPKeyHandle?certKeyHandle = credential.CertKeyHandle; // Always use SSLv23_method, regardless of protocols. It supports negotiating to the highest // mutually supported version and can thus handle any of the set protocols, and we then use // SetProtocolOptions to ensure we only allow the ones requested. SafeSslContextHandle sslCtx = Ssl.SslCtxCreate(Ssl.SslMethods.SSLv23_method); try { if (sslCtx.IsInvalid) { throw CreateSslException(SR.net_allocate_ssl_context_failed); } Ssl.SslCtxSetProtocolOptions(sslCtx, protocols); if (sslAuthenticationOptions.EncryptionPolicy != EncryptionPolicy.RequireEncryption) { // Sets policy and security level if (!Ssl.SetEncryptionPolicy(sslCtx, sslAuthenticationOptions.EncryptionPolicy)) { throw new SslException(SR.Format(SR.net_ssl_encryptionpolicy_notsupported, sslAuthenticationOptions.EncryptionPolicy)); } } byte[]? cipherList = CipherSuitesPolicyPal.GetOpenSslCipherList(sslAuthenticationOptions.CipherSuitesPolicy, protocols, sslAuthenticationOptions.EncryptionPolicy); Debug.Assert(cipherList == null || (cipherList.Length >= 1 && cipherList[cipherList.Length - 1] == 0)); byte[]? cipherSuites = CipherSuitesPolicyPal.GetOpenSslCipherSuites(sslAuthenticationOptions.CipherSuitesPolicy, protocols, sslAuthenticationOptions.EncryptionPolicy); Debug.Assert(cipherSuites == null || (cipherSuites.Length >= 1 && cipherSuites[cipherSuites.Length - 1] == 0)); unsafe { fixed(byte *cipherListStr = cipherList) fixed(byte *cipherSuitesStr = cipherSuites) { if (!Ssl.SslCtxSetCiphers(sslCtx, cipherListStr, cipherSuitesStr)) { Crypto.ErrClearError(); throw new PlatformNotSupportedException(SR.Format(SR.net_ssl_encryptionpolicy_notsupported, sslAuthenticationOptions.EncryptionPolicy)); } } } // The logic in SafeSslHandle.Disconnect is simple because we are doing a quiet // shutdown (we aren't negotiating for session close to enable later session // restoration). // // If you find yourself wanting to remove this line to enable bidirectional // close-notify, you'll probably need to rewrite SafeSslHandle.Disconnect(). // https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html Ssl.SslCtxSetQuietShutdown(sslCtx); Ssl.SslCtxSetCaching(sslCtx, enableResume ? 1 : 0); if (sslAuthenticationOptions.IsServer && sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0) { unsafe { Interop.Ssl.SslCtxSetAlpnSelectCb(sslCtx, &AlpnServerSelectCallback, IntPtr.Zero); } } bool hasCertificateAndKey = certHandle != null && !certHandle.IsInvalid && certKeyHandle != null && !certKeyHandle.IsInvalid; if (hasCertificateAndKey) { SetSslCertificate(sslCtx, certHandle !, certKeyHandle !); } if (sslAuthenticationOptions.CertificateContext != null && sslAuthenticationOptions.CertificateContext.IntermediateCertificates.Length > 0) { if (!Ssl.AddExtraChainCertificates(sslCtx, sslAuthenticationOptions.CertificateContext.IntermediateCertificates)) { throw CreateSslException(SR.net_ssl_use_cert_failed); } } } catch { sslCtx.Dispose(); throw; } return(sslCtx); }
public DependencyManager(IConfigurationRoot configuration, X509Certificate2 serverCertificate, IList <X509Certificate2> trustBundle, SslProtocols sslProtocols) { this.configuration = Preconditions.CheckNotNull(configuration, nameof(configuration)); this.serverCertificate = Preconditions.CheckNotNull(serverCertificate, nameof(serverCertificate)); this.trustBundle = Preconditions.CheckNotNull(trustBundle, nameof(trustBundle)); this.sslProtocols = sslProtocols; string edgeHubConnectionString = this.configuration.GetValue <string>(Constants.ConfigKey.IotHubConnectionString); if (!string.IsNullOrWhiteSpace(edgeHubConnectionString)) { IotHubConnectionStringBuilder iotHubConnectionStringBuilder = IotHubConnectionStringBuilder.Create(edgeHubConnectionString); this.iotHubHostname = iotHubConnectionStringBuilder.HostName; this.edgeDeviceId = iotHubConnectionStringBuilder.DeviceId; this.edgeModuleId = iotHubConnectionStringBuilder.ModuleId; this.edgeDeviceHostName = this.configuration.GetValue(Constants.ConfigKey.EdgeDeviceHostName, string.Empty); this.connectionString = Option.Some(edgeHubConnectionString); } else { this.iotHubHostname = this.configuration.GetValue <string>(Constants.ConfigKey.IotHubHostname); this.edgeDeviceId = this.configuration.GetValue <string>(Constants.ConfigKey.DeviceId); this.edgeModuleId = this.configuration.GetValue <string>(Constants.ConfigKey.ModuleId); this.edgeDeviceHostName = this.configuration.GetValue <string>(Constants.ConfigKey.EdgeDeviceHostName); this.connectionString = Option.None <string>(); } this.versionInfo = VersionInfo.Get(Constants.VersionInfoFileName); }
