protected void InitializeClientContext(X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { // Initialize the context with the specified ssl version // Initialize the context sslContext = new SslContext(SslMethod.SSLv23_client_method); // Remove support for protocols not specified in the enabledSslProtocols if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2) { sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; } if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 && ((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)) { // no SSLv3 support sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; } if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls && (enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1; } // Set the Local certificate selection callback sslContext.SetClientCertCallback(this.internalCertificateSelectionCallback); // Set the enabled cipher list sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength)); // Set the callbacks for remote cert verification and local cert selection if (remoteCertificateSelectionCallback != null) { sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback); } // Set the CA list into the store if (caCertificates != null) { X509Store store = new X509Store(caCertificates); sslContext.SetCertificateStore(store); } // Set up the read/write bio's read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); ssl = new Ssl(sslContext); ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into Client mode ssl.SetConnectState(); }
private void InitializeServerContextUsingPsk(string pskCiphers) { // Initialize the context //sslContext = new SslContext(SslMethod.SSLv23_server_method); sslContext = new SslContext(SslMethod.TLSv1_server_method); //sslContext = new SslContext(SslMethod.SSLv3_server_method); // Remove support for protocols that should not be supported sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; // Set the context mode sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY; // Set the workaround options sslContext.Options = SslOptions.SSL_OP_ALL; sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); // Set the cipher string // WARNING: Using PSK ciphers requires that the PSK callback be set and initialize the identity and psk value. // Failure to do this will cause the PSK ciphers to be skipped when picking a shared cipher. // The result will be an error because of "no shared ciphers". // sslContext.SetCipherList("PSK-AES256-CBC-SHA:PSK-3DES-EDE-CBC-SHA:PSK-AES128-CBC-SHA:PSK-RC4-SHA"); sslContext.SetCipherList(pskCiphers); // Set the session id context sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName)); // Set the PSK callbacks sslContext.SetPskServerCallback(this.internalPskServerCallback); }
private void InitializeServerContext( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { if (serverCertificate == null) { throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null"); } if (!serverCertificate.HasPrivateKey) { throw new ArgumentException("Server certificate must have a private key", "serverCertificate"); } // Initialize the context sslContext = new SslContext(SslMethod.SSLv23_server_method); // Remove support for protocols not specified in the enabledSslProtocols if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2) { sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; } if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 && ((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)) { // no SSLv3 support sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; } if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls && (enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1; } /* // Initialize the context with the specified ssl version switch (enabledSslProtocols) { case SslProtocols.None: throw new ArgumentException("SslProtocol.None is not supported", "enabledSslProtocols"); break; case SslProtocols.Ssl2: sslContext = new SslContext(SslMethod.SSLv2_server_method); break; case SslProtocols.Ssl3: case SslProtocols.Default: sslContext = new SslContext(SslMethod.SSLv3_server_method); break; case SslProtocols.Tls: sslContext = new SslContext(SslMethod.TLSv1_server_method); break; } */ // Set the context mode sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY; // Set the workaround options sslContext.Options = SslOptions.SSL_OP_ALL; // Set the client certificate verification callback if we are requiring client certs if (clientCertificateRequired) { sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback); } else { sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); } // Set the client certificate max verification depth sslContext.SetVerifyDepth(10); // Set the certificate store and ca list if (caCerts != null) { // Don't take ownership of the X509Store IntPtr. When we // SetCertificateStore, the context takes ownership of the store pointer. X509Store cert_store = new X509Store(caCerts, false); sslContext.SetCertificateStore(cert_store); Core.Stack<X509Name> name_stack = new Core.Stack<X509Name>(); foreach (X509Certificate cert in caCerts) { X509Name subject = cert.Subject; name_stack.Add(subject); } // Assign the stack to the context sslContext.CAList = name_stack; } // Set the cipher string sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength)); // Set the certificate sslContext.UseCertificate(serverCertificate); // Set the private key sslContext.UsePrivateKey(serverCertificate.PrivateKey); // Set the session id context sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName)); }
