public override bool ValidateServerCertificate(Uri uri, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (_verifyHostname) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { Logger?.Error(null, $"{GetType().Name}: Certificate '{certificate.Subject}' does not match with host name '{uri.Host}'."); return(false); } } var result = !sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors); if (_useMachineCtx || chain.ChainPolicy.RevocationFlag != _revocationScope || chain.ChainPolicy.RevocationMode != _revocationMode) { result = BuildChain(certificate, chain.ChainPolicy.ExtraStore, out var newChain); if (!result) { Logger?.Error(null, $"{GetType().Name}: Certificate '{certificate.Subject}' failed validation. Reason: {CertHelper.ChainStatusToText(newChain.ChainStatus)}"); } } return(result); }
/// <summary> /// Callback to validate a server certificate. /// </summary> /// <remarks> /// The default implementation here allows for self-signed certificate within the intranet and /// the local computer otherwise it fails if the server certificate is not kosher. /// </remarks> bool ServerCertificateValidation( object sender, X509Certificate serverCertificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors == SslPolicyErrors.None) { return(true); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) || sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { // allow self-signed certificates var z = Zone.CreateFromUrl(((WebRequest)sender).RequestUri.ToString()); if (z.SecurityZone == SecurityZone.Intranet || z.SecurityZone == SecurityZone.MyComputer) { return(true); } } return(false); }
private static bool CheckValidationResult(HttpRequestMessage message, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { bool result = true; if (sslPolicyErrors == SslPolicyErrors.None) { return(result); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { result &= _settings.WillIgnoreSSLCertificate.Value; } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { result &= _settings.WillIgnoreSSLHostname.Value; } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { result = false; } return(result); }
public static int[] GetLdapCertProblems(X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, ILog log = null) { var certificateErrors = new List <int>(); try { if (sslPolicyErrors == SslPolicyErrors.None) { return(certificateErrors.ToArray()); } var expDate = DateTime.Parse(certificate.GetExpirationDateString()).ToUniversalTime(); var utcNow = DateTime.UtcNow; if (expDate < utcNow && expDate.AddDays(1) >= utcNow) { certificateErrors.Add((int)LdapCertificateProblem.CertExpired); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { certificateErrors.Add((int)LdapCertificateProblem.CertMalformed); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { if (log != null) { log.WarnFormat("GetLdapCertProblems: {0}", Enum.GetName(typeof(SslPolicyErrors), LdapCertificateProblem.CertCnNoMatch)); } certificateErrors.Add((int)LdapCertificateProblem.CertCnNoMatch); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { if (log != null) { log.WarnFormat("GetLdapCertProblems: {0}", Enum.GetName(typeof(SslPolicyErrors), LdapCertificateProblem.CertCnNoMatch)); } certificateErrors.Add((int)LdapCertificateProblem.CertUntrustedCa); } } catch (Exception ex) { if (log != null) { log.ErrorFormat("GetLdapCertProblems() failed. Error: {0}", ex); } certificateErrors.Add((int)LdapCertificateProblem.CertUnrecognizedError); } return(certificateErrors.ToArray()); }
private static bool IsValidRemoteParty( object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors) { if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable) || errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { return(false); } return(true); //TODO }
static bool ServerCertificateCustomValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors policyErrors) { foreach (var element in chain.ChainElements) { Log.Debug("Element name: {0}", element.Certificate.SubjectName.Name); Log.Debug("Element issuer name: {0}", element.Certificate.Issuer); Log.Debug("Element certificate valid until: {0}", element.Certificate.NotAfter); Log.Debug("Element certificate is valid: {0}", element.Certificate.Verify()); Log.Debug("Element error status length: {0}", element.ChainElementStatus.Length); Log.Debug("Element information: {0}", element.Information); Log.Debug("Number of element extensions: {0}", element.Certificate.Extensions.Count); Log.Debug("Number