/// <summary> /// Initializes a new instance of the <see cref="ServerSslAuthConfiguration"/> class. /// </summary> public ServerSslAuthConfiguration(X509Certificate2 serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols) : this(serverCertificate, clientCertificateRequired, enabledSslProtocols, false) { }
/// <summary> /// Configure the ssl protocols versions to be used. /// By default, the OS selected secure options will be used. Equivalent to <see cref="SslProtocols.None"/>. /// </summary> public LdapConnectionOptions ConfigureSslProtocols(SslProtocols sslProtocols) { SslProtocols = sslProtocols; return(this); }
/// <summary> /// Initialize a new instance/ /// </summary> /// <param name="url">Configured url.</param> /// <param name="options">Configured options. cannot be null.</param> public AlternativeFtpBackend(string url, Dictionary <string, string> options) { _accepAllCertificates = CoreUtility.ParseBoolOption(options, OPTION_ACCEPT_ANY_CERTIFICATE); string certHash; options.TryGetValue(OPTION_ACCEPT_SPECIFIED_CERTIFICATE, out certHash); _validHashes = certHash == null ? null : certHash.Split(new[] { ",", ";" }, StringSplitOptions.RemoveEmptyEntries); var u = new Utility.Uri(url); u.RequireHost(); if (!string.IsNullOrEmpty(u.Username)) { _userInfo = new System.Net.NetworkCredential(); _userInfo.UserName = u.Username; if (!string.IsNullOrEmpty(u.Password)) { _userInfo.Password = u.Password; } else if (options.ContainsKey("auth-password")) { _userInfo.Password = options["auth-password"]; } } else { if (options.ContainsKey("auth-username")) { _userInfo = new System.Net.NetworkCredential(); _userInfo.UserName = options["auth-username"]; if (options.ContainsKey("auth-password")) { _userInfo.Password = options["auth-password"]; } } } //Bugfix, see http://connect.microsoft.com/VisualStudio/feedback/details/695227/networkcredential-default-constructor-leaves-domain-null-leading-to-null-object-reference-exceptions-in-framework-code if (_userInfo != null) { _userInfo.Domain = ""; } _url = u.SetScheme("ftp").SetQuery(null).SetCredentials(null, null).ToString(); if (!_url.EndsWith("/")) { _url += "/"; } _listVerify = !CoreUtility.ParseBoolOption(options, "disable-upload-verify"); // Process the aftp-data-connection-type option string dataConnectionTypeString; if (!options.TryGetValue(CONFIG_KEY_AFTP_DATA_CONNECTION_TYPE, out dataConnectionTypeString) || string.IsNullOrWhiteSpace(dataConnectionTypeString)) { dataConnectionTypeString = null; } if (dataConnectionTypeString == null || !Enum.TryParse(dataConnectionTypeString, true, out _dataConnectionType)) { _dataConnectionType = DEFAULT_DATA_CONNECTION_TYPE; } // Process the aftp-encryption-mode option string encryptionModeString; if (!options.TryGetValue(CONFIG_KEY_AFTP_ENCRYPTION_MODE, out encryptionModeString) || string.IsNullOrWhiteSpace(encryptionModeString)) { encryptionModeString = null; } if (encryptionModeString == null || !Enum.TryParse(encryptionModeString, true, out _encryptionMode)) { _encryptionMode = DEFAULT_ENCRYPTION_MODE; } // Process the aftp-ssl-protocols option string sslProtocolsString; if (!options.TryGetValue(CONFIG_KEY_AFTP_SSL_PROTOCOLS, out sslProtocolsString) || string.IsNullOrWhiteSpace(sslProtocolsString)) { sslProtocolsString = null; } if (sslProtocolsString == null || !Enum.TryParse(sslProtocolsString, true, out _sslProtocols)) { _sslProtocols = DEFAULT_SSL_PROTOCOLS; } }
