internal static MSI.MonoLocalCertificateSelectionCallback PublicToMono (LocalCertificateSelectionCallback callback)
{
if (callback == null)
return null;
return (t, lc, rc, ai) => callback (null, t, (XX509CertificateCollection)(object)lc, rc, ai);
}
static void Main(string[] args)
{
try
{
//Client certificate
string clientCertificateFile = "c:/certificates/RootCA.cer";
// x509 certificate
X509Certificate clientCertificate = new X509Certificate(clientCertificateFile, "secret1");
// define TLS (transport layer security) protocol
SslProtocols enabledSSLProtocols = SslProtocols.Tls; //Superseeds the former SslProtocols.Ssl3
//Alternative for validation of client
// or collection of X509 certificates
X509CertificateCollection certificateCollection = new X509CertificateCollection {
clientCertificate
};
// Server certificate name "FakeServerName" mentioned inside the ServerSSL certificate
// ServerSSL cer issue to "FakeServerName"
string serverName = "FakeServerName";
TcpClient clientSocket = new TcpClient("localhost", 6789);
Stream unsecuredStream = clientSocket.GetStream();
//No revocation
//SslStream sslStream = new SslStream(unsecureStream, leaveInnerStreamOpen, new RemoteCertificateValidationCallback(ValidateServerCertificate), null);
//Setup for handling the validation of server
// Verify the remote secure socket layer (SSL) certificate used for authentication
var userCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
// select the local secure socket layer (SSL) certificate used for authentication
var localCertificateCallback = new LocalCertificateSelectionCallback(CertificateSelectionCallback);
SslStream sslStream = new SslStream(unsecuredStream, false, userCertificateValidationCallback, localCertificateCallback);
sslStream.AuthenticateAsClient(serverName, certificateCollection, enabledSSLProtocols, false);
// sslStream.AuthenticateAsClient(serverName, certificateCollection, enabledSSLProtocols, true); // client and server runs on different machine
StreamReader sr = new StreamReader(sslStream);
StreamWriter sw = new StreamWriter(sslStream)
{
AutoFlush = true
};
// enable automatic flushing
Console.WriteLine("Client authenticated");
for (int i = 0; i < 5; i++)
{
Console.WriteLine("Enter your message here:");
string message = Console.ReadLine();
sw.WriteLine(message);
string serverAnswer = sr.ReadLine();
Console.WriteLine("Server: " + serverAnswer);
}
sslStream.Close();
clientSocket.Close();
}
catch (Exception e)
{
Console.WriteLine(e);
Console.WriteLine("Press Enter to finish the Client ");
Console.ReadKey();
}
}
/// <summary>
/// Initializes a new instance of the <see cref="TTLSServerSocket" /> class.
/// </summary>
/// <param name="port">The port where the server runs.</param>
/// <param name="clientTimeout">Send/receive timeout.</param>
/// <param name="useBufferedSockets">If set to <c>true</c> [use buffered sockets].</param>
/// <param name="certificate">The certificate object.</param>
/// <param name="clientCertValidator">The certificate validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSServerSocket(
int port,
int clientTimeout,
bool useBufferedSockets,
X509Certificate2 certificate,
RemoteCertificateValidationCallback clientCertValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
// TODO: Enable Tls11 and Tls12 (TLS 1.1 and 1.2) by default once we start using .NET 4.5+.
SslProtocols sslProtocols = SslProtocols.Tls)
{
if (!certificate.HasPrivateKey)
{
throw new TTransportException(TTransportException.ExceptionType.Unknown, "Your server-certificate needs to have a private key");
}
this.port = port;
this.clientTimeout = clientTimeout;
this.serverCertificate = certificate;
this.useBufferedSockets = useBufferedSockets;
this.clientCertValidator = clientCertValidator;
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
this.sslProtocols = sslProtocols;
try
{
// Create server socket
this.server = TSocketVersionizer.CreateTcpListener(this.port);
this.server.Server.NoDelay = true;
}
catch (Exception ex)
{
server = null;
throw new TTransportException("Could not create ServerSocket on port " + this.port + ".", ex);
}
}
public void SslStream_StreamToStream_DuplicateOptions_Throws()
{
RemoteCertificateValidationCallback rCallback = (sender, certificate, chain, errors) => { return(true); };
LocalCertificateSelectionCallback lCallback = (sender, host, localCertificates, remoteCertificate, issuers) => { return(null); };
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, false))
using (var serverStream = new VirtualNetworkStream(network, true))
using (var client = new SslStream(clientStream, false, rCallback, lCallback, EncryptionPolicy.RequireEncryption))
using (var server = new SslStream(serverStream, false, rCallback))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions();
clientOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
clientOptions.TargetHost = certificate.GetNameInfo(X509NameType.SimpleName, false);
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificate = certificate;
serverOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
Task t1 = Assert.ThrowsAsync <InvalidOperationException>(() => client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None));
Task t2 = Assert.ThrowsAsync <InvalidOperationException>(() => server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None));
Assert.True(Task.WaitAll(new[] { t1, t2 }, TestConfiguration.PassingTestTimeoutMilliseconds));
}
}
/// <summary>
/// Initializes a new instance of the <see cref="TTLSSocket"/> class.
/// </summary>
/// <param name="client">An already created TCP-client</param>
/// <param name="certificate">The certificate.</param>
/// <param name="isServer">if set to <c>true</c> [is server].</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSSocket(
TcpClient client,
X509Certificate certificate,
bool isServer = false,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
// TODO: Enable Tls11 and Tls12 (TLS 1.1 and 1.2) by default once we start using .NET 4.5+.
