public async Task Tls_Mutual_CanAuthenticate()
{
var serverTlsConfig = new EpoxyServerTlsConfig(
testServerCert,
checkCertificateRevocation: false,
clientCertificateRequired: true,
remoteCertificateValidationCallback: EnsureRootedWithTestCertificate
);
var clientTlsConfig = new EpoxyClientTlsConfig(
certificate: testClientCert,
checkCertificateRevocation: false,
remoteCertificateValidationCallback: EnsureRootedWithTestCertificate);
var transport = new EpoxyTransportBuilder()
.SetResolver(ResolveEverythingToLocalhost)
.SetServerTlsConfig(serverTlsConfig)
.SetClientTlsConfig(clientTlsConfig)
.Construct();
transports.Add(transport);
var listener = transport.MakeListener(new IPEndPoint(IPAddress.Loopback, EpoxyTransport.DefaultSecurePort));
listener.AddService(new DummyTestService());
await listener.StartAsync();
EpoxyConnection clientConnection = await transport.ConnectToAsync("epoxys://bond-test-server1");
var proxy = new DummyTestProxy <EpoxyConnection>(clientConnection);
await AssertRequestResponseWorksAsync(proxy);
}
public async Task Tls_ServerBadCert_ConnectionFails()
{
var serverTlsConfig = new EpoxyServerTlsConfig(testServerCert, checkCertificateRevocation: false);
var serverTransport =
new EpoxyTransportBuilder().SetServerTlsConfig(serverTlsConfig)
.Construct();
transports.Add(serverTransport);
var listener = serverTransport.MakeListener(new IPEndPoint(IPAddress.Loopback, EpoxyTransport.DefaultSecurePort));
listener.AddService(new DummyTestService());
await listener.StartAsync();
var clientTlsConfig = new EpoxyClientTlsConfig(
checkCertificateRevocation: false,
// Intentionally set this to null so that the client gets an
// invalid certificate. If this test passes on your machine,
// it's probably because you've installed the Bond test root
// certificate as a trusted root. This certificate cannot be
// trusted, so you should uninstall it.
remoteCertificateValidationCallback: null);
var clientTransport = new EpoxyTransportBuilder()
.SetResolver(ResolveEverythingToLocalhost)
.SetClientTlsConfig(clientTlsConfig)
.Construct();
transports.Add(clientTransport);
Assert.Throws <AuthenticationException>(async() => await clientTransport.ConnectToAsync("epoxys://bond-test-server1"));
}
public async Task Tls_MutualNoClientCert_ProxyDoesNotWork()
{
var serverTlsConfig = new EpoxyServerTlsConfig(
testServerCert,
checkCertificateRevocation: false,
clientCertificateRequired: true,
remoteCertificateValidationCallback: EnsureRootedWithTestCertificate
);
var clientTlsConfig = new EpoxyClientTlsConfig(certificate: null,
checkCertificateRevocation: false,
remoteCertificateValidationCallback: EnsureRootedWithTestCertificate);
var transport = new EpoxyTransportBuilder()
.SetResolver(ResolveEverythingToLocalhost)
.SetServerTlsConfig(serverTlsConfig)
.SetClientTlsConfig(clientTlsConfig)
.Construct();
listener = transport.MakeListener(new IPEndPoint(IPAddress.Loopback, EpoxyTransport.DefaultSecurePort));
listener.AddService(new DummyTestService());
await listener.StartAsync();
try
{
// The .NET SslStream implementation currently does not give us
// a way to signal during TLS handshaking that the server is
// rejecting the connection. Instead, we have to RST the
// underlying socket. With Epoxy's current implementation, this
// can't reliably be detected at connection time. So we attempt
// to exercise the connection using a proxy and expect that to fail.
EpoxyConnection clientConnection = await transport.ConnectToAsync("epoxys://bond-test-server1");
var proxy = new DummyTestProxy <EpoxyConnection>(clientConnection);
await AssertRequestResponseWorksAsync(proxy);
}
catch (Exception ex) when(ex is InvalidOperationException || ex is AuthenticationException)
{
// An expected exception type, depending on timing, so pass the
// test.
}
catch (Exception ex)
{
Assert.Fail("Unexpected exception of type {0}: {1}", ex.GetType(), ex);
}
finally
{
await transport.StopAsync();
}
}
static async Task MainAsync(X509Certificate2 serverCertificate)
{
var tlsConfig = new EpoxyServerTlsConfig(serverCertificate);
EpoxyTransport transport = new EpoxyTransportBuilder().SetServerTlsConfig(tlsConfig).Construct();
await StartServiceListenersAsync(transport);
var connection = await transport.ConnectToAsync("epoxys://localhost");
var proxy = new SimpleProxy <EpoxyConnection>(connection);
IMessage <SimpleResult> response = await proxy.SimpleMethodAsync();
PrintResponse(response);
}