private Task ClientAsyncSslHelper(SslProtocols clientSslProtocols, SslProtocols serverSslProtocols) { return(ClientAsyncSslHelper(EncryptionPolicy.RequireEncryption, clientSslProtocols, serverSslProtocols)); }
public FtpSocketStream(SslProtocols defaultSslProtocols) { m_SslProtocols = defaultSslProtocols; }
public void NegotiatedCipherSuite_SslProtocolIsLowerThanTls13_ShouldMatchTheProtocol(SslProtocols protocol) { var p = new ConnectionParams() { SslProtocols = protocol }; NegotiatedParams ret = ConnectAndGetNegotiatedParams(p, p); if (ret.HasSucceeded) { Assert.True( s_protocolCipherSuiteLookup[protocol].Contains(ret.CipherSuite), $"`{ret.CipherSuite}` is not recognized as {protocol} cipher suite"); } else { // currently TLS 1.2 should be enabled by all known implementations Assert.NotEqual(SslProtocols.Tls12, protocol); } }
public virtual Task AuthenticateAsServerAsync(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation) { var t = Tuple.Create(serverCertificate, clientCertificateRequired, enabledSslProtocols, checkCertificateRevocation, this); return(Task.Factory.FromAsync((callback, state) => { var d = (Tuple <X509Certificate, bool, SslProtocols, bool, SslStream>)state; return d.Item5.BeginAuthenticateAsServer(d.Item1, d.Item2, d.Item3, d.Item4, callback, null); }, EndAuthenticateAsServer, t)); }
/// <summary> /// Initializes a new instance of the <see cref="SslConfiguration"/> class with /// the specified <paramref name="enabledSslProtocols"/> and /// <paramref name="checkCertificateRevocation"/>. /// </summary> /// <param name="enabledSslProtocols"> /// The <see cref="SslProtocols"/> enum value that represents the protocols used for /// authentication. /// </param> /// <param name="checkCertificateRevocation"> /// <c>true</c> if the certificate revocation list is checked during authentication; /// otherwise, <c>false</c>. /// </param> protected SslConfiguration(SslProtocols enabledSslProtocols, bool checkCertificateRevocation) { _enabledProtocols = enabledSslProtocols; _checkCertRevocation = checkCertificateRevocation; }
public virtual Task AuthenticateAsClientAsync(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation) { var t = Tuple.Create(targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation, this); return(Task.Factory.FromAsync((callback, state) => { var d = (Tuple <string, X509CertificateCollection, SslProtocols, bool, SslStream>)state; return d.Item5.BeginAuthenticateAsClient(d.Item1, d.Item2, d.Item3, d.Item4, callback, null); }, EndAuthenticateAsClient, t)); }
/// <summary> /// Initializes a new instance of the <see cref="TDSSQLTestClient"/> class. /// </summary> /// <param name="server">Server to connect to</param> /// <param name="port">Port to connect to</param> /// <param name="userID">Used ID</param> /// <param name="password">User password</param> /// <param name="database">Database to connect to</param> /// <param name="encryptionProtocol">Encryption Protocol</param> public TDSSQLTestClient(string server, int port, string userID, string password, string database, Boolean TrustServerCertficate, string EncryptionOption, SslProtocols encryptionProtocol = SslProtocols.Tls12) { if (string.IsNullOrEmpty(server) || string.IsNullOrEmpty(userID) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(database)) { throw new ArgumentNullException(); } LoggingUtilities.WriteLog($"Nije sa githuba"); this.Client = null; this.Version = new TDSClientVersion(1, 0, 0, 0); this.Server = server; this.ServerName = server; this.Port = port; this.UserID = userID; this.Password = password; this.Database = database; this.EncryptionProtocol = encryptionProtocol; this.TrustServerCertificate = TrustServerCertficate; LoggingUtilities.WriteLog(EncryptionOption); switch (EncryptionOption) { case "EncryptOn": { this.EncryptionOption = TDSEncryptionOption.EncryptOn; break; } case "EncryptOff": { this.EncryptionOption = TDSEncryptionOption.EncryptOff; break; } case "EncryptReq": { this.EncryptionOption = TDSEncryptionOption.EncryptReq; break; } case "EncryptNotSup": { this.EncryptionOption = TDSEncryptionOption.EncryptNotSup; break; } case "EncryptClientCertOn": { this.EncryptionOption = TDSEncryptionOption.EncryptClientCertOn; break; } case "EncryptClientCertOff": { this.EncryptionOption = TDSEncryptionOption.EncryptClientCertOff; break; } case "EncryptClientCertReq": { this.EncryptionOption = TDSEncryptionOption.EncryptClientCertReq; break; } default: { throw new InvalidOperationException(); } } LoggingUtilities.WriteLog($" Instantiating TDSSQLTestClient with the following parameters:"); LoggingUtilities.WriteLog($" Server: {server}."); LoggingUtilities.WriteLog($" Port: {port}."); LoggingUtilities.WriteLog($" UserID: {userID}."); LoggingUtilities.WriteLog($" Database: {database}."); LoggingUtilities.WriteLog($" TrustServerCertificate: {TrustServerCertificate}."); LoggingUtilities.WriteLog($" EncryptionOption: {EncryptionOption}."); }
public virtual void AuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation) { EndAuthenticateAsClient(BeginAuthenticateAsClient( targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation, null, null)); }
public static SafeFreeCredentials AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, bool isServer) { int protocolFlags = GetProtocolFlagsFromSslProtocols(protocols, isServer); Interop.SspiCli.SecureCredential.Flags flags; Interop.SspiCli.CredentialUse direction; if (!isServer) { direction = Interop.SspiCli.CredentialUse.Outbound; flags = Interop.SspiCli.SecureCredential.Flags.ValidateManual | Interop.SspiCli.SecureCredential.Flags.NoDefaultCred | Interop.SspiCli.SecureCredential.Flags.SendAuxRecord; // CoreFX: always opt-in SCH_USE_STRONG_CRYPTO except for SSL3. if (((protocolFlags & (Interop.SChannel.SP_PROT_TLS1_0 | Interop.SChannel.SP_PROT_TLS1_1 | Interop.SChannel.SP_PROT_TLS1_2)) != 0) && (policy != EncryptionPolicy.AllowNoEncryption) && (policy != EncryptionPolicy.NoEncryption)) { flags |= Interop.SspiCli.SecureCredential.Flags.UseStrongCrypto; } } else { direction = Interop.SspiCli.CredentialUse.Inbound; flags = Interop.SspiCli.SecureCredential.Flags.SendAuxRecord; } Interop.SspiCli.SecureCredential secureCredential = CreateSecureCredential( Interop.SspiCli.SecureCredential.CurrentVersion, certificate, flags, protocolFlags, policy); return(AcquireCredentialsHandle(direction, secureCredential)); }
public virtual IAsyncResult BeginAuthenticateAsServer(X509Certificate serverCertificate, bool clientCertificateRequired, SslProtocols enabledSslProtocols, bool checkCertificateRevocation, AsyncCallback asyncCallback, object asyncState) { if (IsAuthenticated) { throw new InvalidOperationException("This SslStream is already authenticated"); } SslServerStream s = new SslServerStream(InnerStream, serverCertificate, clientCertificateRequired, !LeaveInnerStreamOpen, GetMonoSslProtocol(enabledSslProtocols)); s.CheckCertRevocationStatus = checkCertificateRevocation; // Due to the Mono.Security internal, it cannot reuse // the delegated argument, as Mono.Security creates // another instance of X509Certificate which lacks // private key but is filled the private key via this // delegate. s.PrivateKeyCertSelectionDelegate = delegate(X509Certificate cert, string targetHost) { // ... so, we cannot use the delegate argument. X509Certificate2 cert2 = serverCertificate as X509Certificate2 ?? new X509Certificate2(serverCertificate); return(cert2 != null ? cert2.PrivateKey : null); }; if (validation_callback != null) { s.ClientCertValidationDelegate = delegate(X509Certificate cert, int [] certErrors) { X509Chain chain = null; if (cert is X509Certificate2) { chain = new X509Chain(); chain.Build((X509Certificate2)cert); } // FIXME: SslPolicyErrors is incomplete SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None; return(validation_callback(this, cert, chain, errors)); } } ; ssl_stream = s; return(BeginWrite(new byte[0], 0, 0, asyncCallback, asyncState)); } MonoSecurityProtocolType GetMonoSslProtocol(SslProtocols ms) { switch (ms) { case SslProtocols.Ssl2: return(MonoSecurityProtocolType.Ssl2); case SslProtocols.Ssl3: return(MonoSecurityProtocolType.Ssl3); case SslProtocols.Tls: return(MonoSecurityProtocolType.Tls); default: return(MonoSecurityProtocolType.Default); } }