SslProtocols sslProtocols = SslProtocols.Tls)
{
this.client = client;
this.certificate = certificate;
this.certValidator = certValidator;
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
this.sslProtocols = sslProtocols;
this.isServer = isServer;
if (isServer && certificate == null)
{
throw new ArgumentException("TTLSSocket needs certificate to be used for server", "certificate");
}
if (IsOpen)
{
base.inputStream = client.GetStream();
base.outputStream = client.GetStream();
}
}
/// <summary>
/// Enables the extension, directing the callback to the appropriate cert selection UI
/// </summary>
private void Enable()
{
isExtensionEnabled = true;
if (!isPreviousProviderSet)
{
previousClientCertificateProvider = Fiddler.FiddlerApplication.ClientCertificateProvider;
isPreviousProviderSet = true;
}
Fiddler.FiddlerApplication.ClientCertificateProvider = this.LocalCertificateSelectionCallback;
if (enableMenuItem != null)
{
enableMenuItem.Checked = true;
}
foreach (var menuItem in secondaryMenuItems)
{
if (menuItem != null)
{
menuItem.Enabled = true;
}
}
if (defaultClientCertificate == null && clearDefaultClientCertMenuItem != null)
{
clearDefaultClientCertMenuItem.Enabled = false;
}
}
public TTlsSocketTransport(string host, int port, TConfiguration config, int timeout,
X509Certificate2 certificate,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls12)
: base(config)
{
try
{
_targetHost = host;
var entry = Dns.GetHostEntry(host);
if (entry.AddressList.Length == 0)
{
throw new TTransportException(TTransportException.ExceptionType.Unknown, "unable to resolve host name");
}
_host = entry.AddressList[0];
_port = port;
_timeout = timeout;
_certificate = certificate;
_certValidator = certValidator;
_localCertificateSelectionCallback = localCertificateSelectionCallback;
_sslProtocols = sslProtocols;
InitSocket();
}
catch (SocketException e)
{
throw new TTransportException(TTransportException.ExceptionType.Unknown, e.Message, e);
}
}
internal static SslStream ManageServerRequest(TcpClient client, String connectToIP)
{
SslStream sslStream = null;
try
{
bool leaveInnerStreamOpen = true;
RemoteCertificateValidationCallback validationCallback =
new RemoteCertificateValidationCallback(ServerValidationCallback);
LocalCertificateSelectionCallback selectionCallback =
new LocalCertificateSelectionCallback(ClientCertificateSelectionCallback);
EncryptionPolicy encryptionPolicy = EncryptionPolicy.NoEncryption;
sslStream = new SslStream(client.GetStream(), leaveInnerStreamOpen, validationCallback, selectionCallback, encryptionPolicy);
Console.WriteLine("Client starting handshake");
ClientSideHandshake(sslStream, connectToIP);
Console.WriteLine("client finished handshake");
}
catch(AuthenticationException ex)
{
Console.WriteLine("\nAuthentication Exception: " + ex.Message);
}
catch(Exception ex)
{
Console.WriteLine("\nError detected: " + ex.Message);
}
return sslStream;
}
public RedisPoolSettings(RedisEndPoint[] endPoints = null,
string masterName = null,
string password = null,
string clientName = null,
int connectionTimeout = RedisConstants.DefaultConnectionTimeout,
int receiveTimeout = RedisConstants.DefaultReceiveTimeout,
int sendTimeout = RedisConstants.DefaultSendTimeout,
int maxConnectionCount = RedisConstants.DefaultMaxConnectionCount,
int connectionWaitTimeout = RedisConstants.DefaultWaitTimeout,
int connectionIdleTimeout = RedisConstants.DefaultIdleTimeout,
int readBufferSize = 0,
int writeBufferSize = 0,
bool heartBeatEnabled = true,
int hearBeatIntervalInSecs = RedisConstants.DefaultHeartBeatIntervalSecs,
bool useAsyncCompleter = true,
bool useSlaveAsMasterIfNoMasterFound = false,
bool useSsl = false,
LocalCertificateSelectionCallback sslCertificateSelection = null,
RemoteCertificateValidationCallback sslCertificateValidation = null)
: base(endPoints, masterName, password, clientName, connectionTimeout, receiveTimeout, sendTimeout,
connectionWaitTimeout, readBufferSize, writeBufferSize, heartBeatEnabled, hearBeatIntervalInSecs,
useSsl, sslCertificateSelection, sslCertificateValidation)
{
UseAsyncCompleter = useAsyncCompleter;
UseSlaveAsMasterIfNoMasterFound = useSlaveAsMasterIfNoMasterFound;
ConnectionIdleTimeout = connectionIdleTimeout <= 0 ? 0 : Math.Max(RedisConstants.MinIdleTimeout, Math.Min(RedisConstants.MaxIdleTimeout, connectionIdleTimeout));
MaxConnectionCount = Math.Max(Math.Min(maxConnectionCount, RedisConstants.MaxConnectionCount), RedisConstants.MinConnectionCount);
}
public TTlsSocketTransport(string host, int port, TConfiguration config, int timeout,
X509Certificate2 certificate,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls12)
: base(config)
{
try
{
var entry = Dns.GetHostEntryAsync(host).ConfigureAwait(false).GetAwaiter().GetResult();
if (entry.AddressList.Length == 0)
{
throw new TTransportException(TTransportException.ExceptionType.Unknown, "unable to resolve host name");
}
var addr = entry.AddressList[0];
_host = new IPAddress(addr.GetAddressBytes(), addr.ScopeId);
_port = port;
_timeout = timeout;
_certificate = certificate;
_certValidator = certValidator;
_localCertificateSelectionCallback = localCertificateSelectionCallback;
_sslProtocols = sslProtocols;
InitSocket();
}
catch (SocketException e)
{
throw new TTransportException(TTransportException.ExceptionType.Unknown, e.Message, e);
}
}
public RedisPoolSettings(string host = RedisConstants.LocalHost,
int port = RedisConstants.DefaultPort,
string masterName = null,
string password = null,
string clientName = null,
int connectionTimeout = RedisConstants.DefaultConnectionTimeout,
int receiveTimeout = RedisConstants.DefaultReceiveTimeout,
int sendTimeout = RedisConstants.DefaultSendTimeout,
int maxConnectionCount = RedisConstants.DefaultMaxConnectionCount,
int connectionWaitTimeout = RedisConstants.DefaultWaitTimeout,
int connectionIdleTimeout = RedisConstants.DefaultIdleTimeout,
int readBufferSize = 0,
int writeBufferSize = 0,
bool heartBeatEnabled = true,
int hearBeatIntervalInSecs = RedisConstants.DefaultHeartBeatIntervalSecs,
bool useAsyncCompleter = true,
bool useSlaveAsMasterIfNoMasterFound = false,
bool useSsl = false,
LocalCertificateSelectionCallback sslCertificateSelection = null,