of ChainElementStatuses: {0}", element.ChainElementStatus.Length); if (element.ChainElementStatus.Length > 0) { for (int index = 0; index < element.ChainElementStatus.Length; index++) { Log.Debug("{0}: {1}", element.ChainElementStatus[index].Status, element.ChainElementStatus[index].StatusInformation); } } Console.WriteLine(Environment.NewLine); } if (policyErrors == SslPolicyErrors.None) { Log.Debug("No TLS Policy Errors."); return(true); } if (policyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { Log.Debug("TLS Policy Chain Errors"); foreach (var status in chain.ChainStatus) { Log.Debug($"Chain Status: {status.StatusInformation}"); } } if (policyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { Log.Debug("TLS Remote Certificate Name Mismatch"); } if (policyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { Log.Debug("TLS Remote Certificate Not Available"); } return(false); }
public static bool ValidationCallback(HttpRequestMessage req, X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors) { if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { return(false); } if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { return(false); } return(new X509Chain() { ChainPolicy = policy }.Build(cert)); }
public override bool ValidateServerCertificate(Uri uri, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { var now = DateTime.Now; if (_verifyHostname) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { Logger?.Error(null, $"{GetType().Name}: Certificate '{certificate.Subject}' does not match with host name '{uri.Host}'."); return(false); } } if (!CertHelper.CheckValidity(certificate, now)) { Logger?.Error(null, $"{GetType().Name}: Certificate '{certificate.Subject}' is not valid at the time of validity check '{now}'."); return(false); } for (var i = chain.ChainElements.Count - 1; i >= 0; i--) { if (CertHelper.FindCertificate(_trustedCertificates, chain.ChainElements[i].Certificate)) { Logger?.Info($"{GetType().Name}: Trusting {uri} with certificate '{certificate.Subject}'."); return(true); } } Logger?.Error(null, $"{GetType().Name}: Unable to locate a certificate for {uri} in provided trusted certificates."); return(false); }
private bool CertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors == SslPolicyErrors.None) { return(true); } logger.LogError( "SMTP Server's certificate {CertificateSubject} issued by {CertificateIssuer} with thumbprint {CertificateThumbprint} and expiration date {CertificateExpirationDate} is considered invalid with {SslPolicyErrors} policy errors", certificate.Subject, certificate.Issuer, certificate.GetCertHashString(), certificate.GetExpirationDateString(), sslPolicyErrors); if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) && chain?.ChainStatus != null) { foreach (var chainStatus in chain.ChainStatus) { logger.LogError("Status: {Status} - {StatusInformation}", chainStatus.Status, chainStatus.StatusInformation); } } return(false); }
public virtual void ValidateHttpEndpoint(Models.Endpoint endpoint, X509Chain?chain, SslPolicyErrors sslPolicyErrors) { if (endpoint.GetHttpIgnoreTlsCerts()) { return; // Everything is OK } chain ??= new X509Chain(); var customCertPem = endpoint.GetHttpCustomTlsCert(); if (!string.IsNullOrWhiteSpace(customCertPem)) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { // Unacceptable errors are present; throw throw GetAppropriateException(false, chain, sslPolicyErrors, false); } foreach (var el in chain.ChainElements) { if (el.ChainElementStatus != null && el.ChainElementStatus.Length > 0) { foreach (var status in el.ChainElementStatus) { if (status.Status == X509ChainStatusFlags.NoError) { continue; } if (status.Status.HasFlag(X509ChainStatusFlags.Cyclic) || status.Status.HasFlag(X509ChainStatusFlags.ExplicitDistrust) || status.Status.HasFlag(X509ChainStatusFlags.NotSignatureValid) || status.Status.HasFlag(X509ChainStatusFlags.Revoked)) { // Unacceptable errors are present; throw throw GetAppropriateException(false, chain, sslPolicyErrors, false); } } } } // Everything looks good so far; load the custom cert var cert = LoadCert(false, customCertPem); foreach (var el in chain.ChainElements) { if (el.Certificate.Thumbprint.Equals(cert.Thumbprint)) { // Got a matching cert; everything is okay return; } } throw GetAppropriateException(false, chain, sslPolicyErrors, true); } else { // Use existing status information if (sslPolicyErrors == SslPolicyErrors.None) { return; // OK } throw GetAppropriateException(false, chain, sslPolicyErrors, false); } }