internal static SafeSslHandle AllocateSslContext(SslProtocols protocols, SafeX509Handle?certHandle, SafeEvpPKeyHandle?certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions) { SafeSslHandle?context = null; // Always use SSLv23_method, regardless of protocols. It supports negotiating to the highest // mutually supported version and can thus handle any of the set protocols, and we then use // SetProtocolOptions to ensure we only allow the ones requested. using (SafeSslContextHandle innerContext = Ssl.SslCtxCreate(Ssl.SslMethods.SSLv23_method)) { if (innerContext.IsInvalid) { throw CreateSslException(SR.net_allocate_ssl_context_failed); } if (!Interop.Ssl.Tls13Supported) { if (protocols != SslProtocols.None && CipherSuitesPolicyPal.WantsTls13(protocols)) { protocols = protocols & (~SslProtocols.Tls13); } } else if (CipherSuitesPolicyPal.WantsTls13(protocols) && CipherSuitesPolicyPal.ShouldOptOutOfTls13(sslAuthenticationOptions.CipherSuitesPolicy, policy)) { if (protocols == SslProtocols.None) { // we are using default settings but cipher suites policy says that TLS 1.3 // is not compatible with our settings (i.e. we requested no encryption or disabled // all TLS 1.3 cipher suites) protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12; } else { // user explicitly asks for TLS 1.3 but their policy is not compatible with TLS 1.3 throw new SslException( SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy)); } } if (CipherSuitesPolicyPal.ShouldOptOutOfLowerThanTls13(sslAuthenticationOptions.CipherSuitesPolicy, policy)) { if (!CipherSuitesPolicyPal.WantsTls13(protocols)) { // We cannot provide neither TLS 1.3 or non TLS 1.3, user disabled all cipher suites throw new SslException( SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy)); } protocols = SslProtocols.Tls13; } // Configure allowed protocols. It's ok to use DangerousGetHandle here without AddRef/Release as we just // create the handle, it's rooted by the using, no one else has a reference to it, etc. Ssl.SetProtocolOptions(innerContext.DangerousGetHandle(), protocols); // Sets policy and security level if (!Ssl.SetEncryptionPolicy(innerContext, policy)) { throw new SslException( SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy)); } // The logic in SafeSslHandle.Disconnect is simple because we are doing a quiet // shutdown (we aren't negotiating for session close to enable later session // restoration). // // If you find yourself wanting to remove this line to enable bidirectional // close-notify, you'll probably need to rewrite SafeSslHandle.Disconnect(). // https://www.openssl.org/docs/manmaster/ssl/SSL_shutdown.html Ssl.SslCtxSetQuietShutdown(innerContext); byte[]? cipherList = CipherSuitesPolicyPal.GetOpenSslCipherList(sslAuthenticationOptions.CipherSuitesPolicy, protocols, policy); Debug.Assert(cipherList == null || (cipherList.Length >= 1 && cipherList[cipherList.Length - 1] == 0)); byte[]? cipherSuites = CipherSuitesPolicyPal.GetOpenSslCipherSuites(sslAuthenticationOptions.CipherSuitesPolicy, protocols, policy); Debug.Assert(cipherSuites == null || (cipherSuites.Length >= 1 && cipherSuites[cipherSuites.Length - 1] == 0)); unsafe { fixed(byte *cipherListStr = cipherList) fixed(byte *cipherSuitesStr = cipherSuites) { if (!Ssl.SetCiphers(innerContext, cipherListStr, cipherSuitesStr)) { Crypto.ErrClearError(); throw new PlatformNotSupportedException(SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy)); } } } bool hasCertificateAndKey = certHandle != null && !certHandle.IsInvalid && certKeyHandle != null && !certKeyHandle.IsInvalid; if (hasCertificateAndKey) { SetSslCertificate(innerContext, certHandle !, certKeyHandle !); } if (sslAuthenticationOptions.IsServer && sslAuthenticationOptions.RemoteCertRequired) { Ssl.SslCtxSetVerify(innerContext, s_verifyClientCertificate); } GCHandle