        /// <summary>
        /// Initializes the underlying transport and then runs the TLS handshake on top of it: incoming connections
        /// authenticate as a server, outgoing connections as a client. On success <see cref="SslStream"/> is ready
        /// and a buffered write stream sits in front of it.
        /// </summary>
        /// <param name="cancel">Token passed to the underlying initialization and to the handshake.</param>
        /// <exception cref="ConnectionLostException">The handshake failed with an I/O error that
        /// <c>IsConnectionLost</c> classifies as a lost connection (retry after no delay).</exception>
        /// <exception cref="TransportException">Any other I/O error during the handshake (retry after no delay), or a
        /// TLS authentication failure (retry on another replica).</exception>
        public async ValueTask InitializeAsync(CancellationToken cancel)
        {
            await _underlying.InitializeAsync(cancel).ConfigureAwait(false);

            // ownsSocket: false — the socket remains owned by _underlying.
            // leaveInnerStreamOpen: false — disposing the SslStream disposes this NetworkStream.
            var networkStream = new NetworkStream(_underlying.Socket!, false);
            SslStream = new SslStream(networkStream, false);

            try
            {
                if (_incoming)
                {
                    var serverSettings = _engine.TlsServerOptions;
                    var serverOptions = new SslServerAuthenticationOptions
                    {
                        ServerCertificate = serverSettings.ServerCertificate,
                        ClientCertificateRequired = serverSettings.RequireClientCertificate,
                        // Presumably a nullable SslProtocols that the engine has already resolved; if it is still
                        // null, .Value throws InvalidOperationException here — TODO confirm it is always set.
                        EnabledSslProtocols = serverSettings.EnabledSslProtocols!.Value,
                        // An engine-supplied validation callback wins; this transport's own callback is the fallback.
                        RemoteCertificateValidationCallback =
                            serverSettings.ClientCertificateValidationCallback ?? RemoteCertificateValidationCallback,
                        // Revocation (CRL/OCSP) checking of the client certificate is disabled: a revoked but otherwise
                        // valid certificate passes chain validation unless the validation callback rejects it.
                        CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
                    };
                    await SslStream.AuthenticateAsServerAsync(serverOptions, cancel).ConfigureAwait(false);
                }
                else
                {
                    var clientSettings = _engine.TlsClientOptions;
                    var clientCertificates = clientSettings.ClientCertificates;

                    // Engine-supplied selection callback first; otherwise this transport's selection callback, but
                    // only when there is at least one client certificate to choose from.
                    var selectionCallback = clientSettings.ClientCertificateSelectionCallback;
                    if (selectionCallback is null && clientCertificates?.Count > 0)
                    {
                        selectionCallback = CertificateSelectionCallback;
                    }

                    var clientOptions = new SslClientAuthenticationOptions
                    {
                        // Hostname the server certificate is validated against (and sent as SNI).
                        TargetHost = _host,
                        ClientCertificates = clientCertificates,
                        // Same nullable-protocol assumption as on the server side — TODO confirm it is always set.
                        EnabledSslProtocols = clientSettings.EnabledSslProtocols!.Value,
                        RemoteCertificateValidationCallback =
                            clientSettings.ServerCertificateValidationCallback ?? RemoteCertificateValidationCallback,
                        LocalCertificateSelectionCallback = selectionCallback,
                        // Revocation checking of the server certificate is disabled (see the server branch).
                        CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
                    };
                    await SslStream.AuthenticateAsClientAsync(clientOptions, cancel).ConfigureAwait(false);
                }
            }
            catch (IOException ex) when (ex.IsConnectionLost())
            {
                throw new ConnectionLostException(ex, RetryPolicy.AfterDelay(TimeSpan.Zero), _connector);
            }
            catch (IOException ex)
            {
                throw new TransportException(ex, RetryPolicy.AfterDelay(TimeSpan.Zero), _connector);
            }
            catch (AuthenticationException ex)
            {
                // A failed TLS authentication is not retried on this endpoint.
                throw new TransportException(ex, RetryPolicy.OtherReplica, _connector);
            }

            if (_engine.SecurityTraceLevel >= 1)
            {
                _engine.TraceStream(SslStream, ToString());
            }

            // Buffer writes so that a request made up of several small buffers goes out in a single TLS record
            // rather than one record per buffer.
            _writeStream = new BufferedStream(SslStream);
        }
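        /// <summary>
        /// Initializes the underlying transport, runs the TLS handshake on top of it (as a server for incoming
        /// connections, as a client for outgoing ones), then asks the engine's trust manager to accept or reject the
        /// peer before the connection is usable. On success <see cref="SslStream"/> is ready and a buffered write
        /// stream sits in front of it.
        /// </summary>
        /// <param name="cancel">Token passed to the underlying initialization and to the handshake.</param>
        /// <exception cref="ConnectionLostException">The handshake failed with an I/O error that
        /// <c>IsConnectionLost</c> classifies as a lost connection.</exception>
        /// <exception cref="TransportException">Any other I/O error during the handshake, a TLS authentication
        /// failure, or a rejection by the trust manager.</exception>
        public async ValueTask InitializeAsync(CancellationToken cancel)
        {
            await _underlying.InitializeAsync(cancel).ConfigureAwait(false);

            // ownsSocket: false — the socket remains owned by _underlying.
            // leaveInnerStreamOpen: false — disposing the SslStream disposes this NetworkStream.
            SslStream = new SslStream(new NetworkStream(_underlying.Socket!, false), false);

            try
            {
                if (_incoming)
                {
                    var serverSettings = _engine.TlsServerOptions;
                    var serverOptions = new SslServerAuthenticationOptions
                    {
                        ServerCertificate = serverSettings.ServerCertificate,
                        ClientCertificateRequired = serverSettings.RequireClientCertificate,
                        // Presumably a nullable SslProtocols that the engine has already resolved; if it is still
                        // null, .Value throws InvalidOperationException here — TODO confirm it is always set.
                        EnabledSslProtocols = serverSettings.EnabledSslProtocols!.Value,
                        // An engine-supplied validation callback wins; this transport's own callback is the fallback.
                        RemoteCertificateValidationCallback =
                            serverSettings.ClientCertificateValidationCallback ?? RemoteCertificateValidationCallback,
                        // Revocation (CRL/OCSP) checking of the client certificate is disabled: a revoked but otherwise
                        // valid certificate passes chain validation unless the validation callback or the trust
                        // manager rejects it.
                        CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
                    };
                    await SslStream.AuthenticateAsServerAsync(serverOptions, cancel).ConfigureAwait(false);
                }
                else
                {
                    var clientSettings = _engine.TlsClientOptions;
                    var clientCertificates = clientSettings.ClientCertificates;

                    // Engine-supplied selection callback first; otherwise this transport's selection callback, but
                    // only when there is at least one client certificate to choose from.
                    var selectionCallback = clientSettings.ClientCertificateSelectionCallback;
                    if (selectionCallback is null && clientCertificates?.Count > 0)
                    {
                        selectionCallback = CertificateSelectionCallback;
                    }

                    var clientOptions = new SslClientAuthenticationOptions
                    {
                        // Hostname the server certificate is validated against (and sent as SNI).
                        TargetHost = _host,
                        ClientCertificates = clientCertificates,
                        // Same nullable-protocol assumption as on the server side — TODO confirm it is always set.
                        EnabledSslProtocols = clientSettings.EnabledSslProtocols!.Value,
                        RemoteCertificateValidationCallback =
                            clientSettings.ServerCertificateValidationCallback ?? RemoteCertificateValidationCallback,
                        LocalCertificateSelectionCallback = selectionCallback,
                        // Revocation checking of the server certificate is disabled (see the server branch).
                        CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
                    };
                    await SslStream.AuthenticateAsClientAsync(clientOptions, cancel).ConfigureAwait(false);
                }
            }
            catch (IOException ex) when (ex.IsConnectionLost())
            {
                throw new ConnectionLostException(ex);
            }
            catch (IOException ex)
            {
                throw new TransportException(ex);
            }
            catch (AuthenticationException ex)
            {
                throw new TransportException(ex);
            }

            string description = ToString();

            // The handshake only proves the peer holds an acceptable chain; the trust manager applies the
            // application's own acceptance policy on top. RemoteCertificate is null when the peer presented no
            // certificate (e.g. an incoming connection that did not require one).
            // NOTE(review): the `as` cast also turns a remote certificate that is not an X509Certificate2 into null,
            // which the trust manager then sees as "no certificate" — confirm that is the intended treatment.
            var remoteCertificate = SslStream.RemoteCertificate as X509Certificate2;
            if (!_engine.SslTrustManager.Verify(_incoming, remoteCertificate, _adapterName ?? "", description))
            {
                // Bug fix: the outgoing branch used to produce "outgoingconnection rejected ..." because the
                // direction word was missing its trailing space.
                string direction = _incoming ? "incoming" : "outgoing";
                string message = $"{direction} connection rejected by trust manager\n{description}";
                if (_engine.SecurityTraceLevel >= 1)
                {
                    _communicator.Logger.Trace(_engine.SecurityTraceCategory, message);
                }

                throw new TransportException(message);
            }

            if (_engine.SecurityTraceLevel >= 1)
            {
                _engine.TraceStream(SslStream, description);
            }

            // Buffer writes so that a request made up of several small buffers goes out in a single TLS record
            // rather than one record per buffer.
            _writeStream = new BufferedStream(SslStream);
        }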