public async Task SslStream_ServerEKUClientAuth_Fails()
{
var serverOptions = new HttpsTestServer.Options();
serverOptions.ServerCertificate = serverCertificateServerEku;
serverOptions.RequireClientAuthentication = true;
using (var server = new HttpsTestServer(serverOptions))
{
server.Start();
var clientOptions = new HttpsTestClient.Options(new IPEndPoint(IPAddress.Loopback, server.Port));
clientOptions.ServerName = serverOptions.ServerCertificate.GetNameInfo(X509NameType.SimpleName, false);
clientOptions.ClientCertificate = clientCertificateWrongEku;
var client = new HttpsTestClient(clientOptions);
var tasks = new Task[2];
tasks[0] = server.AcceptHttpsClientAsync();
tasks[1] = client.HttpsRequestAsync();
await Assert.ThrowsAsync <AuthenticationException>(() => tasks[0]);
if (OperatingSystem.IsWindows())
{
// IOException is thrown when trying to read from a disconnected socket.
await Assert.ThrowsAsync <IOException>(() => tasks[1]);
}
else
{
// Zero bytes read by client on disconnected socket.
await Assert.ThrowsAsync <InvalidOperationException>(() => tasks[1]);
}
}
}
public async Task SslStream_SelfSignedClientEKUClientAuth_Ok()
{
var serverOptions = new HttpsTestServer.Options();
serverOptions.ServerCertificate = serverCertificateServerEku;
serverOptions.RequireClientAuthentication = true;
serverOptions.IgnoreSslPolicyErrors = SslPolicyErrors.RemoteCertificateChainErrors;
using (var server = new HttpsTestServer(serverOptions))
{
server.Start();
var clientOptions = new HttpsTestClient.Options(new IPEndPoint(IPAddress.Loopback, server.Port));
clientOptions.ServerName = serverOptions.ServerCertificate.GetNameInfo(X509NameType.SimpleName, false);
clientOptions.ClientCertificate = Configuration.Certificates.GetSelfSignedClientCertificate();
var client = new HttpsTestClient(clientOptions);
var tasks = new Task[2];
tasks[0] = server.AcceptHttpsClientAsync();
tasks[1] = client.HttpsRequestAsync();
await Task.WhenAll(tasks).WaitAsync(TimeSpan.FromMilliseconds(TestTimeoutMilliseconds));
}
}
public async Task HttpClient_ServerEKUClientAuth_Fails()
{
var options = new HttpsTestServer.Options();
options.ServerCertificate = serverCertificateServerEku;
options.RequireClientAuthentication = true;
using (var server = new HttpsTestServer(options))
using (HttpClientHandler handler = CreateHttpClientHandler())
using (HttpClient client = CreateHttpClient(handler))
{
server.Start();
var tasks = new Task[2];
tasks[0] = server.AcceptHttpsClientAsync();
string requestUriString = GetUriStringAndConfigureHandler(options, server, handler);
handler.ClientCertificates.Add(clientCertificateWrongEku);
tasks[1] = client.GetStringAsync(requestUriString);
// Server aborts the TCP channel.
await Assert.ThrowsAsync <HttpRequestException>(() => tasks[1]);
await Assert.ThrowsAsync <AuthenticationException>(() => tasks[0]);
}
}
private string GetUriStringAndConfigureHandler(HttpsTestServer.Options options, HttpsTestServer server, HttpClientHandler handler)
{
if (Capability.AreHostsFileNamesInstalled())
{
string hostName =
(new UriBuilder("https", options.ServerCertificate.GetNameInfo(X509NameType.SimpleName, false), server.Port)).ToString();
Console.WriteLine("[E2E testing] - Using hostname {0}", hostName);
return(hostName);
}
else
{
handler.ServerCertificateCustomValidationCallback = AllowRemoteCertificateNameMismatch;
return("https://localhost:" + server.Port.ToString());
}
}
public async Task HttpClient_ClientEKUServerAuth_Fails()
{
var options = new HttpsTestServer.Options();
options.ServerCertificate = serverCertificateWrongEku;
using (var server = new HttpsTestServer(options))
using (HttpClientHandler handler = CreateHttpClientHandler())
using (HttpClient client = CreateHttpClient(handler))
{
server.Start();
var tasks = new Task[2];
tasks[0] = server.AcceptHttpsClientAsync();
string requestUriString = GetUriStringAndConfigureHandler(options, server, handler);
tasks[1] = client.GetStringAsync(requestUriString);
await Assert.ThrowsAsync <HttpRequestException>(() => tasks[1]);
}
}
public async Task HttpClient_NoEKUServerAuth_Ok()
{
var options = new HttpsTestServer.Options();
options.ServerCertificate = serverCertificateNoEku;