public override void Close() { //base.Close(); if (ssl != null) { ssl.Dispose(); ssl = null; } if (sslContext != null) { sslContext.Dispose(); sslContext = null; } }
/// <summary> /// Calls SSL_new() /// </summary> /// <param name="ctx"></param> public Ssl(SslContext ctx) : base(Native.ExpectNonNull(Native.SSL_new(ctx.Handle)), true) { }
private void InitializeServerContext( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { if (serverCertificate == null) { throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null"); } if (!serverCertificate.HasPrivateKey) { throw new ArgumentException("Server certificate must have a private key", "serverCertificate"); } // Initialize the context sslContext = new SslContext(SslMethod.SSLv23_server_method); // Remove support for protocols not specified in the enabledSslProtocols if ((enabledSslProtocols & SslProtocols.Ssl2) != SslProtocols.Ssl2) { sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; } if ((enabledSslProtocols & SslProtocols.Ssl3) != SslProtocols.Ssl3 && ((enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default)) { // no SSLv3 support sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; } if ((enabledSslProtocols & SslProtocols.Tls) != SslProtocols.Tls && (enabledSslProtocols & SslProtocols.Default) != SslProtocols.Default) { sslContext.Options |= SslOptions.SSL_OP_NO_TLSv1; } /* * // Initialize the context with the specified ssl version * switch (enabledSslProtocols) * { * case SslProtocols.None: * throw new ArgumentException("SslProtocol.None is not supported", "enabledSslProtocols"); * break; * case SslProtocols.Ssl2: * sslContext = new SslContext(SslMethod.SSLv2_server_method); * break; * case SslProtocols.Ssl3: * case SslProtocols.Default: * sslContext = new SslContext(SslMethod.SSLv3_server_method); * break; * case SslProtocols.Tls: * sslContext = new SslContext(SslMethod.TLSv1_server_method); * break; * } */ // Set the context mode sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY; // Set the workaround options sslContext.Options = SslOptions.SSL_OP_ALL; // Set the client certificate verification callback if we are requiring client certs if (clientCertificateRequired) { sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, remoteCertificateSelectionCallback); } else { sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); } // Set the client certificate max verification depth sslContext.SetVerifyDepth(10); // Set the certificate store and ca list if (caCerts != null) { // Don't take ownership of the X509Store IntPtr. When we // SetCertificateStore, the context takes ownership of the store pointer. X509Store cert_store = new X509Store(caCerts, false); sslContext.SetCertificateStore(cert_store); Core.Stack <X509Name> name_stack = new Core.Stack <X509Name>(); foreach (X509Certificate cert in caCerts) { X509Name subject = cert.Subject; name_stack.Add(subject); } // Assign the stack to the context sslContext.CAList = name_stack; } // Set the cipher string sslContext.SetCipherList(GetCipherString(false, enabledSslProtocols, sslStrength)); // Set the certificate sslContext.UseCertificate(serverCertificate); // Set the private key sslContext.UsePrivateKey(serverCertificate.PrivateKey); // Set the session id context sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName)); }
protected void InitializeClientContextUsingPsk(string pskCiphers) { // Initialize the context with the specified ssl version //sslContext = new SslContext(SslMethod.SSLv23_client_method); sslContext = new SslContext(SslMethod.TLSv1_client_method); //sslContext = new SslContext(SslMethod.SSLv3_client_method); // Remove support for protocols that should not be supported sslContext.Options |= SslOptions.SSL_OP_NO_SSLv2; sslContext.Options |= SslOptions.SSL_OP_NO_SSLv3; // Set the enabled cipher list // WARNING: Using PSK ciphers requires that the PSK callback be set and initialize the identity and psk value. // Failure to do this will cause the PSK ciphers to be skipped when picking a shared cipher. // The result will be an error because of "no shared ciphers". // sslContext.SetCipherList("PSK-AES256-CBC-SHA:PSK-3DES-EDE-CBC-SHA:PSK-AES128-CBC-SHA:PSK-RC4-SHA"); sslContext.SetCipherList(pskCiphers); // Set the PSK callbacks sslContext.SetPskClientCallback(this.internalPskClientCallback); // Set up the read/write bio's read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); ssl = new Ssl(sslContext); ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); ssl.SetConnectState(); }