private async Task ClientAsyncSslHelper( EncryptionPolicy encryptionPolicy, SslProtocols clientSslProtocols, SslProtocols serverSslProtocols, RemoteCertificateValidationCallback certificateCallback = null) { _log.WriteLine("Server: " + serverSslProtocols + "; Client: " + clientSslProtocols); IPEndPoint endPoint = new IPEndPoint(IPAddress.Loopback, 0); using (var server = new DummyTcpServer(endPoint, encryptionPolicy)) using (var client = new TcpClient()) { server.SslProtocols = serverSslProtocols; // Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378 string serverName = TestHelper.GetTestSNIName(nameof(ClientAsyncSslHelper), clientSslProtocols, serverSslProtocols); await client.ConnectAsync(server.RemoteEndPoint.Address, server.RemoteEndPoint.Port); using (SslStream sslStream = new SslStream(client.GetStream(), false, certificateCallback != null ? certificateCallback : AllowAnyServerCertificate, null)) { Task clientAuthTask = sslStream.AuthenticateAsClientAsync(serverName, null, clientSslProtocols, false); await clientAuthTask.WaitAsync(TestConfiguration.PassingTestTimeout); _log.WriteLine("Client authenticated to server({0}) with encryption cipher: {1} {2}-bit strength", server.RemoteEndPoint, sslStream.CipherAlgorithm, sslStream.CipherStrength); Assert.True(sslStream.CipherAlgorithm != CipherAlgorithmType.Null, "Cipher algorithm should not be NULL"); Assert.True(sslStream.CipherStrength > 0, "Cipher strength should be greater than 0"); } } }
public async Task ClientAndServer_OneOrBothUseDefault_Ok(SslProtocols?clientProtocols, SslProtocols?serverProtocols) { using (X509Certificate2 serverCertificate = Configuration.Certificates.GetServerCertificate()) using (X509Certificate2 clientCertificate = Configuration.Certificates.GetClientCertificate()) { // Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378 string serverHost = TestHelper.GetTestSNIName(nameof(ClientAndServer_OneOrBothUseDefault_Ok), clientProtocols, serverProtocols); var clientCertificates = new X509CertificateCollection() { clientCertificate }; await TestConfiguration.WhenAllOrAnyFailedWithTimeout( AuthenticateClientAsync(serverHost, clientCertificates, checkCertificateRevocation : false, protocols : clientProtocols), AuthenticateServerAsync(serverCertificate, clientCertificateRequired : true, checkCertificateRevocation : false, protocols : serverProtocols)); if (PlatformDetection.IsWindows && PlatformDetection.WindowsVersion >= 10 && #pragma warning disable 0618 clientProtocols.GetValueOrDefault() != SslProtocols.Default && serverProtocols.GetValueOrDefault() != SslProtocols.Default) #pragma warning restore 0618 { Assert.True( #pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete (_clientStream.SslProtocol == SslProtocols.Tls11 && _clientStream.HashAlgorithm == HashAlgorithmType.Sha1) || #pragma warning restore SYSLIB0039 _clientStream.HashAlgorithm == HashAlgorithmType.Sha256 || _clientStream.HashAlgorithm == HashAlgorithmType.Sha384 || _clientStream.HashAlgorithm == HashAlgorithmType.Sha512, _clientStream.SslProtocol + " " + _clientStream.HashAlgorithm); } } }
private async Task ClientAsyncSslHelper( EncryptionPolicy encryptionPolicy, SslProtocols clientSslProtocols, SslProtocols serverSslProtocols, RemoteCertificateValidationCallback certificateCallback = null) { _log.WriteLine("Server: " + serverSslProtocols + "; Client: " + clientSslProtocols); (SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams(); using (client) using (server) { // Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378 string serverName = TestHelper.GetTestSNIName(nameof(ClientAsyncSslHelper), clientSslProtocols, serverSslProtocols); Task serverTask = default; try { Task clientTask = client.AuthenticateAsClientAsync(new SslClientAuthenticationOptions { EnabledSslProtocols = clientSslProtocols, RemoteCertificateValidationCallback = AllowAnyServerCertificate, TargetHost = serverName }); serverTask = server.AuthenticateAsServerAsync(new SslServerAuthenticationOptions { EncryptionPolicy = encryptionPolicy, EnabledSslProtocols = serverSslProtocols, ServerCertificate = TestConfiguration.ServerCertificate, CertificateRevocationCheckMode = X509RevocationMode.NoCheck }); await clientTask.WaitAsync(TestConfiguration.PassingTestTimeout); _log.WriteLine("Client authenticated to server with encryption cipher: {0} {1}-bit strength", client.CipherAlgorithm, client.CipherStrength); Assert.True(client.CipherAlgorithm != CipherAlgorithmType.Null, "Cipher algorithm should not be NULL"); Assert.True(client.CipherStrength > 0, "Cipher strength should be greater than 0"); } finally { // make sure we signal server in case of client failures client.Close(); try { await serverTask; } catch (Exception ex) { // We generally don't care about server but can log exception to help diagnose test failures _log.WriteLine(ex.ToString()); } } } }
private async Task ServerAsyncSslHelper( SslProtocols clientSslProtocols, SslProtocols serverSslProtocols, bool expectedToFail = false) { _log.WriteLine( "Server: " + serverSslProtocols + "; Client: " + clientSslProtocols + " expectedToFail: " + expectedToFail); (NetworkStream clientStream, NetworkStream serverStream) = TestHelper.GetConnectedTcpStreams(); using (SslStream sslServerStream = new SslStream( serverStream, false, AllowEmptyClientCertificate)) using (SslStream sslClientStream = new SslStream( clientStream, false, delegate { // Allow any certificate from the server. // Note that simply ignoring exceptions from AuthenticateAsClientAsync() is not enough // because in Mono, certificate validation is performed during the handshake and a failure // would result in the connection being terminated before the handshake completed, thus // making the server-side AuthenticateAsServerAsync() fail as well. return(true); })) { // Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378 string serverName = TestHelper.GetTestSNIName(nameof(ServerAsyncSslHelper), clientSslProtocols, serverSslProtocols); _log.WriteLine("Connected on {0} {1} ({2} {3})", clientStream.Socket.LocalEndPoint, clientStream.Socket.RemoteEndPoint, clientStream.Socket.Handle, serverStream.Socket.Handle); _log.WriteLine("client SslStream#{0} server SslStream#{1}", sslClientStream.GetHashCode(), sslServerStream.GetHashCode()); _logVerbose.WriteLine("ServerAsyncAuthenticateTest.AuthenticateAsClientAsync start."); Task clientAuthentication = sslClientStream.AuthenticateAsClientAsync( serverName, null, clientSslProtocols, false); _logVerbose.WriteLine("ServerAsyncAuthenticateTest.AuthenticateAsServerAsync start."); Task serverAuthentication = sslServerStream.AuthenticateAsServerAsync( _serverCertificate, true, serverSslProtocols, false); try { await clientAuthentication.WaitAsync(TestConfiguration.PassingTestTimeout); _logVerbose.WriteLine("ServerAsyncAuthenticateTest.clientAuthentication complete."); } catch (AuthenticationException ex) { // Ignore client-side errors: we're only interested in server-side behavior. _log.WriteLine("Client exception : " + ex); clientStream.Socket.Shutdown(SocketShutdown.Send); } await serverAuthentication.WaitAsync(TestConfiguration.PassingTestTimeout); _logVerbose.WriteLine("ServerAsyncAuthenticateTest.serverAuthentication complete."); _log.WriteLine( "Server({0}) authenticated with encryption cipher: {1} {2}-bit strength", serverStream.Socket.LocalEndPoint, sslServerStream.CipherAlgorithm, sslServerStream.CipherStrength); Assert.True( sslServerStream.CipherAlgorithm != CipherAlgorithmType.Null, "Cipher algorithm should not be NULL"); Assert.True(sslServerStream.CipherStrength > 0, "Cipher strength should be greater than 0"); } }