alpnHandle = default; try { if (sslAuthenticationOptions.ApplicationProtocols != null) { if (sslAuthenticationOptions.IsServer) { alpnHandle = GCHandle.Alloc(sslAuthenticationOptions.ApplicationProtocols); Interop.Ssl.SslCtxSetAlpnSelectCb(innerContext, s_alpnServerCallback, GCHandle.ToIntPtr(alpnHandle)); } else { if (Interop.Ssl.SslCtxSetAlpnProtos(innerContext, sslAuthenticationOptions.ApplicationProtocols) != 0) { throw CreateSslException(SR.net_alpn_config_failed); } } } context = SafeSslHandle.Create(innerContext, sslAuthenticationOptions.IsServer); Debug.Assert(context != null, "Expected non-null return value from SafeSslHandle.Create"); if (context.IsInvalid) { context.Dispose(); throw CreateSslException(SR.net_allocate_ssl_context_failed); } if (!sslAuthenticationOptions.IsServer) { // The IdnMapping converts unicode input into the IDNA punycode sequence. string punyCode = s_idnMapping.GetAscii(sslAuthenticationOptions.TargetHost !); // Similar to windows behavior, set SNI on openssl by default for client context, ignore errors. if (!Ssl.SslSetTlsExtHostName(context, punyCode)) { Crypto.ErrClearError(); } } if (hasCertificateAndKey) { bool hasCertReference = false; try { certHandle !.DangerousAddRef(ref hasCertReference); using (X509Certificate2 cert = new X509Certificate2(certHandle.DangerousGetHandle())) { X509Chain?chain = null; try { chain = TLSCertificateExtensions.BuildNewChain(cert, includeClientApplicationPolicy: false); if (chain != null && !Ssl.AddExtraChainCertificates(context, chain)) { throw CreateSslException(SR.net_ssl_use_cert_failed); } } finally { if (chain != null) { int elementsCount = chain.ChainElements.Count; for (int i = 0; i < elementsCount; i++) { chain.ChainElements[i].Certificate !.Dispose(); } chain.Dispose(); } } } } finally { if (hasCertReference) { certHandle !.DangerousRelease(); } } } context.AlpnHandle = alpnHandle; } catch { if (alpnHandle.IsAllocated) { alpnHandle.Free(); } throw; } } return(context); }
private static byte[] CreateProtocolVersionAlert(SslProtocols version) => version switch {
public static SafeFreeCredentials AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, bool isServer) { return(new SafeFreeCredentials(certificate, protocols, policy)); }
public static partial void HttpsConnectionEstablished(this ILogger <HttpsConnectionMiddleware> logger, string connectionId, SslProtocols protocol);
// This essentially wraps SSL* SSL_new() internal static SafeSslHandle AllocateSslHandle(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions) { SafeSslHandle? sslHandle = null; SafeSslContextHandle?sslCtxHandle = null; SafeSslContextHandle?newCtxHandle = null; SslProtocols protocols = CalculateEffectiveProtocols(sslAuthenticationOptions); bool hasAlpn = sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0; bool cacheSslContext = !DisableTlsResume && sslAuthenticationOptions.EncryptionPolicy == EncryptionPolicy.RequireEncryption && sslAuthenticationOptions.IsServer && sslAuthenticationOptions.CertificateContext != null && sslAuthenticationOptions.CertificateContext.SslContexts != null && sslAuthenticationOptions.CipherSuitesPolicy == null; if (cacheSslContext) { sslAuthenticationOptions.CertificateContext !.SslContexts !.TryGetValue(protocols | (SslProtocols)(hasAlpn ? 1 : 0), out sslCtxHandle); } if (sslCtxHandle == null) { // We did not get SslContext from cache sslCtxHandle = newCtxHandle = AllocateSslContext(credential, sslAuthenticationOptions, protocols, cacheSslContext); if (cacheSslContext && sslAuthenticationOptions.CertificateContext !.SslContexts !.TryAdd(protocols | (SslProtocols)(hasAlpn ? 