protected void InitializeClientContext( X509List certificates, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { // Initialize the context with specified TLS version sslContext = new SslContext(SslMethod.TLSv12_client_method, ConnectionEnd.Client, new[] { Protocols.Http2, Protocols.Http1 }); var options = sslContext.Options; // Remove support for protocols not specified in the enabledSslProtocols if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2)) { options |= SslOptions.SSL_OP_NO_SSLv2; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3)) { options |= SslOptions.SSL_OP_NO_SSLv3; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls)) { options |= SslOptions.SSL_OP_NO_TLSv1; } sslContext.Options = options; // Set the Local certificate selection callback sslContext.SetClientCertCallback(OnClientCertificate); // Set the enabled cipher list sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength)); // Set the callbacks for remote cert verification and local cert selection if (OnRemoteCertificate != null) { sslContext.SetVerify( VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OnRemoteCertificate); } // Set the CA list into the store if (caCertificates != null) { var store = new X509Store(caCertificates); sslContext.SetCertificateStore(store); } // Set up the read/write bio's read_bio = BIO.MemoryBuffer(false); write_bio = BIO.MemoryBuffer(false); ssl = new Ssl(sslContext); sniCb = sniExt.ClientSniCb; sniExt.AttachSniExtensionClient(ssl.Handle, sslContext.Handle, sniCb); ssl.SetBIO(read_bio, write_bio); read_bio.SetClose(BIO.CloseOption.Close); write_bio.SetClose(BIO.CloseOption.Close); // Set the Ssl object into Client mode ssl.SetConnectState(); }
private void InitializeServerContext( X509Certificate serverCertificate, bool clientCertificateRequired, X509Chain caCerts, SslProtocols enabledSslProtocols, SslStrength sslStrength, bool checkCertificateRevocation) { if (serverCertificate == null) { throw new ArgumentNullException("serverCertificate", "Server certificate cannot be null"); } if (!serverCertificate.HasPrivateKey) { throw new ArgumentException("Server certificate must have a private key", "serverCertificate"); } // Initialize the context with specified TLS version sslContext = new SslContext(SslMethod.TLSv12_server_method, ConnectionEnd.Server, new[] { Protocols.Http2, Protocols.Http1 }); var options = sslContext.Options; // Remove support for protocols not specified in the enabledSslProtocols if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl2)) { options |= SslOptions.SSL_OP_NO_SSLv2; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Ssl3)) { options |= SslOptions.SSL_OP_NO_SSLv3; } if (!EnumExtensions.HasFlag(enabledSslProtocols, SslProtocols.Tls)) { options |= SslOptions.SSL_OP_NO_TLSv1; } // Set the workaround options sslContext.Options = options | SslOptions.SSL_OP_ALL; // Set the context mode sslContext.Mode = SslMode.SSL_MODE_AUTO_RETRY; // Set the client certificate verification callback if we are requiring client certs if (clientCertificateRequired) { sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER | VerifyMode.SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OnRemoteCertificate); } else { sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); } // Set the client certificate max verification depth sslContext.SetVerifyDepth(10); // Set the certificate store and ca list if (caCerts != null) { // Don't take ownership of the X509Store IntPtr. When we // SetCertificateStore, the context takes ownership of the store pointer. sslContext.SetCertificateStore(new X509Store(caCerts, false)); var name_stack = new Core.Stack <X509Name>(); foreach (var cert in caCerts) { var subject = cert.Subject; name_stack.Add(subject); } // Assign the stack to the context sslContext.CAList = name_stack; } // Set the cipher string sslContext.SetCipherList(SslCipher.MakeString(enabledSslProtocols, sslStrength)); // Set the certificate sslContext.UseCertificate(serverCertificate); // Set the private key sslContext.UsePrivateKey(serverCertificate.PrivateKey); // Set the session id context sslContext.SetSessionIdContext(Encoding.ASCII.GetBytes(AppDomain.CurrentDomain.FriendlyName)); }