public override bool ValidateServerCertificate(Uri uri, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { var now = DateTime.Now; if (_verifyHostname) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { Logger?.Error(null, $"{GetType().Name}: Certificate '{certificate.Subject}' does not match with host name '{uri.Host}'."); return(false); } } if (!CertHelper.CheckValidity(certificate, now)) { Logger?.Error(null, $"{GetType().Name}: Certificate '{certificate.Subject}' is not valid at the time of validity check '{now}'."); return(false); } if (CertHelper.FindCertificate(_location, StoreName.TrustedPeople, certificate)) { if (CertHelper.FindCertificate(_location, StoreName.Disallowed, certificate)) { Logger?.Error(null, $"{GetType().Name}: Certificate '{certificate.Subject}' is found in '{_location}\\Disallowed` store."); return(false); } Logger?.Info($"{GetType().Name}: Trusting {uri} with certificate '{certificate.Subject}'."); return(true); } Logger?.Error(null, $"{GetType().Name}: Unable to locate a certificate for {uri} in '{_location}\\TrustedPeople` store."); return(false); }
private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, NetworkConfig clientNetworkConfig) { if (sslPolicyErrors == SslPolicyErrors.None) { return(true); } var validation = true; if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { var isValidateChain = clientNetworkConfig.SslConfig.ValidateCertificateChain; if (isValidateChain) { Logger.Warning("Certificate error:" + sslPolicyErrors); validation = false; } else { Logger.Info("SSL Configured to ignore Certificate chain validation. Ignoring:"); } foreach (var status in chain.ChainStatus) { Logger.Info("Certificate chain status:" + status.StatusInformation); } } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { var isValidateName = clientNetworkConfig.SslConfig.ValidateCertificateName; if (isValidateName) { Logger.Warning("Certificate error:" + sslPolicyErrors); validation = false; } else { Logger.Info("Certificate name mismatched but client is configured to ignore Certificate name validation."); } } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { Logger.Warning("Certificate error:" + sslPolicyErrors); validation = false; } return(validation); }
/// <summary> /// Validates that terminal webservers are using a certificate that was signed /// by the BlockChyp root CA. /// </summary> /// <param name="request">The HTTP request.</param> /// <param name="cert">The server certificate served with the request.</param> /// <param name="chain">The certificate chain served with the request.</param> /// <param name="sslPolicyErrors">SSL verification failures.</param> public static bool ValidateTerminalCertificate( object request, X509Certificate2 cert, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors == SslPolicyErrors.None) { return(true); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { // Terminals should always serve a certificate. return(false); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { // First, ignore that the root CA is unknown. We'll check that // the root of the chain matches our root CA at the end. chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; chain.ChainPolicy.ExtraStore.Add(blockChypRootCertificate.Value); // Validate that the chain can be built. if (!chain.Build(cert) || chain.ChainElements.Count == 0) { return(false); } // Now we know that the chain is valid, so we only have to // prove that the root of the chain is our root CA. if (chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint != blockChypRootCertificate.Value.Thumbprint) { return(false); } } // Terminals on the local network use a static common name. if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { return(cert.GetNameInfo(X509NameType.SimpleName, false) == TerminalCommonName); } return(false); }