RemoteCertificateValidationCallback sslCertificateValidation = null)
: this(new[] { new RedisEndPoint(host, port) }, masterName, password, clientName, connectionTimeout, receiveTimeout,
sendTimeout, maxConnectionCount, connectionWaitTimeout, connectionIdleTimeout, readBufferSize, writeBufferSize,
heartBeatEnabled, hearBeatIntervalInSecs, useAsyncCompleter, useSlaveAsMasterIfNoMasterFound, useSsl,
sslCertificateSelection, sslCertificateValidation)
{
}
internal static SslStream ManageClientRequest(TcpClient client)
{
SslStream sslStream = null;
try
{
bool leaveInnerStreamOpen = true;
RemoteCertificateValidationCallback validationCallback =
new RemoteCertificateValidationCallback(ClientValidationCallback);
LocalCertificateSelectionCallback selectionCallback =
new LocalCertificateSelectionCallback(ServerCertificateSelectionCallback);
EncryptionPolicy encryptionPolicy = EncryptionPolicy.AllowNoEncryption;
sslStream = new SslStream(client.GetStream(), leaveInnerStreamOpen, validationCallback, selectionCallback, encryptionPolicy);
Console.WriteLine("Server starting handshake");
ServerSideHandshake(sslStream);
Console.WriteLine("Server finished handshake");
}
catch(Exception ex)
{
sslStream = null;
Console.WriteLine("\nError detected in sslStream: " + ex.Message);
}
return sslStream;
}
private static void ManageRequest(TcpClient client)
{
try {
bool leaveInnerStreamOpen = true;
RemoteCertificateValidationCallback validationCallback =
ClientValidationCallback;
LocalCertificateSelectionCallback selectionCallback =
ServerCertificateSelectionCallback;
EncryptionPolicy encryptionPolicy = EncryptionPolicy.AllowNoEncryption;
//create the SSL stream starting from the NetworkStream associated
//with the TcpClient instance
_sslStream = new SslStream(client.GetStream(),
leaveInnerStreamOpen, validationCallback, selectionCallback, encryptionPolicy);
//1. when the client requests it, the handshake begins
ServerSideHandshake();
//2. read client's data using the encrypted stream
ReadClientData();
} catch (Exception ex) {
Console.WriteLine("\nError detected: " + ex.Message);
} finally {
if (_sslStream != null)
{
_sslStream.Close();
}
client.Close();
}
}
public TTlsServerSocketTransport(
int port,
bool useBufferedSockets,
X509Certificate2 certificate,
RemoteCertificateValidationCallback clientCertValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls12)
{
if (!certificate.HasPrivateKey)
{
throw new TTransportException(TTransportException.ExceptionType.Unknown,
"Your server-certificate needs to have a private key");
}
_port = port;
_serverCertificate = certificate;
_useBufferedSockets = useBufferedSockets;
_clientCertValidator = clientCertValidator;
_localCertificateSelectionCallback = localCertificateSelectionCallback;
_sslProtocols = sslProtocols;
try
{
// Create server socket
_server = new TcpListener(IPAddress.Any, _port);
_server.Server.NoDelay = true;
}
catch (Exception)
{
_server = null;
throw new TTransportException($"Could not create ServerSocket on port {port}.");
}
}
public TTlsSocketTransport(TcpClient client, TConfiguration config,
X509Certificate2 certificate, bool isServer = false,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls12)
: base(config)
{
_client = client;
_certificate = certificate;
_certValidator = certValidator;
_localCertificateSelectionCallback = localCertificateSelectionCallback;
_sslProtocols = sslProtocols;
_isServer = isServer;
if (isServer && certificate == null)
{
throw new ArgumentException("TTlsSocketTransport needs certificate to be used for server",
nameof(certificate));
}
if (IsOpen)
{
InputStream = client.GetStream();
OutputStream = client.GetStream();
}
}
/// <summary>
/// Creates a new instance of the TlsaStream class
/// </summary>
/// <param name="innerStream">The underlying stream on which the encrypted stream should work</param>
/// <param name="resolver">A DNSSEC resolver to get the TLSA records</param>
/// <param name="enforceTlsaValidation">If true, the use of TLSA records is enforced</param>
/// <param name="leaveInnerStreamOpen">If true, the underlying stream will not be closed when this instance is closed</param>
/// <param name="userCertificateSelectionCallback">
/// A callback to select client certificates to authenticate the client to
/// the server
/// </param>
public DaneStream(Stream innerStream, IDnsSecResolver resolver, bool enforceTlsaValidation = false, bool leaveInnerStreamOpen = false, LocalCertificateSelectionCallback userCertificateSelectionCallback = null)
: base(innerStream, leaveInnerStreamOpen)
{
_resolver = resolver;
_enforceTlsaValidation = enforceTlsaValidation;
_sslStream = new SslStream(innerStream, leaveInnerStreamOpen, ValidateRemoteCertificate, userCertificateSelectionCallback);
}
/// <summary>
/// Enables SSL/TLS 1.2.
/// </summary>
/// <remarks> Registers the <see cref="Session.TlsCertificateValidationCallback"/>
/// and <see cref="Session.TlsCertificateSelectionCallback"/> with the
/// SslStream, optionally gets a client side SSL certificate from the local
/// certificate store, then authenticates the connection. </remarks>
private void EnableTls()
{
RemoteCertificateValidationCallback validationCallback =
new RemoteCertificateValidationCallback(session.TlsCertificateValidationCallback);
LocalCertificateSelectionCallback selectionCallback =
new LocalCertificateSelectionCallback(session.TlsCertificateSelectionCallback);
SslStream sslStream = new SslStream(
session.Stream, true, validationCallback, selectionCallback, EncryptionPolicy.RequireEncryption);
session.Stream = sslStream;
X509Certificate2 certificate = Session.GetCertificateFromStore(
string.Format("CN={0}", ServerConfiguration.TlsConfiguration.Certificate));
X509CertificateCollection certificates = new X509CertificateCollection();
if (certificate != null)
{
certificates.Add(certificate);
}
((SslStream)session.Stream).AuthenticateAsClient(
ServerConfiguration.Host, certificates, SslProtocols.Tls, ServerConfiguration.TlsConfiguration.CheckCertificateRevocation);
}
public MqttNetworkChannel(string remoteHostName, int remotePort, bool secure, X509Certificate caCert, X509Certificate clientCert, MqttSslProtocols sslProtocol, RemoteCertificateValidationCallback userCertificateValidationCallback, LocalCertificateSelectionCallback userCertificateSelectionCallback)
