public override async ValueTask InitializeAsync(CancellationToken cancel)
{
await _underlying.InitializeAsync(cancel).ConfigureAwait(false);
// This can only be created with a connected socket.
_sslStream = new SslStream(new NetworkStream(_underlying.Socket !, false), false);
try
{
if (_incoming)
{
var options = new SslServerAuthenticationOptions();
options.ServerCertificate = _engine.TlsServerOptions.ServerCertificate;
options.ClientCertificateRequired = _engine.TlsServerOptions.RequireClientCertificate;
options.EnabledSslProtocols = _engine.TlsServerOptions.EnabledSslProtocols !.Value;
options.RemoteCertificateValidationCallback =
_engine.TlsServerOptions.ClientCertificateValidationCallback ??
RemoteCertificateValidationCallback;
options.CertificateRevocationCheckMode = X509RevocationMode.NoCheck;
await _sslStream.AuthenticateAsServerAsync(options, cancel).ConfigureAwait(false);
}
else
{
var options = new SslClientAuthenticationOptions();
options.TargetHost = _host;
options.ClientCertificates = _engine.TlsClientOptions.ClientCertificates;
options.EnabledSslProtocols = _engine.TlsClientOptions.EnabledSslProtocols !.Value;
options.RemoteCertificateValidationCallback =
_engine.TlsClientOptions.ServerCertificateValidationCallback ??
RemoteCertificateValidationCallback;
options.LocalCertificateSelectionCallback =
_engine.TlsClientOptions.ClientCertificateSelectionCallback ??
(options.ClientCertificates?.Count > 0 ?
CertificateSelectionCallback : (LocalCertificateSelectionCallback?)null);
options.CertificateRevocationCheckMode = X509RevocationMode.NoCheck;
await _sslStream.AuthenticateAsClientAsync(options, cancel).ConfigureAwait(false);
}
}
catch (IOException ex) when(ex.IsConnectionLost())
{
throw new ConnectionLostException(ex, RetryPolicy.AfterDelay(TimeSpan.Zero), _connector);
}
catch (IOException ex)
{
throw new TransportException(ex, RetryPolicy.AfterDelay(TimeSpan.Zero), _connector);
}
catch (AuthenticationException ex)
{
throw new TransportException(ex, RetryPolicy.OtherReplica, _connector);
}
if (_engine.SecurityTraceLevel >= 1)
{
_engine.TraceStream(_sslStream, ToString());
}
// Use a buffered stream for writes. This ensures that small requests which are composed of multiple
// small buffers will be sent within a single SSL frame.
_writeStream = new BufferedStream(_sslStream);
}
public async Task SslStream_UntrustedCaWithCustomCallback_OK()
{
var clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = "localhost"
};
clientOptions.RemoteCertificateValidationCallback =
(sender, certificate, chain, sslPolicyErrors) =>
{
chain.ChainPolicy.CustomTrustStore.Add(_serverChain[_serverChain.Count - 1]);
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
bool result = chain.Build((X509Certificate2)certificate);
Assert.True(result);
return(result);
};
var serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificateContext = SslStreamCertificateContext.Create(_serverCert, _serverChain);
(Stream clientStream, Stream serverStream) = TestHelper.GetConnectedStreams();
using (clientStream)
using (serverStream)
using (SslStream client = new SslStream(clientStream))
using (SslStream server = new SslStream(serverStream))
{
Task t1 = client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None);
Task t2 = server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
public static Func <Uri, Task <T> > CreateRemoteStream <T>(string host, int port, string sni, Func <Socket, SslStream, T> func, SslProtocols sslProtocols = SslProtocols.None)
{
return(async(uri) =>
{
Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
await socket.ConnectAsync(host, port).ConfigureAwait(false);
SslStream sslStream = new SslStream(new NetworkStream(socket, true), false);
var info = new SslClientAuthenticationOptions()
{
RemoteCertificateValidationCallback = (a, b, c, d) => true,
EnabledSslProtocols = sslProtocols,
TargetHost = sni
};
await sslStream.AuthenticateAsClientAsync(info, default).ConfigureAwait(false);
return func(socket, sslStream);
});
}
public async Task SslStream_UntrustedCaWithCustomCallback_Throws()
{
var options = new SslClientAuthenticationOptions()
{
TargetHost = "localhost"
};
options.RemoteCertificateValidationCallback =
(sender, certificate, chain, sslPolicyErrors) =>
{
chain.ChainPolicy.ExtraStore.AddRange(_serverChain);
chain.ChainPolicy.CustomTrustStore.Add(_serverChain[_serverChain.Count - 1]);
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
// This should work and we should be able to trust the chain.
Assert.True(chain.Build((X509Certificate2)certificate));
// Reject it in custom callback to simulate for example pinning.
return(false);
};
(Stream clientStream, Stream serverStream) = TestHelper.GetConnectedStreams();
using (clientStream)
using (serverStream)
using (SslStream client = new SslStream(clientStream))
using (SslStream server = new SslStream(serverStream))
{
Task t1 = client.AuthenticateAsClientAsync(options, default);
Task t2 = server.AuthenticateAsServerAsync(_serverCert);
await Assert.ThrowsAsync <AuthenticationException>(() => t1);
// Server side should finish since we run custom callback after handshake is done.
await t2;
}
}
/// <summary>Initializes the pool.</summary>
/// <param name="maxConnections">The maximum number of connections allowed to be associated with the pool at any given time.</param>
///
public HttpConnectionPool(HttpConnectionPoolManager poolManager, string host, int port, string sslHostName, Uri proxyUri, int maxConnections)
{
Debug.Assert(proxyUri == null ?
host != null && port != 0 : // direct http or https connection
(sslHostName == null ?
host == null && port == 0 : // proxy connection
host != null && port != 0)); // SSL proxy tunnel
_poolManager = poolManager;
_host = host;
_port = port;
_proxyUri = proxyUri;
_maxConnections = maxConnections;
if (sslHostName != null)
{
// Precalculate cached SSL options to use for all connections.