static bool ValidateMyCert(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslErr) { bool returnValue = true; if (!splunkAddress.ToLower().StartsWith("https")) { return(true); } if (sslErr.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { myLogger.LogError($"There are errors in the remote certificate chain."); returnValue = false; } if (sslErr.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { myLogger.LogError($"The remote certificate is not available."); returnValue = false; } var caCertCommonName = getEnvironmentVariable("CA_CERT_COMMONNAME", "SplunkServerDefaultCert"); var subjectName = chain.ChainElements[0].Certificate.SubjectName.Name; //subjectName = "O=SplunkUser, CN=SplunkServerDefaultCert" string[] subjectNameParts = subjectName.Split(','); string cn = ""; foreach (var split in subjectNameParts) { if (split.Trim().StartsWith("CN")) { cn = split.Split("=")[1]; } } myLogger.LogTrace($"commonName = {cn}"); if (cn != caCertCommonName) { returnValue = false; } return(returnValue); }
public virtual void ValidateLdap(X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (_settingsService.Ldap_SslIgnoreValidity) { return; // Everything is OK } if (!string.IsNullOrWhiteSpace(_settingsService.Ldap_SslValidCert)) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { // Unacceptable errors are present; throw throw GetAppropriateException(true, chain, sslPolicyErrors, false); } foreach (var el in chain.ChainElements) { if (el.ChainElementStatus != null && el.ChainElementStatus.Length > 0) { foreach (var status in el.ChainElementStatus) { if (status.Status == X509ChainStatusFlags.NoError) { continue; } if (status.Status.HasFlag(X509ChainStatusFlags.Cyclic) || status.Status.HasFlag(X509ChainStatusFlags.ExplicitDistrust) || status.Status.HasFlag(X509ChainStatusFlags.NotSignatureValid) || status.Status.HasFlag(X509ChainStatusFlags.Revoked)) { // Unacceptable errors are present; throw throw GetAppropriateException(true, chain, sslPolicyErrors, false); } } } } // Everything looks good so far; load the custom cert var cert = LoadCert(true, _settingsService.Ldap_SslValidCert); foreach (var el in chain.ChainElements) { if (el.Certificate.Thumbprint.Equals(cert.Thumbprint)) { // Got a matching cert; everything is okay return; } } throw GetAppropriateException(true, chain, sslPolicyErrors, true); } else { // Use existing status information if (sslPolicyErrors == SslPolicyErrors.None) { return; // OK } throw GetAppropriateException(true, chain, sslPolicyErrors, false); } }
/// <summary> /// (internal for tests only) /// Validates a certificate. /// </summary> internal bool ValidateCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors policyErrors) { if (policyErrors == SslPolicyErrors.None) { return(true); } var validation = true; if (policyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { if (_options.ValidateCertificateChain) { _logger.LogWarning($"SSL certificate error: {policyErrors} (chain status: " + $" {string.Join(", ", chain.ChainStatus.Select(x => x.StatusInformation))})."); validation = false; } else { _logger.LogInformation("SSL certificate errors (chain validation) ignored by client configuration."); } } if (policyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { if (_options.ValidateCertificateName) { _logger.LogWarning($"SSL certificate error: {policyErrors}."); validation = false; } else { _logger.LogInformation("SSL certificate errors (name validation) ignored by client configuration."); } } if (policyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { _logger.LogWarning($"SSL certificate error: {policyErrors}."); validation = false; } return(validation); }
private bool ValidateCertificate(object s, X509Certificate cert, X509Chain chain, SslPolicyErrors error) { if (error.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch) || error.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { // This is for local deployments. DevFabric generates its own certificate for load-balancing / port forwarding. const string AzureDevFabricCertificateSubject = "CN=127.0.0.1, O=TESTING ONLY, OU=Windows Azure DevFabric"; if (cert.Subject == AzureDevFabricCertificateSubject) { return(true); } var cert2 = new X509Certificate2(cert); if (this._trustedRestSubject == cert2.Subject && cert2.Thumbprint == this._trustedRestCertificateHash) { return(true); } } return(error == SslPolicyErrors.None); }