{
IPAddress ipAddress = (IPAddress)null;
try
{
ipAddress = IPAddress.Parse(remoteHostName);
}
catch
{
}
if (ipAddress == null)
{
IPHostEntry hostEntry = Dns.GetHostEntry(remoteHostName);
if (hostEntry == null || (uint)hostEntry.AddressList.Length <= 0U)
{
throw new Exception("No address found for the remote host name");
}
int index = 0;
while (hostEntry.AddressList[index] == null)
{
checked { ++index; }
}
ipAddress = hostEntry.AddressList[index];
}
this.remoteHostName = remoteHostName;
this.remoteIpAddress = ipAddress;
this.remotePort = remotePort;
this.secure = secure;
this.caCert = caCert;
this.clientCert = clientCert;
this.sslProtocol = sslProtocol;
this.userCertificateValidationCallback = userCertificateValidationCallback;
this.userCertificateSelectionCallback = userCertificateSelectionCallback;
}
public RedisManagerSettings(HashSet <RedisEndPoint> endPoints,
RedisManagerType managerType = RedisManagerType.MasterSlave,
string masterName = null,
string password = null,
string clientName = null,
int connectionTimeout = RedisConstants.DefaultConnectionTimeout,
int receiveTimeout = RedisConstants.DefaultReceiveTimeout,
int sendTimeout = RedisConstants.DefaultSendTimeout,
int maxConnectionCount = RedisConstants.DefaultMaxConnectionCount,
int connectionWaitTimeout = RedisConstants.DefaultWaitTimeout,
int connectionIdleTimeout = RedisConstants.DefaultIdleTimeout,
int readBufferSize = 0,
int writeBufferSize = 0,
bool heartBeatEnabled = true,
int hearBeatIntervalInSecs = RedisConstants.DefaultHeartBeatIntervalSecs,
bool useAsyncCompleter = true,
bool useSlaveAsMasterIfNoMasterFound = false,
bool useSsl = false,
LocalCertificateSelectionCallback sslCertificateSelection = null,
RemoteCertificateValidationCallback sslCertificateValidation = null)
: this(ToEndPointList(endPoints), managerType, masterName, password, clientName, connectionTimeout, receiveTimeout,
sendTimeout, maxConnectionCount, connectionWaitTimeout, connectionIdleTimeout, readBufferSize, writeBufferSize,
heartBeatEnabled, hearBeatIntervalInSecs, useAsyncCompleter, useSlaveAsMasterIfNoMasterFound, useSsl,
sslCertificateSelection, sslCertificateValidation)
{
}
public TTlsServerSocketTransport(
int port,
bool useBufferedSockets,
bool useFramedTransport,
X509Certificate2 certificate,
RemoteCertificateValidationCallback clientCertValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls12)
{
if (!certificate.HasPrivateKey)
{
throw new TTransportException(TTransportException.ExceptionType.Unknown,
"Your server-certificate needs to have a private key");
}
_port = port;
_serverCertificate = certificate;
_useBufferedSockets = useBufferedSockets;
_useFramedTransport = useFramedTransport;
_clientCertValidator = clientCertValidator;
_localCertificateSelectionCallback = localCertificateSelectionCallback;
_sslProtocols = sslProtocols;
try
{
// Create server socket
_server = new TcpListener(IPAddress.Any, _port);
_server.Server.NoDelay = true;
}
catch (Exception)
{
_server = null;
throw new TTransportException($"Could not create ServerSocket on port {port}.");
}
}
internal bool SecureExistingConnection(Session oS, string sCertCN, string sClientCertificateFilename, string sPoolingKey, ref int iHandshakeTime)
{
RemoteCertificateValidationCallback userCertificateValidationCallback = null;
LocalCertificateSelectionCallback userCertificateSelectionCallback = null;
Stopwatch stopwatch = Stopwatch.StartNew();
try
{
this.sPoolKey = sPoolingKey;
X509CertificateCollection certificateCollectionFromFile = this.GetCertificateCollectionFromFile(sClientCertificateFilename);
if (userCertificateValidationCallback == null)
{
userCertificateValidationCallback = delegate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) {
return(ConfirmServerCertificate(oS, sCertCN, certificate, chain, sslPolicyErrors));
};
}
if (userCertificateSelectionCallback == null)
{
userCertificateSelectionCallback = delegate(object sender, string targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, string[] acceptableIssuers) {
return(this.AttachClientCertificate(oS, sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers));
};
}
base._httpsStream = new SslStream(new NetworkStream(base._baseSocket, false), false, userCertificateValidationCallback, userCertificateSelectionCallback);
base._httpsStream.AuthenticateAsClient(sCertCN, certificateCollectionFromFile, Browser.oAcceptedServerHTTPSProtocols, SDVPApplication.Prefs.GetBoolPref("SDVP.https.checkcertificaterevocation", false));
iHandshakeTime = (int)stopwatch.ElapsedMilliseconds;
}
catch (Exception exception)
{
iHandshakeTime = (int)stopwatch.ElapsedMilliseconds;
SDVPApplication.DebugSpew(exception.StackTrace + "\n" + exception.Message);
return(false);
}
return(true);
}
/// <summary>
/// Upgrade a Tcp stream to an Ssl stream using the TLS options provided.
/// </summary>
public static Stream TcpUpgrade(Stream tcpStream, SslOption options)
{
var helper = new SslHelper(options);
RemoteCertificateValidationCallback remoteCertValidator =
options.CertificateValidationCallback ?? helper.CertificateValidationCallback;
LocalCertificateSelectionCallback localCertSelector =
options.CertificateSelectionCallback ?? helper.CertificateSelectionCallback;
var sslStream = new SslStream(tcpStream, false, remoteCertValidator, localCertSelector);
void TryAuthenticating(SslOption opts)
{
sslStream.AuthenticateAsClientAsync(opts.ServerName, opts.Certs, opts.Version,
opts.CheckCertificateRevocation).GetAwaiter().GetResult();
}
try
{
TryAuthenticating(options);
}
catch (ArgumentException e) when(e.ParamName == "sslProtocolType" && options.Version == SslProtocols.None)
{
// SslProtocols.None is dysfunctional in this environment, possibly due to TLS version restrictions
// in the app context, system or .NET version-specific behavior. See rabbitmq/rabbitmq-dotnet-client#764
// for background.
options.UseFallbackTlsVersions();
TryAuthenticating(options);
}
return(sslStream);
}
/// <summary>
/// Constructs the factory for the case where server identity and also the client identity can be verifyied.
