Wraps a SSL_CIPHER
Inheritance: OpenSSL.Core.BaseReference, IStackable
Ejemplo n.º 1
0
        protected void InitializeClientContext(
            X509List certificates,
            SslProtocols enabledSslProtocols,
            SslStrength sslStrength,
            bool checkCertificateRevocation)
        {
            // Initialize the context with specified TLS version
            sslContext = new SslContext(SslMethod.TLSv12_client_method, ConnectionEnd.Client, new[] {
                Protocols.Http2,
                Protocols.Http1
            });

            var options = sslContext.Options;

            // Remove support for protocols not specified in the enabledSslProtocols
            if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2))
            {
                options |= SslOptions.SSL_OP_NO_SSLv2;
            }

            if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3))
            {
                options |= SslOptions.SSL_OP_NO_SSLv3;
            }

            if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls))
            {
                options |= SslOptions.SSL_OP_NO_TLSv1;
            }

            sslContext.Options = options;

            // Set the Local certificate selection callback
            sslContext.SetClientCertCallback(OnClientCertificate);
            // Set the enabled cipher list
            sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength));
            // Set the callbacks for remote cert verification and local cert selection
            if (OnRemoteCertificate != null)
            {
                sslContext.SetVerify(
                    VerifyMode.SSL_VERIFY_PEER |
                    VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                    OnRemoteCertificate);
            }
            // Set the CA list into the store
            if (caCertificates != null)
            {
                var store = new X509Store(caCertificates);
                sslContext.SetCertificateStore(store);
            }
            // Set up the read/write bio's
            read_bio  = BIO.MemoryBuffer(false);
            write_bio = BIO.MemoryBuffer(false);
            ssl       = new Ssl(sslContext);

            sniCb = sniExt.ClientSniCb;
            sniExt.AttachSniExtensionClient(ssl.Handle, sslContext.Handle, sniCb);

            ssl.SetBIO(read_bio, write_bio);
            read_bio.SetClose(BIO.CloseOption.Close);
            write_bio.SetClose(BIO.CloseOption.Close);
            // Set the Ssl object into Client mode
            ssl.SetConnectState();
        }
Ejemplo n.º 2
0
        private void InitializeServerContext(
            X509Certificate serverCertificate,
            bool clientCertificateRequired,
            X509Chain caCerts,
            SslProtocols enabledSslProtocols,
            SslStrength sslStrength,
            bool checkCertificateRevocation)
        {
            if (serverCertificate == null)
            {
                throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null");
            }
            if (!serverCertificate.HasPrivateKey)
            {
                throw new ArgumentException("Server certificate must have a private key", "serverCertificate");
            }

            // Initialize the context with specified TLS version
            sslContext = new SslContext(SslMethod.TLSv12_server_method, ConnectionEnd.Server, new[] {
                Protocols.Http2,
                Protocols.Http1
            });

            var options = sslContext.Options;

            // Remove support for protocols not specified in the enabledSslProtocols
            if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2))
            {
                options |= SslOptions.SSL_OP_NO_SSLv2;
            }

            if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3))
            {
                options |= SslOptions.SSL_OP_NO_SSLv3;
            }

            if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls))
            {
                options |= SslOptions.SSL_OP_NO_TLSv1;
            }

            // Set the workaround options
            sslContext.Options = options | SslOptions.SSL_OP_ALL;

            // Set the context mode
            sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;

            // Set the client certificate verification callback if we are requiring client certs
            if (clientCertificateRequired)
            {
                sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OnRemoteCertificate);
            }
            else
            {
                sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
            }

            // Set the client certificate max verification depth
            sslContext.SetVerifyDepth(10);
            // Set the certificate store and ca list
            if (caCerts != null)
            {
                // Don't take ownership of the X509Store IntPtr.  When we
                // SetCertificateStore, the context takes ownership of the store pointer.
                sslContext.SetCertificateStore(new X509Store(caCerts, false));
                var name_stack = new Core.Stack <X509Name>();
                foreach (var cert in caCerts)
                {
                    var subject = cert.Subject;
                    name_stack.Add(subject);
                }
                // Assign the stack to the context
                sslContext.CAList = name_stack;
            }
            // Set the cipher string
            sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength));
            // Set the certificate
            sslContext.UseCertificate(serverCertificate);
            // Set the private key
            sslContext.UsePrivateKey(serverCertificate.PrivateKey);
            // Set the session id context
            sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName));
        }