using (var server = new HttpsTestServer(options))
using (HttpClientHandler handler = CreateHttpClientHandler())
using (HttpClient client = CreateHttpClient(handler))
{
server.Start();
var tasks = new Task[2];
tasks[0] = server.AcceptHttpsClientAsync();
string requestUriString = GetUriStringAndConfigureHandler(options, server, handler);
tasks[1] = client.GetStringAsync(requestUriString);
await tasks.WhenAllOrAnyFailed(TestTimeoutMilliseconds);
}
}
public async Task SslStream_ClientEKUServerAuth_Fails()
{
var serverOptions = new HttpsTestServer.Options();
serverOptions.ServerCertificate = serverCertificateWrongEku;
using (var server = new HttpsTestServer(serverOptions))
{
server.Start();
var clientOptions = new HttpsTestClient.Options(new IPEndPoint(IPAddress.Loopback, server.Port));
clientOptions.ServerName = serverOptions.ServerCertificate.GetNameInfo(X509NameType.SimpleName, false);
var client = new HttpsTestClient(clientOptions);
var tasks = new Task[2];
tasks[0] = server.AcceptHttpsClientAsync();
tasks[1] = client.HttpsRequestAsync();
var exception = await Assert.ThrowsAsync <AuthenticationException>(() => tasks[1]);
}
}
public async Task SslStream_NoEKUServerAuth_Ok()
{
var serverOptions = new HttpsTestServer.Options();
serverOptions.ServerCertificate = serverCertificateNoEku;
using (var server = new HttpsTestServer(serverOptions))
{
server.Start();
var clientOptions = new HttpsTestClient.Options(new IPEndPoint(IPAddress.Loopback, server.Port));
clientOptions.ServerName = serverOptions.ServerCertificate.GetNameInfo(X509NameType.SimpleName, false);
var client = new HttpsTestClient(clientOptions);
var tasks = new Task[2];
tasks[0] = server.AcceptHttpsClientAsync();
tasks[1] = client.HttpsRequestAsync();
await Task.WhenAll(tasks).WaitAsync(TimeSpan.FromMilliseconds(TestTimeoutMilliseconds));
}
}
public async Task HttpClient_NoEKUClientAuth_Ok()
{
var options = new HttpsTestServer.Options();
options.ServerCertificate = serverCertificateServerEku;
options.RequireClientAuthentication = true;
using (var server = new HttpsTestServer(options))
using (var handler = new HttpClientHandler())
using (var client = new HttpClient(handler))
{
server.Start();
var tasks = new Task[2];
tasks[0] = server.AcceptHttpsClientAsync();
string requestUriString = GetUriStringAndConfigureHandler(options, server, handler);
handler.ClientCertificates.Add(clientCertificateNoEku);
tasks[1] = client.GetStringAsync(requestUriString);
await Task.WhenAll(tasks).TimeoutAfter(TestTimeoutMilliseconds);
}
}
public async Task HttpClient_ClientUsesAuxRecord_Ok()
{
var options = new HttpsTestServer.Options();
options.AllowedProtocols = SslProtocols.Tls;
using (var server = new HttpsTestServer(options))
using (HttpClientHandler handler = CreateHttpClientHandler())
using (HttpClient client = CreateHttpClient(handler))
{
handler.ServerCertificateCustomValidationCallback = TestHelper.AllowAllCertificates;
server.Start();
var tasks = new Task[2];
bool serverAuxRecordDetected = false;
bool serverAuxRecordDetectedInconclusive = false;
int serverTotalBytesReceived = 0;
int serverChunks = 0;
tasks[0] = server.AcceptHttpsClientAsync((requestString) =>
{
serverTotalBytesReceived += requestString.Length;
if (serverTotalBytesReceived == 1 && serverChunks == 0)
{
serverAuxRecordDetected = true;
}
serverChunks++;
// Test is inconclusive if any non-CBC cipher is used:
if (server.Stream.CipherAlgorithm == CipherAlgorithmType.None ||
server.Stream.CipherAlgorithm == CipherAlgorithmType.Null ||
server.Stream.CipherAlgorithm == CipherAlgorithmType.Rc4)
{
serverAuxRecordDetectedInconclusive = true;
}
if (serverTotalBytesReceived < 5)
{
return(Task.FromResult <string>(null));
}
else
{
return(Task.FromResult(HttpsTestServer.Options.DefaultResponseString));
}
});
string requestUriString = "https://localhost:" + server.Port.ToString();
tasks[1] = client.GetStringAsync(requestUriString);
await tasks.WhenAllOrAnyFailed(15 * 1000);
if (serverAuxRecordDetectedInconclusive)
{
_output.WriteLine("Test inconclusive: The Operating system preferred a non-CBC or Null cipher.");
}
else
{
Assert.True(serverAuxRecordDetected, "Server reports: Client auxiliary record not detected.");
}
}
}
