protected void InitializeClientContext(
X509List certificates,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
// Initialize the context with specified TLS version
sslContext = new SslContext(SslMethod.TLSv12_client_method, ConnectionEnd.Client, new[] {
Protocols.Http2,
Protocols.Http1
});
var options = sslContext.Options;
// Remove support for protocols not specified in the enabledSslProtocols
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2))
{
options |= SslOptions.SSL_OP_NO_SSLv2;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3))
{
options |= SslOptions.SSL_OP_NO_SSLv3;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls))
{
options |= SslOptions.SSL_OP_NO_TLSv1;
}
sslContext.Options = options;
// Set the Local certificate selection callback
sslContext.SetClientCertCallback(OnClientCertificate);
// Set the enabled cipher list
sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength));
// Set the callbacks for remote cert verification and local cert selection
if (OnRemoteCertificate != null)
{
sslContext.SetVerify(
VerifyMode.SSL_VERIFY_PEER |
VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
OnRemoteCertificate);
}
// Set the CA list into the store
if (caCertificates != null)
{
var store = new X509Store(caCertificates);
sslContext.SetCertificateStore(store);
}
// Set up the read/write bio's
read_bio = BIO.MemoryBuffer(false);
write_bio = BIO.MemoryBuffer(false);
ssl = new Ssl(sslContext);
sniCb = sniExt.ClientSniCb;
sniExt.AttachSniExtensionClient(ssl.Handle, sslContext.Handle, sniCb);
ssl.SetBIO(read_bio, write_bio);
read_bio.SetClose(BIO.CloseOption.Close);
write_bio.SetClose(BIO.CloseOption.Close);
// Set the Ssl object into Client mode
ssl.SetConnectState();
}
private void InitializeServerContext(
X509Certificate serverCertificate,
bool clientCertificateRequired,
X509Chain caCerts,
SslProtocols enabledSslProtocols,
SslStrength sslStrength,
bool checkCertificateRevocation)
{
if (serverCertificate == null)
{
throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null");
}
if (!serverCertificate.HasPrivateKey)
{
throw new ArgumentException("Server certificate must have a private key", "serverCertificate");
}
// Initialize the context with specified TLS version
sslContext = new SslContext(SslMethod.TLSv12_server_method, ConnectionEnd.Server, new[] {
Protocols.Http2,
Protocols.Http1
});
var options = sslContext.Options;
// Remove support for protocols not specified in the enabledSslProtocols
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2))
{
options |= SslOptions.SSL_OP_NO_SSLv2;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3))
{
options |= SslOptions.SSL_OP_NO_SSLv3;
}
if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls))
{
options |= SslOptions.SSL_OP_NO_TLSv1;
}
// Set the workaround options
sslContext.Options = options | SslOptions.SSL_OP_ALL;
// Set the context mode
sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY;
// Set the client certificate verification callback if we are requiring client certs
if (clientCertificateRequired)
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OnRemoteCertificate);
}
else
{
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null);
}
// Set the client certificate max verification depth
sslContext.SetVerifyDepth(10);
// Set the certificate store and ca list
if (caCerts != null)
{
// Don't take ownership of the X509Store IntPtr. When we
// SetCertificateStore, the context takes ownership of the store pointer.
sslContext.SetCertificateStore(new X509Store(caCerts, false));
var name_stack = new Core.Stack <X509Name>();
foreach (var cert in caCerts)
{
var subject = cert.Subject;
name_stack.Add(subject);
}
// Assign the stack to the context
sslContext.CAList = name_stack;
}
// Set the cipher string
sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength));
// Set the certificate
sslContext.UseCertificate(serverCertificate);
// Set the private key
sslContext.UsePrivateKey(serverCertificate.PrivateKey);
// Set the session id context
sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName));
}