/// </summary>
/// <param name="hostName">The host the client wants to communicate with. The host name must match with the certificate name.</param>
/// <param name="certificates">List of certificates provided by the client. If null, the client is not verified.</param>
/// <param name="userCertificateValidationCallback">User provided delegate for validating the certificate supplied by the remote party.</param>
/// <param name="userCertificateSelectionCallback">User provided delegate for selecting the certificate used for authentication.</param>
public ClientSslFactory(string hostName,
X509CertificateCollection certificates,
RemoteCertificateValidationCallback userCertificateValidationCallback,
LocalCertificateSelectionCallback userCertificateSelectionCallback)
{
using (EneterTrace.Entering())
{
if (string.IsNullOrEmpty(hostName))
{
string anError = TracedObject + "failed in constructor because the input parameter 'hostName' was null or empty.";
EneterTrace.Error(anError);
throw new ArgumentException(anError);
}
AcceptedProtocols = SslProtocols.Ssl3 | SslProtocols.Tls;
#if NETSTANDARD || NET472
AcceptedProtocols |= SslProtocols.Tls11 | SslProtocols.Tls12;
#endif
#if MONOANDROID || XAMARIN_IOS
AcceptedProtocols |= SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13;
#endif
myHostName = hostName;
myCertificates = certificates;
myUserCertificateValidationCallback = userCertificateValidationCallback;
myUserCertificateSelectionCallback = userCertificateSelectionCallback;
}
}
internal bool SecureExistingConnection(Session oS, string sCertCN, string sClientCertificateFilename, string sPoolingKey, ref int iHandshakeTime)
{
RemoteCertificateValidationCallback userCertificateValidationCallback = null;
LocalCertificateSelectionCallback userCertificateSelectionCallback = null;
Stopwatch stopwatch = Stopwatch.StartNew();
try
{
this.sPoolKey = sPoolingKey;
X509CertificateCollection certificateCollectionFromFile = this.GetCertificateCollectionFromFile(sClientCertificateFilename);
if (userCertificateValidationCallback == null)
{
userCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => ConfirmServerCertificate(oS, sCertCN, certificate, chain, sslPolicyErrors);
}
if (userCertificateSelectionCallback == null)
{
userCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) => this.AttachClientCertificate(oS, sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers);
}
base._httpsStream = new SslStream(new NetworkStream(base._baseSocket, false), false, userCertificateValidationCallback, userCertificateSelectionCallback);
base._httpsStream.AuthenticateAsClient(sCertCN, certificateCollectionFromFile, CONFIG.oAcceptedServerHTTPSProtocols, false);
iHandshakeTime = (int)stopwatch.ElapsedMilliseconds;
}
catch (Exception exception)
{
iHandshakeTime = (int)stopwatch.ElapsedMilliseconds;
FiddlerApplication.DebugSpew(exception.StackTrace + "\n" + exception.Message);
FiddlerApplication.Log.LogFormat("fiddler.network.https> Failed to secure existing connection for {0}. {1}{2}", new object[] { sCertCN, exception.Message, (exception.InnerException != null) ? (" InnerException: " + exception.InnerException.ToString()) : "." });
return(false);
}
return(true);
}
/// <summary>
/// Initializes a new instance of the <see cref="TTLSServerSocket" /> class.
/// </summary>
/// <param name="port">The port where the server runs.</param>
/// <param name="clientTimeout">Send/receive timeout.</param>
/// <param name="useBufferedSockets">If set to <c>true</c> [use buffered sockets].</param>
/// <param name="certificate">The certificate object.</param>
/// <param name="clientCertValidator">The certificate validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
public TTLSServerSocket(
int port,
int clientTimeout,
bool useBufferedSockets,
X509Certificate2 certificate,
RemoteCertificateValidationCallback clientCertValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
{
if (!certificate.HasPrivateKey)
{
throw new TTransportException(TTransportException.ExceptionType.Unknown, "Your server-certificate needs to have a private key");
}
this.port = port;
this.serverCertificate = certificate;
this.useBufferedSockets = useBufferedSockets;
this.clientCertValidator = clientCertValidator;
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
try
{
// Create server socket
server = new TcpListener(System.Net.IPAddress.Any, this.port);
server.Server.NoDelay = true;
}
catch (Exception)
{
server = null;
throw new TTransportException("Could not create ServerSocket on port " + port + ".");
}
}
public SslStream(Stream innerStream, bool leaveStreamOpen, RemoteCertificateValidationCallback certValidationCallback, LocalCertificateSelectionCallback certSelectionCallback)
: base(innerStream, leaveStreamOpen)
{
// they are nullable.
validation_callback = certValidationCallback;
selection_callback = certSelectionCallback;
}
public async Task SslStream_StreamToStream_DuplicateOptions_Throws()
{
RemoteCertificateValidationCallback rCallback = (sender, certificate, chain, errors) => { return(true); };
LocalCertificateSelectionCallback lCallback = (sender, host, localCertificates, remoteCertificate, issuers) => { return(null); };
(Stream clientStream, Stream serverStream) = TestHelper.GetConnectedStreams();
using (clientStream)
using (serverStream)
using (var client = new SslStream(clientStream, false, rCallback, lCallback, EncryptionPolicy.RequireEncryption))
using (var server = new SslStream(serverStream, false, rCallback))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions();
clientOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
clientOptions.TargetHost = certificate.GetNameInfo(X509NameType.SimpleName, false);
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificate = certificate;
serverOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
Task t1 = Assert.ThrowsAsync <InvalidOperationException>(() => client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None));
Task t2 = Assert.ThrowsAsync <InvalidOperationException>(() => server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None));
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
static XLocalCertificateSelectionCallback ConvertCallback(LocalCertificateSelectionCallback callback)
{
if (callback == null)
{
return(null);
}
return((s, t, lc, rc, ai) => callback(s, t, lc, rc, ai));
}
///<summary>Construct an SslOption specifying both the server cannonical name
///and the client's certificate path.
///</summary>
public SslOption(string serverName, string certPath, bool enabled)
{
m_serverName = serverName;
m_certPath = certPath;
m_enabled = enabled;
CertificateValidationCallback = null;
CertificateSelectionCallback = null;
}
public SslMllpNetworkSream(
Stream innerStream,
bool leaveInnerStreamOpen,
RemoteCertificateValidationCallback userCertificateValidationCallback,
LocalCertificateSelectionCallback userCertificateSelectionCallback)
: base(
innerStream, leaveInnerStreamOpen, userCertificateValidationCallback, userCertificateSelectionCallback)
{
}
internal static MSI.MonoLocalCertificateSelectionCallback PublicToMono(LocalCertificateSelectionCallback callback)
{
if (callback == null)
{
return(null);
}
return((t, lc, rc, ai) => callback(null, t, (XX509CertificateCollection)(object)lc, rc, ai));
}
/// <summary>
/// Initializes a new instance of the <see cref="TTLSSocket"/> class.
/// </summary>
/// <param name="host">The host, where the socket should connect to.</param>
/// <param name="port">The port.</param>
/// <param name="certificatePath">The certificate path.</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
public TTLSSocket(
string host,
int port,
string certificatePath,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
: this(host, port, 0, X509Certificate.CreateFromCertFile(certificatePath), certValidator, localCertificateSelectionCallback)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="TTLSSocket"/> class.
