// Round-trip test: connect over TLS with a client certificate to a server
// started from "tls_verify.conf", then publish and receive one message on "foo".
// The test passes when the whole exchange completes without throwing; the
// received message itself is not inspected.
public void TestTlsSuccessWithCert()
{
    using (NATSServer server = NATSServer.CreateWithConfig(Context.Server1.Port, "tls_verify.conf"))
    {
        Options options = Context.GetTestOptions(Context.Server1.Port);
        options.Secure = true;

        // The server certificate is self signed, so validation is delegated to
        // the test-only callback instead of the machine trust store.
        options.TLSRemoteCertificationValidationCallback = verifyServerCert;

        // .NET needs the private key and the certificate in a single file.
        // 'client.pfx' was produced with:
        //
        //   openssl pkcs12 -export -out client.pfx
        //      -inkey client-key.pem -in client-cert.pem
        //
        // The hard-coded export password belongs to this test fixture only;
        // real key material should not be protected or loaded this way.
        string pfxPath = UnitTestUtilities.GetFullCertificatePath("client.pfx");
        X509Certificate2 clientCert = new X509Certificate2(pfxPath, "password");
        options.AddCertificate(clientCert);

        using (IConnection connection = Context.ConnectionFactory.CreateConnection(options))
        using (ISyncSubscription subscription = connection.SubscribeSync("foo"))
        {
            connection.Publish("foo", null);
            connection.Flush();

            // Only the successful receive matters; the payload is discarded.
            subscription.NextMessage();
        }
    }
}
// Test-only server certificate check that works around the self signed test
// certificate. Rather than asking whoever runs the tests to install the self
// signed CA, the certificate presented by the server is compared with the
// 'server-cert.pem' fixture that the test server is expected to return.
//
// Reaching this callback means the TLS handshake is being performed by the
// client.
//
// NOTE(review): a match here overrides whatever policy errors the platform
// reported. Outside NET452 the comparison looks at the issuer name only, so
// any certificate carrying the same issuer string is accepted. That is
// tolerable against a local test server and must not be reused as a
// validation callback in production code.
private bool verifyServerCert(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // Platform validation already succeeded; nothing to override.
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;
    }

    X509Certificate expected = new X509Certificate(
        UnitTestUtilities.GetFullCertificatePath("server-cert.pem"));

    // UNSAFE hack for testing purposes.
#if NET452
    // Compares the complete raw certificate data of both certificates.
    bool matches = expected.GetRawCertDataString().Equals(certificate.GetRawCertDataString());
#else
    // Weaker check: only the issuer names are compared.
    bool matches = expected.Issuer.Equals(certificate.Issuer);
#endif

    return matches;
}
// Expects the connection attempt to a server started from "tls_verify.conf"
// to raise a NATSException.
//
// NOTE(review): two failure causes are configured at once - the validation
// callback (verifyCertAlwaysFail, defined outside this listing and presumably
// rejecting every server certificate) and a client certificate without its
// private key. The assertion does not tell which of them was hit.
public void TestTlsFailWithInvalidServerCert()
{
    using (NATSServer server = NATSServer.CreateWithConfig(Context.Server1.Port, "tls_verify.conf"))
    {
        Options options = Context.GetTestOptions(Context.Server1.Port);
        options.Secure = true;
        options.TLSRemoteCertificationValidationCallback = verifyCertAlwaysFail;

        // This will fail because the certificate is incomplete: the PEM file
        // does not carry the private key.
        string certPath = UnitTestUtilities.GetFullCertificatePath("client-cert.pem");
        options.AddCertificate(certPath);

        Assert.ThrowsAny<NATSException>(
            () => Context.ConnectionFactory.CreateConnection(options));
    }
}
// Expects the connection attempt to a server started from "tls_user.conf" to
// raise a NATSException when the URL carries user credentials (shown masked
// in this listing).
//
// NOTE(review): the client certificate is also loaded without its private
// key, so the NATSException may come from the TLS setup rather than from the
// server rejecting the credentials. The assertion does not distinguish the
// two cases.
public void TestTlsFailWithBadAuth()
{
    using (NATSServer server = NATSServer.CreateWithConfig(Context.Server1.Port, "tls_user.conf"))
    {
        Options options = Context.GetTestOptions(Context.Server1.Port);
        options.Secure = true;
        options.Url = $"nats://*****:*****@localhost:{Context.Server1.Port}";
        options.TLSRemoteCertificationValidationCallback = verifyServerCert;

        // This will fail because the certificate is incomplete: the PEM file
        // does not carry the private key.
        string certPath = UnitTestUtilities.GetFullCertificatePath("client-cert.pem");
        options.AddCertificate(certPath);

        Assert.ThrowsAny<NATSException>(
            () => Context.ConnectionFactory.CreateConnection(options));
    }
}
// Expects the connection attempt to a server started from
// "tls_1222_user.conf" to raise a NATSException when the URL carries user
// credentials (shown masked in this listing).
//
// NOTE(review): the client certificate is also loaded without its private
// key, so the NATSException may come from the TLS setup rather than from the
// server rejecting the credentials. The assertion does not distinguish the
// two cases.
public void TestTlsFailWithBadAuth()
{
    using (NATSServer server = util.CreateServerWithConfig("tls_1222_user.conf"))
    {
        Options options = util.DefaultTestOptions;
        options.Secure = true;
        options.Url = "nats://*****:*****@localhost:1222";
        options.TLSRemoteCertificationValidationCallback = verifyServerCert;

        // This will fail because the certificate is incomplete: the PEM file
        // does not carry the private key.
        string certPath = UnitTestUtilities.GetFullCertificatePath("client-cert.pem");
        options.AddCertificate(certPath);

        Assert.ThrowsAny<NATSException>(
            () => new ConnectionFactory().CreateConnection(options));
    }
}