private Exception GetAppropriateException(bool ldap, X509Chain chain, SslPolicyErrors sslPolicyErrors, bool customCertMismatch) { var stb = new StringBuilder(); if (customCertMismatch) { stb.Append("\r\n✯ The certificate chain does not contain the custom certificate:"); foreach (var el in chain.ChainElements) { stb.Append($"\r\n → Subject=\"{el.Certificate.Subject}\" (Thumbprint={el.Certificate.Thumbprint}) "); } } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { stb.Append("\r\n✯ The certificate name is mismatched"); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { stb.Append("\r\n✯ The certificate is unavailable"); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) && !customCertMismatch) { stb.Append("\r\n✯ The certificate chain has errors:"); foreach (var el in chain.ChainElements) { stb.Append($"\r\n → Subject=\"{el.Certificate.Subject}\" (Thumbprint={el.Certificate.Thumbprint}) "); if (el.ChainElementStatus == null || el.ChainElementStatus.Length == 0) { stb.Append("[OK]"); } else { foreach (var status in el.ChainElementStatus) { stb.Append($"[{status.StatusInformation.Trim()}]"); } } } } return(SslException.CreateException(ldap, stb.ToString().Trim())); }
private bool ServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslpolicyerrors ) { if (sslpolicyerrors.HasFlag(SslPolicyErrors.None)) { return(true); } if ( sslpolicyerrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch) && sslpolicyerrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable) && allowSelfSigned) { return(true); } return(false); }
private bool CertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (!(IPAddress.IsLoopback(IpAddress))) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch) || certificate.GetCertHashString() != CertificateHash) { return(false); } } return(true); }
public static bool ValidateClient(object sender, X509Certificate remoteCertificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { // If we are not requiring a client certificate remote certificate will be null if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable) && _clientCertRequired) { Console.WriteLine("Client Certificate Was Not Provided"); return(false); } Console.WriteLine($"SSL Policy Errors: {sslPolicyErrors}"); return(true); }
private bool ValidateServerCertificate(object sender, X509Certificate?certificate, X509Chain?chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors == SslPolicyErrors.None) { return(true); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { return(false); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch) && _verifyCertificateName) { return(false); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) && _verifyCertificateAuthority) { if (_trustedCertificateAuthority is null || chain is null || certificate is null) { return(false); } chain.ChainPolicy.ExtraStore.Add(_trustedCertificateAuthority); _ = chain.Build((X509Certificate2)certificate); for (var i = 0; i < chain.ChainElements.Count; i++) { if (chain.ChainElements[i].Certificate.Thumbprint == _trustedCertificateAuthority.Thumbprint) { return(true); } } return(false); } return(true); }
static bool CustomSSLCertificateValidation(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error) { #if DEBUG //IMPORTANT - This should not be used in production code. //The purpose of this is to allow the use of a mismatching SSL certificate, //which is not expected to be required in third party or production. //This setting may create a "Man in the Middle" vulnerability. return(false == error.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)); #else //This is the safe version of the above code. return(error == SslPolicyErrors.None); #endif }
public override bool ValidateServerCertificate(Uri uri, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (_verifyHostname) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { Logger?.Error(null, $"{GetType().Name}: Certificate '{certificate.Subject}' does not match with host name '{uri.Host}'."); return(false); } } Logger?.Info($"{GetType().Name}: Trusting {uri} with provided certificate '{certificate.Subject}'."); return(true); }
/// <summary> /// Called by the US.OpenServer.Server and the US.OpenServer.Client.Client /// to verify the remote Secure Sockets Layer (SSL) certificate used for /// authentication. /// </summary> /// <param name="sender">An object that contains state information for this validation.</param> /// <param name="certificate">The certificate used to authenticate the remote party.</param> /// <param name="chain">The chain of certificate authorities associated with the remote certificate.</param> /// <param name="sslPolicyErrors">One or more errors associated with the remote certificate.</param> /// <returns>True if the specified certificate is accepted for authentication, otherwise False.