/// </summary>
/// <param name="host">The host, where the socket should connect to.</param>
/// <param name="port">The port.</param>
/// <param name="certificate">The certificate.</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
public TTLSSocket(
string host,
int port,
X509Certificate certificate,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
: this(host, port, 0, certificate, certValidator, localCertificateSelectionCallback)
{
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="brokerHostName">Broker Host Name or IP Address</param>
/// <param name="brokerPort">Broker port</param>
/// <param name="caCert">CA certificate for secure connection</param>
/// <param name="clientCert">Client certificate</param>
/// <param name="sslProtocol">SSL/TLS protocol version</param>
/// <param name="userCertificateValidationCallback">A RemoteCertificateValidationCallback delegate responsible for validating the certificate supplied by the remote party</param>
/// <param name="userCertificateSelectionCallback">A LocalCertificateSelectionCallback delegate responsible for selecting the certificate used for authentication</param>
public MqttSecureClient(string brokerHostName, int brokerPort, X509Certificate caCert, X509Certificate clientCert, MqttSslProtocol sslProtocol,
RemoteCertificateValidationCallback userCertificateValidationCallback,
LocalCertificateSelectionCallback userCertificateSelectionCallback)
: base(brokerHostName, brokerPort, true)
{
this.settings.Port = MqttSettings.MQTT_BROKER_DEFAULT_PORT;
this.settings.SslPort = this.brokerPort;
this.InitSecureChannel(caCert, clientCert, sslProtocol, userCertificateValidationCallback, userCertificateSelectionCallback);
}
public TLSStream(Stream innerStream,
bool leaveInnerStreamOpen,
RemoteCertificateValidationCallback userCertificateValidationCallback,
LocalCertificateSelectionCallback userCertificateSelectionCallback)
: base(innerStream, leaveInnerStreamOpen)
{
_validationCallback = userCertificateValidationCallback;
_selectionCallback = userCertificateSelectionCallback;
}
public DotNetSslStreamImpl (
Stream innerStream, bool leaveInnerStreamOpen,
RemoteCertificateValidationCallback userCertificateValidationCallback,
LocalCertificateSelectionCallback userCertificateSelectionCallback)
{
impl = new SslStream (
innerStream, leaveInnerStreamOpen,
userCertificateValidationCallback,
userCertificateSelectionCallback);
}
public TTlsSocketClientTransport(IPAddress host, int port, string certificatePath,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls12)
: this(host, port, 0,
new X509Certificate2(certificatePath),
certValidator,
localCertificateSelectionCallback,
sslProtocols)
{
}
public DotNetSslStreamImpl (
Stream innerStream, bool leaveInnerStreamOpen, DotNetTlsProvider provider,
RemoteCertificateValidationCallback userCertificateValidationCallback,
LocalCertificateSelectionCallback userCertificateSelectionCallback)
{
this.provider = provider;
impl = new SslStream (
innerStream, leaveInnerStreamOpen,
userCertificateValidationCallback,
userCertificateSelectionCallback);
}
public SslStream(
NetworkStream innerStream,
bool leaveInnerStreamOpen,
RemoteCertificateValidationCallback userCertificateValidationCallback,
LocalCertificateSelectionCallback userCertificateSelectionCallback)
: base(innerStream,
leaveInnerStreamOpen,
userCertificateValidationCallback,
userCertificateSelectionCallback)
{
}
public SslStream(Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback userCertificateValidationCallback, LocalCertificateSelectionCallback userCertificateSelectionCallback, EncryptionPolicy encryptionPolicy) : base(innerStream, leaveInnerStreamOpen)
{
if (((encryptionPolicy != EncryptionPolicy.RequireEncryption) && (encryptionPolicy != EncryptionPolicy.AllowNoEncryption)) && (encryptionPolicy != EncryptionPolicy.NoEncryption))
{
throw new ArgumentException(SR.GetString("net_invalid_enum", new object[] { "EncryptionPolicy" }), "encryptionPolicy");
}
this._userCertificateValidationCallback = userCertificateValidationCallback;
this._userCertificateSelectionCallback = userCertificateSelectionCallback;
RemoteCertValidationCallback certValidationCallback = new RemoteCertValidationCallback(this.userCertValidationCallbackWrapper);
LocalCertSelectionCallback certSelectionCallback = (userCertificateSelectionCallback == null) ? null : new LocalCertSelectionCallback(this.userCertSelectionCallbackWrapper);
this._SslState = new SslState(innerStream, certValidationCallback, certSelectionCallback, encryptionPolicy);
}
// constructors
/// <summary>
/// Initializes a new instance of the <see cref="SslStreamSettings"/> class.
/// </summary>
/// <param name="checkCertificateRevocation">Whether to check for certificate revocation.</param>
/// <param name="clientCertificates">The client certificates.</param>
/// <param name="clientCertificateSelectionCallback">The client certificate selection callback.</param>
/// <param name="enabledProtocols">The enabled protocols.</param>
/// <param name="serverCertificateValidationCallback">The server certificate validation callback.</param>
public SslStreamSettings(
Optional<bool> checkCertificateRevocation = default(Optional<bool>),
Optional<IEnumerable<X509Certificate>> clientCertificates = default(Optional<IEnumerable<X509Certificate>>),
Optional<LocalCertificateSelectionCallback> clientCertificateSelectionCallback = default(Optional<LocalCertificateSelectionCallback>),
Optional<SslProtocols> enabledProtocols = default(Optional<SslProtocols>),
Optional<RemoteCertificateValidationCallback> serverCertificateValidationCallback = default(Optional<RemoteCertificateValidationCallback>))
{
_checkCertificateRevocation = checkCertificateRevocation.WithDefault(true);
_clientCertificates = Ensure.IsNotNull(clientCertificates.WithDefault(Enumerable.Empty<X509Certificate>()), "clientCertificates").ToList();
_clientCertificateSelectionCallback = clientCertificateSelectionCallback.WithDefault(null);
_enabledSslProtocols = enabledProtocols.WithDefault(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls);
_serverCertificateValidationCallback = serverCertificateValidationCallback.WithDefault(null);
}
public SslStream(Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback userCertificateValidationCallback,
LocalCertificateSelectionCallback userCertificateSelectionCallback, EncryptionPolicy encryptionPolicy)
: base(innerStream, leaveInnerStreamOpen)
{
if (encryptionPolicy != EncryptionPolicy.RequireEncryption && encryptionPolicy != EncryptionPolicy.AllowNoEncryption && encryptionPolicy != EncryptionPolicy.NoEncryption)
{
throw new ArgumentException(SR.Format(SR.net_invalid_enum, "EncryptionPolicy"), nameof(encryptionPolicy));
}
_userCertificateValidationCallback = userCertificateValidationCallback;
_userCertificateSelectionCallback = userCertificateSelectionCallback;
RemoteCertValidationCallback _userCertValidationCallbackWrapper = new RemoteCertValidationCallback(UserCertValidationCallbackWrapper);
LocalCertSelectionCallback _userCertSelectionCallbackWrapper = userCertificateSelectionCallback == null ? null : new LocalCertSelectionCallback(UserCertSelectionCallbackWrapper);
_sslState = new SslState(innerStream, _userCertValidationCallbackWrapper, _userCertSelectionCallbackWrapper, encryptionPolicy);
}
public void open()
{
try {
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509CertificateCollection certificates = new X509CertificateCollection();
certificates.AddRange(store.Certificates);
client = new TcpClient();
client.Connect("gateway.sandbox.push.apple.com", 2195);
LocalCertificateSelectionCallback localCallBack = new LocalCertificateSelectionCallback(APNSLocalCert.SelectLocalCertificate);
stream = new SslStream(client.GetStream(), false, (sender, cert, chain, sslPolicyErrors) => true, localCallBack);
stream.AuthenticateAsClient("gateway.sandbox.push.apple.com", certificates, System.Security.Authentication.SslProtocols.Tls, false);
} catch (Exception ex) { Console.Write(ex.Message); }
}
// constructors
/// <summary>
/// Initializes a new instance of the <see cref="SslStreamSettings"/> class.