1 : 0), newCtxHandle)) { newCtxHandle = null; } } GCHandle alpnHandle = default; try { sslHandle = SafeSslHandle.Create(sslCtxHandle, sslAuthenticationOptions.IsServer); Debug.Assert(sslHandle != null, "Expected non-null return value from SafeSslHandle.Create"); if (sslHandle.IsInvalid) { sslHandle.Dispose(); throw CreateSslException(SR.net_allocate_ssl_context_failed); } if (sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0) { if (sslAuthenticationOptions.IsServer) { alpnHandle = GCHandle.Alloc(sslAuthenticationOptions.ApplicationProtocols); Interop.Ssl.SslSetData(sslHandle, GCHandle.ToIntPtr(alpnHandle)); sslHandle.AlpnHandle = alpnHandle; } else { if (Interop.Ssl.SslSetAlpnProtos(sslHandle, sslAuthenticationOptions.ApplicationProtocols) != 0) { throw CreateSslException(SR.net_alpn_config_failed); } } } if (!sslAuthenticationOptions.IsServer) { // The IdnMapping converts unicode input into the IDNA punycode sequence. string punyCode = string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) ? string.Empty : s_idnMapping.GetAscii(sslAuthenticationOptions.TargetHost !); // Similar to windows behavior, set SNI on openssl by default for client context, ignore errors. if (!Ssl.SslSetTlsExtHostName(sslHandle, punyCode)) { Crypto.ErrClearError(); } // relevant to TLS 1.3 only: if user supplied a client cert or cert callback, // advertise that we are willing to send the certificate post-handshake. if (sslAuthenticationOptions.ClientCertificates?.Count > 0 || sslAuthenticationOptions.CertSelectionDelegate != null) { Ssl.SslSetPostHandshakeAuth(sslHandle, 1); } // Set client cert callback, this will interrupt the handshake with SecurityStatusPalErrorCode.CredentialsNeeded // if server actually requests a certificate. Ssl.SslSetClientCertCallback(sslHandle, 1); } else // sslAuthenticationOptions.IsServer { if (sslAuthenticationOptions.RemoteCertRequired) { Ssl.SslSetVerifyPeer(sslHandle); } if (sslAuthenticationOptions.CertificateContext?.Trust?._sendTrustInHandshake == true) { SslCertificateTrust trust = sslAuthenticationOptions.CertificateContext !.Trust !; X509Certificate2Collection certList = (trust._trustList ?? trust._store !.Certificates); Debug.Assert(certList != null, "certList != null"); Span <IntPtr> handles = certList.Count <= 256 ? stackalloc IntPtr[256] : new IntPtr[certList.Count]; for (int i = 0; i < certList.Count; i++) { handles[i] = certList[i].Handle; } if (!Ssl.SslAddClientCAs(sslHandle, handles.Slice(0, certList.Count))) { // The method can fail only when the number of cert names exceeds the maximum capacity // supported by STACK_OF(X509_NAME) structure, which should not happen under normal // operation. Debug.Fail("Failed to add issuer to trusted CA list."); } } } } catch { if (alpnHandle.IsAllocated) { alpnHandle.Free(); } throw; } finally { newCtxHandle?.Dispose(); } return(sslHandle); }
public async Task ClientAsyncAuthenticate_AllServerVsIndividualClientSupportedProtocols_Success( SslProtocols clientProtocol) { await ClientAsyncSslHelper(clientProtocol, SslProtocolSupport.SupportedSslProtocols); }
public TcpTransportSecurity() { _clientCredentialType = DefaultClientCredentialType; _protectionLevel = DefaultProtectionLevel; _sslProtocols = TransportDefaults.SslProtocols; }
protected TlsSettings(SslProtocols enabledProtocols, bool checkCertificateRevocation) { this.EnabledProtocols = enabledProtocols; this.CheckCertificateRevocation = checkCertificateRevocation; }
private SslStreamSecurityUpgradeProvider(IDefaultCommunicationTimeouts timeouts, SecurityTokenProvider serverTokenProvider, bool requireClientCertificate, SecurityTokenAuthenticator clientCertificateAuthenticator, string scheme, IdentityVerifier identityVerifier, SslProtocols sslProtocols) : base(timeouts) { _serverTokenProvider = serverTokenProvider; _requireClientCertificate = requireClientCertificate; _clientCertificateAuthenticator = clientCertificateAuthenticator; _identityVerifier = identityVerifier; _scheme = scheme; _sslProtocols = sslProtocols; }
public static void AuthenticateAsClient(this SslStream ss, string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation) { ss.AuthenticateAsClientAsync(targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation).Wait(); }
public async Task ClientAsyncAuthenticate_EachSupportedProtocol_Success(SslProtocols protocol) { await ClientAsyncSslHelper(protocol, protocol); }