</returns> public bool TlsCertificateValidationCallback( object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { Log(Level.Error, "[TLS] Remote certificate name mismatch."); return(false); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { if (TlsConfiguration.RequireRemoteCertificate) { Log(Level.Error, "[TLS] Remote certificate not available."); return(false); } else { Log(Level.Debug, "[TLS] Remote certificate not available."); } } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { if (!TlsConfiguration.AllowCertificateChainErrors) { Log(Level.Error, "[TLS] Remote certificate contains chain errors."); return(false); } else { Log(Level.Debug, "[TLS] Remote certificate contains chain errors."); } } Log(Level.Info, "[TLS] Certificate validated."); return(true); }
private bool ServerCheckValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors == SslPolicyErrors.None) { return(true); } if (settings.SslMode == MySqlSslMode.Preferred || settings.SslMode == MySqlSslMode.Required) { //Tolerate all certificate errors. return(true); } if ((settings.SslMode == MySqlSslMode.VerifyCA || settings.SslMode == MySqlSslMode.VerifyFull) && settings.CACertificateFile != null) { var result = chain.ChainStatus.Length == 1 && chain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot && chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint.Equals(new X509Certificate2(settings.CACertificateFile).Thumbprint); if (settings.SslMode == MySqlSslMode.VerifyCA) { return(result && !sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)); } if (settings.SslMode == MySqlSslMode.VerifyFull) { return(result && !sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch) && !sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)); } } return(false); }
private bool ValidateCertificateHttpHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (_cancellationToken.IsCancellationRequested) { return(false); } IsVerified = sslPolicyErrors == SslPolicyErrors.None; if (IsVerified) { return(true); } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { Log.WriteLine(LogVerbosity.Minimal, MessageCategory.Error, Resources.Error_NoBrokerCertificate); _console.WriteError(Resources.Error_NoBrokerCertificate.FormatInvariant(Name)); return(false); } lock (_verificationLock) { if (ConnectionInfo.IsUrlBased && ConnectionInfo.Uri.IsLoopback) { return(true); } if (_certificateValidationResult.HasValue) { return(_certificateValidationResult.Value); } Log.Write(LogVerbosity.Minimal, MessageCategory.General, Resources.Trace_SSLPolicyErrors.FormatInvariant(sslPolicyErrors)); var hashString = GetCertHashString(certificate.GetCertHash()); if (_certificateHash == null || !_certificateHash.EqualsOrdinal(hashString)) { Log.Write(LogVerbosity.Minimal, MessageCategory.Warning, Resources.Trace_UntrustedCertificate.FormatInvariant(certificate.Subject)); var message = Resources.CertificateSecurityWarning.FormatInvariant(ConnectionInfo.Uri.Host); _certificateValidationResult = _services.Security().ValidateX509Certificate(certificate, message); if (_certificateValidationResult.Value) { _certificateHash = hashString; } } return(_certificateValidationResult ?? false); } }
private bool ValidateCertificateHttpHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (_cancellationToken.IsCancellationRequested) { return false; } IsVerified = sslPolicyErrors == SslPolicyErrors.None; if (IsVerified) { return true; } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { Log.WriteAsync(LogVerbosity.Minimal, MessageCategory.Error, Resources.Error_NoBrokerCertificate).DoNotWait(); _console.Write(Resources.Error_NoBrokerCertificate.FormatInvariant(Name)); return false; } if (_services.MainThread.ThreadId == Thread.CurrentThread.ManagedThreadId) { // Prevent potential deadlock if handler enters on background thread, then re-enters on main thread // before ValidateX509CertificateAsync is able to transition to the UI thread. // At worst the connection fails return _certificateValidationResult.HasValue ? _certificateValidationResult.Value : false; } lock (_verificationLock) { if (_certificateValidationResult.HasValue) { return _certificateValidationResult.Value; } var hashString = certificate.GetCertHashString(); if (_certificateHash == null || !_certificateHash.EqualsOrdinal(hashString)) { Log.WriteAsync(LogVerbosity.Minimal, MessageCategory.Warning, Resources.Trace_UntrustedCertificate.FormatInvariant(certificate.Subject)).DoNotWait(); var message = Resources.CertificateSecurityWarning.FormatInvariant(Uri.Host); var task = _services.Security.ValidateX509CertificateAsync(certificate, message, _cancellationToken); _services.Tasks.Wait(task, _cancellationToken); _certificateValidationResult = task.Result; if (_certificateValidationResult.Value) { _certificateHash = hashString; } } return _certificateValidationResult.HasValue ? _certificateValidationResult.Value : false; } }