/// </summary>
/// <param name="checkCertificateRevocation">Whether to check for certificate revocation.</param>
/// <param name="clientCertificates">The client certificates.</param>
/// <param name="clientCertificateSelectionCallback">The client certificate selection callback.</param>
/// <param name="enabledProtocols">The enabled protocols.</param>
/// <param name="serverCertificateValidationCallback">The server certificate validation callback.</param>
public SslStreamSettings(
Optional<bool> checkCertificateRevocation = default(Optional<bool>),
Optional<IEnumerable<X509Certificate>> clientCertificates = default(Optional<IEnumerable<X509Certificate>>),
Optional<LocalCertificateSelectionCallback> clientCertificateSelectionCallback = default(Optional<LocalCertificateSelectionCallback>),
Optional<SslProtocols> enabledProtocols = default(Optional<SslProtocols>),
Optional<RemoteCertificateValidationCallback> serverCertificateValidationCallback = default(Optional<RemoteCertificateValidationCallback>))
{
_checkCertificateRevocation = checkCertificateRevocation.WithDefault(true);
_clientCertificates = Ensure.IsNotNull(clientCertificates.WithDefault(Enumerable.Empty<X509Certificate>()), "clientCertificates").ToList();
_clientCertificateSelectionCallback = clientCertificateSelectionCallback.WithDefault(null);
#if NETSTANDARD1_6
#pragma warning disable 618
_enabledSslProtocols = enabledProtocols.WithDefault(SslProtocols.Tls | SslProtocols.Ssl3);
#pragma warning restore
#else
_enabledSslProtocols = enabledProtocols.WithDefault(SslProtocols.Default);
#endif
_serverCertificateValidationCallback = serverCertificateValidationCallback.WithDefault(null);
}
public TTlsSocketClientTransport(TcpClient client, X509Certificate2 certificate, bool isServer = false,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls12)
{
_client = client;
_certificate = certificate;
_certValidator = certValidator;
_localCertificateSelectionCallback = localCertificateSelectionCallback;
_sslProtocols = sslProtocols;
_isServer = isServer;
if (isServer && certificate == null)
{
throw new ArgumentException("TTlsSocketClientTransport needs certificate to be used for server",
"certificate");
}
if (IsOpen)
{
InputStream = client.GetStream();
OutputStream = client.GetStream();
}
}
public SslStream (Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback userCertificateValidationCallback, LocalCertificateSelectionCallback userCertificateSelectionCallback, EncryptionPolicy encryptionPolicy)
: this (innerStream, leaveInnerStreamOpen, userCertificateValidationCallback, userCertificateSelectionCallback)
{
}
public static Stream CreateClientSslStream(ConnectionBase connection,
Stream baseStream,
X509Certificate2Collection clientCertificates,
RemoteCertificateValidationCallback serverCertificateValidationCallback,
LocalCertificateSelectionCallback clientCertificateSelectionCallback)
{
var sslStream = new SslStream(baseStream,
false,
serverCertificateValidationCallback,
clientCertificateSelectionCallback);
try {
sslStream.AuthenticateAsClient(connection.host,
clientCertificates,
SslProtocols.Default,
true);
return sslStream;
}
catch (AuthenticationException) {
sslStream.Close();
throw;
}
}
static XLocalCertificateSelectionCallback ConvertCallback (LocalCertificateSelectionCallback callback)
{
if (callback == null)
return null;
return (s, t, lc, rc, ai) => callback (s, t, lc, rc, ai);
}
public SslStream (Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback userCertificateValidationCallback, LocalCertificateSelectionCallback userCertificateSelectionCallback)
: base (innerStream, leaveInnerStreamOpen)
{
provider = GetProvider ();
var settings = MonoTlsSettings.CopyDefaultSettings ();
settings.RemoteCertificateValidationCallback = MNS.Private.CallbackHelpers.PublicToMono (userCertificateValidationCallback);
settings.ClientCertificateSelectionCallback = MNS.Private.CallbackHelpers.PublicToMono (userCertificateSelectionCallback);
impl = provider.CreateSslStream (innerStream, leaveInnerStreamOpen, settings);
}
public InitiateUpgradeAsyncResult(SslStreamSecurityUpgradeInitiator initiator, AsyncCallback callback, object state) : base(callback, state)
{
this.initiator = initiator;
if (initiator.clientToken != null)
{
this.clientCertificates = new X509CertificateCollection();
this.clientCertificates.Add(initiator.clientToken.Certificate);
this.selectionCallback = SslStreamSecurityUpgradeInitiator.ClientCertificateSelectionCallback;
}
}
public SslStream(Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback userCertificateValidationCallback, LocalCertificateSelectionCallback userCertificateSelectionCallback, EncryptionPolicy encryptionPolicy) : base (default(Stream), default(bool))
{
Contract.Ensures(innerStream.CanWrite == true);
}
/// <summary>
/// Initializes a new instance of the <see cref="TcpServer"/> class.