private bool ValidateCertificateHttpHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { IsVerified = sslPolicyErrors == SslPolicyErrors.None; if (!IsVerified) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { Log.WriteAsync(LogVerbosity.Minimal, MessageCategory.Error, Resources.Error_NoBrokerCertificate); _console.Write(Resources.Error_NoBrokerCertificate); } else { Log.WriteAsync(LogVerbosity.Minimal, MessageCategory.Warning, Resources.Trace_UntrustedCertificate.FormatInvariant(certificate.Subject)).DoNotWait(); var message = Resources.CertificateSecurityWarning.FormatInvariant(Uri.Host); return(_services.Security.ValidateX509CertificateAsync(certificate, message).GetAwaiter().GetResult()); } } return(IsVerified); }
/// <summary> /// SSl Cert Validation Callback /// </summary> /// <param name="requestMessage">Http request message.</param> /// <param name="caCert">Server certificate.</param> /// <param name="clientCertificate">Client certificate</param> /// <param name="chain">Chain</param> /// <param name="sslPolicyErrors">SSL policy errors</param> /// <returns>true if valid cert</returns> internal bool CertificateValidationCallBack( #pragma warning disable CA1801 // Unused by design HttpRequestMessage requestMessage, #pragma warning restore CA1801 // Restore the warning X509Certificate2 caCert, X509Certificate2 clientCertificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { // If the certificate is a valid, signed certificate, return true. if (sslPolicyErrors == SslPolicyErrors.None) { _logger.LogTrace("This is a valid signed certificate."); return(true); } _logger.LogTrace("Not a authority signed certificate."); _logger.LogTrace("Server Cert RAW: {0}{1}", Environment.NewLine, Convert.ToBase64String(caCert.RawData)); // When there is Remote Certificate Chain Error, verify the chain relation between the client and server certificates. if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { _logger.LogTrace("Building certificate chain."); chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // add all your extra certificate chain chain.ChainPolicy.ExtraStore.Add(caCert); chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; _logger.LogTrace("Client Cert RAW: {0}{1}", Environment.NewLine, Convert.ToBase64String(clientCertificate.RawData)); bool isValid = chain.Build(clientCertificate); _logger.LogTrace("Is Chain successfully built: {0}", isValid); return(isValid); } // In all other cases, return false. _logger.LogError("SSL Certificate validation failed."); return(false); }
private bool MqttClient_CertificateValidationCallback(X509Certificate arg1, X509Chain arg2, SslPolicyErrors arg3, IMqttClientOptions arg4) { try { if (arg3 == SslPolicyErrors.None) { return(true); } if (arg3.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { arg2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; arg2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; arg2.ChainPolicy.ExtraStore.Add(_serverRootCa); arg2.Build((X509Certificate2)_serverRootCa); var res = arg2.ChainElements.Cast <X509ChainElement>().Any(a => a.Certificate.Thumbprint == _serverRootCa.Thumbprint); return(res); } } catch { } return(false); }
/// <summary> /// Called by the US.OpenServer.Server and the US.OpenServer.Client.Client /// to verify the remote Secure Sockets Layer (SSL) certificate used for /// authentication. /// </summary> /// <param name="sender">An object that contains state information for this validation.</param> /// <param name="certificate">The certificate used to authenticate the remote party.</param> /// <param name="chain">The chain of certificate authorities associated with the remote certificate.</param> /// <param name="sslPolicyErrors">One or more errors associated with the remote certificate.</param> /// <returns>True if the specified certificate is accepted for authentication, otherwise False.</returns> public bool TlsCertificateValidationCallback( object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { Log(Level.Error, "[TLS] Remote certificate name mismatch."); return false; } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { if (TlsConfiguration.RequireRemoteCertificate) { Log(Level.Error, "[TLS] Remote certificate not available."); return false; } else { Log(Level.Debug, "[TLS] Remote certificate not available."); } } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { if (!TlsConfiguration.AllowCertificateChainErrors) { Log(Level.Error, "[TLS] Remote certificate contains chain errors."); return false; } else { Log(Level.Debug, "[TLS] Remote certificate contains chain errors."); } } Log(Level.Info, "[TLS] Certificate validated."); return true; }
private bool CheckServerCertificate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors) { var serverName = (sender is string) ? sender : ((WebRequest)sender).RequestUri.Host; _strategy.LogAction("verifying the server certificate for requested server '{0}'", serverName); if (sslPolicyErrors != SslPolicyErrors.None) { var reasons = new List<string>(); if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) reasons.Add("the certificate was not returned"); if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) reasons.Add(string.Format("the certificate name ({0}) does not match the requested server name", cert.Subject)); if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { reasons.Add(string.Format("the certificate chain has errors ({0})", string.Join("; ", chain.ChainStatus.Select(x => x.StatusInformation)))); } _strategy.LogStatus("The server is not trusted: {0}.", string.Join("; ", reasons)); return false; } _strategy.LogAction("verifying that actual server '{0}' was trusted", cert.Subject); var m = Regex.Match(cert.Subject, "O=(?'orgid'[^,]+)"); if (!m.Success) { _strategy.LogStatus("could not find the organization ID in the certificate subject"); return false; } var g = m.Groups["orgid"]; if (g == null) { _strategy.LogStatus("could not find the organization ID in the certificate subject (regex said it was there but didn't return it)"); return false; } var orgId = g.Value; /* TODO if (!_info.TrustedOrgIds.Contains(orgId)) { _environment.LogStatus("organization '{0}' is not trusted", orgId); return false; } */ _strategy.LogStatus("the server is trusted."); return true; }
bool ValidateCertificate(object sender, X509Certificate clientCertificate, X509Chain chain, SslPolicyErrors sslpolicyerrors) { if (sslpolicyerrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) return false; return options.ClientCertificateValidator(new X509Certificate2(clientCertificate)) == CertificateValidationResult.Valid; }
private bool ValidateCertificate(object s, X509Certificate cert, X509Chain chain, SslPolicyErrors error) { if (error.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch) || error.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { // This is for local deployments. DevFabric generates its own certificate for load-balancing / port forwarding. const string AzureDevFabricCertificateSubject = "CN=127.0.0.1, O=TESTING ONLY, OU=Windows Azure DevFabric"; if (cert.Subject == AzureDevFabricCertificateSubject) { return true; } var cert2 = new X509Certificate2(cert); if (this._trustedRestSubject == cert2.Subject && cert2.Thumbprint == this._trustedRestCertificateHash) { return true; } } return error == SslPolicyErrors.None; }
private bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, ClientNetworkConfig clientNetworkConfig) { if (sslPolicyErrors == SslPolicyErrors.None) { return true; } var validation = true; if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors)) { var isValidateChain = clientNetworkConfig.GetSSLConfig().IsValidateCertificateChain(); if (isValidateChain) { Logger.Warning("Certificate error:" + sslPolicyErrors); validation = false; } else { Logger.Info("SSL Configured to ignore Certificate chain validation. Ignoring:"); } foreach (var status in chain.ChainStatus) { Logger.Info("Certificate chain status:" + status.StatusInformation); } } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch)) { var isValidateName = clientNetworkConfig.GetSSLConfig().IsValidateCertificateName(); if (isValidateName) { Logger.Warning("Certificate error:" + sslPolicyErrors); validation = false; } else { Logger.Info("Certificate name mismatched but client is configured to ignore Certificate name validation."); } } if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable)) { Logger.Warning("Certificate error:" + sslPolicyErrors); validation = false; } return validation; }