/// </summary>
/// <param name="configString">Config string of the <see cref="TcpServer"/>. See <see cref="DefaultConfigurationString"/> for format.</param>
public TlsServer(string configString)
: base(TransportProtocol.Tcp, configString)
{
m_defaultCertificateChecker = new SimpleCertificateChecker();
m_localCertificateSelectionCallback = DefaultLocalCertificateSelectionCallback;
#if MONO
// Tls12 is not supported under Mono as of v3.8.0
m_enabledSslProtocols = SslProtocols.Tls;
#else
m_enabledSslProtocols = SslProtocols.Tls12;
#endif
m_checkCertificateRevocation = true;
m_trustedCertificatesPath = DefaultTrustedCertificatesPath;
m_payloadAware = DefaultPayloadAware;
m_payloadMarker = Payload.DefaultMarker;
m_integratedSecurity = DefaultIntegratedSecurity;
m_ignoreInvalidCredentials = DefaultIgnoreInvalidCredentials;
m_allowDualStackSocket = DefaultAllowDualStackSocket;
m_maxSendQueueSize = DefaultMaxSendQueueSize;
m_clientInfoLookup = new ConcurrentDictionary<Guid, TlsClientInfo>();
m_acceptHandler = (sender, args) => ProcessAccept(args);
}
/// <summary>
/// Secures the stream using SSL/TLS.
/// The socket is secured immediately following any pending reads/writes already in the queue.
/// Any reads/writes scheduled after this call will travel over a secure connection.
///
/// Note: You must use the LocalCertificateSelectionCallback to return the required certificate for a server.
///
/// If TLS fails to authenticate, the event WillCloseWithException will fire with the reason.
/// </summary>
/// <param name="rcvc">
/// A RemoteCertificateValidationCallback delegate responsible for
/// validating the certificate supplied by the remote party.
/// Pass null if you don't need this functionality.
/// </param>
/// <param name="lcsc">
/// A LocalCertificateSelectionCallback delegate responsible for
/// selecting the certificate used for authentication.
/// Pass null if you don't need this functionality.
/// </param>
public void StartTLSAsServer(X509Certificate serverCertificate, RemoteCertificateValidationCallback rcvc,
LocalCertificateSelectionCallback lcsc)
{
// Update tls variables - we'll need to refer to these later when we actually start tls
isTLSClient = false;
localCertificate = serverCertificate;
tlsRemoteCallback = rcvc;
tlsLocalCallback = lcsc;
// Inject StartTLS packets into read and write queues.
// Once all pending reads and writes have completed, the StartTLS procedure will commence.
AsyncSpecialPacket startTlsPacket = new AsyncSpecialPacket(true);
readQueue.Enqueue(startTlsPacket);
writeQueue.Enqueue(startTlsPacket);
// Queue calls to MaybeDequeueRead and MaybeDequeueWrite
ThreadPool.QueueUserWorkItem(new WaitCallback(MaybeDequeueRead));
ThreadPool.QueueUserWorkItem(new WaitCallback(MaybeDequeueWrite));
}
/// <summary>
/// Initializes a new instance of the <see cref="TTLSSocket"/> class.
/// </summary>
/// <param name="host">The host, where the socket should connect to.</param>
/// <param name="port">The port.</param>
/// <param name="certificatePath">The certificate path.</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSSocket(
string host,
int port,
string certificatePath,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls)
: this(host, port, 0, X509Certificate.CreateFromCertFile(certificatePath), certValidator, localCertificateSelectionCallback, sslProtocols)
{
}
public SslStream (Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback userCertificateValidationCallback, LocalCertificateSelectionCallback userCertificateSelectionCallback)
: base (innerStream, leaveInnerStreamOpen)
{
// they are nullable.
validation_callback = userCertificateValidationCallback;
selection_callback = userCertificateSelectionCallback;
}
/// <summary>
/// Initializes a new instance of the <see cref="TcpServer"/> class.
/// </summary>
/// <param name="configString">Config string of the <see cref="TcpServer"/>. See <see cref="DefaultConfigurationString"/> for format.</param>
public SslServer(string configString)
: base(TransportProtocol.Tcp, configString)
{
m_localCertificateSelectionCallback = DefaultLocalCertificateSelectionCallback;
m_enabledSslProtocols = SslProtocols.None;
m_checkCertificateRevocation = true;
m_payloadAware = DefaultPayloadAware;
m_payloadMarker = Payload.DefaultMarker;
m_allowDualStackSocket = DefaultAllowDualStackSocket;
m_tcpClients = new ConcurrentDictionary<Guid, TransportProvider<SslStream>>();
m_acceptHandler = (sender, args) => ProcessAccept();
}
/// <summary>
/// Initializes a new instance of the <see cref="TTLSSocket"/> class.
/// </summary>
/// <param name="host">The host, where the socket should connect to.</param>
/// <param name="port">The port.</param>
/// <param name="certificate">The certificate.</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSSocket(
string host,
int port,
X509Certificate certificate = null,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls)
: this(host, port, 0, certificate, certValidator, localCertificateSelectionCallback, sslProtocols)
{
}
public SslStream(System.IO.Stream innerStream, bool leaveInnerStreamOpen, RemoteCertificateValidationCallback userCertificateValidationCallback, LocalCertificateSelectionCallback userCertificateSelectionCallback)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="TTLSSocket"/> class.
/// </summary>
/// <param name="client">An already created TCP-client</param>
/// <param name="certificate">The certificate.</param>
/// <param name="isServer">if set to <c>true</c> [is server].</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSSocket(
TcpClient client,
X509Certificate certificate,
bool isServer = false,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
// TODO: Enable Tls11 and Tls12 (TLS 1.1 and 1.2) by default once we start using .NET 4.5+.
SslProtocols sslProtocols = SslProtocols.Tls)
{
this.client = client;
this.certificate = certificate;
this.certValidator = certValidator;
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
this.sslProtocols = sslProtocols;
this.isServer = isServer;
if (isServer && certificate == null)
{
throw new ArgumentException("TTLSSocket needs certificate to be used for server", "certificate");
}
if (IsOpen)
{
base.inputStream = client.GetStream();
base.outputStream = client.GetStream();
}
}
/// <summary>
/// Initializes a new instance of the <see cref="TTLSSocket"/> class.
/// </summary>
/// <param name="host">The host, where the socket should connect to.</param>
/// <param name="port">The port.</param>
/// <param name="timeout">The timeout.</param>
/// <param name="certificate">The certificate.</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSSocket(
string host,
int port,
int timeout,
X509Certificate certificate,
RemoteCertificateValidationCallback certValidator = null,
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
SslProtocols sslProtocols = SslProtocols.Tls)
{
this.host = host;
this.port = port;
this.timeout = timeout;
this.certificate = certificate;
this.certValidator = certValidator;
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
this.sslProtocols = sslProtocols;
InitSocket();
}