_sslOptions = _poolManager.Settings._sslOptions?.ShallowClone() ?? new SslClientAuthenticationOptions();
_sslOptions.ApplicationProtocols = null; // explicitly ignore any ApplicationProtocols set
_sslOptions.TargetHost = sslHostName; // always use the key's name rather than whatever was specified
}
if (_host != null)
{
// Precalculate ASCII bytes for header name
// Note that if _host is null, this is a (non-tunneled) proxy connection, and we can't cache the hostname.
// CONSIDER: Cache more than just host name -- port, header name, etc
// Note the IDN hostname should always be ASCII, since it's already been IDNA encoded.
_idnHostAsciiBytes = Encoding.ASCII.GetBytes(_host);
Debug.Assert(Encoding.ASCII.GetString(_idnHostAsciiBytes) == _host);
}
}
public async Task SslStream_Http2_Alpn_Success(Uri server)
{
using (TcpClient client = new TcpClient())
{
try
{
await client.ConnectAsync(server.Host, server.Port);
using (SslStream clientStream = new SslStream(client.GetStream(), leaveInnerStreamOpen: false))
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions
{
ApplicationProtocols = new List <SslApplicationProtocol> {
SslApplicationProtocol.Http2, SslApplicationProtocol.Http11
},
TargetHost = server.Host
};
await clientStream.AuthenticateAsClientAsync(clientOptions, CancellationToken.None);
Assert.Equal("h2", clientStream.NegotiatedApplicationProtocol.ToString());
}
}
catch (Exception e)
{
// Failures to connect do not cause test failure.
_output.WriteLine("Unable to connect: {0}", e);
}
}
}
public async Task ServerAsyncAuthenticate_AsyncOptions_Success()
{
var state = new object();
var serverOptions = new SslServerAuthenticationOptions()
{
ServerCertificate = _serverCertificate
};
var clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = _serverCertificate.GetNameInfo(X509NameType.SimpleName, false)
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
Task t1 = client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None);
Task t2 = server.AuthenticateAsServerAsync(
(stream, clientHelloInfo, userState, cancellationToken) =>
{
Assert.Equal(server, stream);
Assert.Equal(clientOptions.TargetHost, clientHelloInfo.ServerName);
Assert.True(object.ReferenceEquals(state, userState));
return(new ValueTask <SslServerAuthenticationOptions>(OptionsTask(serverOptions)));
},
state, CancellationToken.None);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
public async Task ServerAsyncAuthenticate_SniSetVersion_Success(SslProtocols version)
{
var serverOptions = new SslServerAuthenticationOptions()
{
ServerCertificate = _serverCertificate, EnabledSslProtocols = version
};
var clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = _serverCertificate.GetNameInfo(X509NameType.SimpleName, forIssuer: false), EnabledSslProtocols = SslProtocols.Tls11 | SslProtocols.Tls12
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
Task t1 = client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None);
Task t2 = server.AuthenticateAsServerAsync(
(stream, clientHelloInfo, userState, cancellationToken) =>
{
Assert.Equal(server, stream);
Assert.Equal(clientOptions.TargetHost, clientHelloInfo.ServerName);
return(new ValueTask <SslServerAuthenticationOptions>(serverOptions));
},
null, CancellationToken.None);
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
// Verify that the SNI callback can impact version.
Assert.Equal(version, client.SslProtocol);
}
}
public void SslStream_StreamToStream_Alpn_NonMatchingProtocols_Fail()
{
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, false))
using (var serverStream = new VirtualNetworkStream(network, true))
using (var client = new SslStream(clientStream, false))
using (var server = new SslStream(serverStream, false))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions
{
ApplicationProtocols = new List <SslApplicationProtocol> {
SslApplicationProtocol.Http11
},
RemoteCertificateValidationCallback = AllowAnyServerCertificate,
TargetHost = certificate.GetNameInfo(X509NameType.SimpleName, false),
};
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions
{
ApplicationProtocols = new List <SslApplicationProtocol> {
SslApplicationProtocol.Http2
},
ServerCertificate = certificate,
};
Task t1 = Assert.ThrowsAsync <AuthenticationException>(() => client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None));
Task t2 = Assert.ThrowsAsync <AuthenticationException>(() => server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None));
Assert.True(Task.WaitAll(new[] { t1, t2 }, TestConfiguration.PassingTestTimeoutMilliseconds));
}
}
public void SslStream_StreamToStream_Alpn_Success(List <SslApplicationProtocol> clientProtocols, List <SslApplicationProtocol> serverProtocols, SslApplicationProtocol expected)
{
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, false))
using (var serverStream = new VirtualNetworkStream(network, true))
using (var client = new SslStream(clientStream, false))
using (var server = new SslStream(serverStream, false))
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions
{
ApplicationProtocols = clientProtocols,
};
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions
{
ApplicationProtocols = serverProtocols,
};
Assert.True(DoHandshakeWithOptions(client, server, clientOptions, serverOptions));
Assert.Equal(expected, client.NegotiatedApplicationProtocol);
Assert.Equal(expected, server.NegotiatedApplicationProtocol);
}
}
private static SslClientAuthenticationOptions ConstructSslOptions(HttpConnectionPoolManager poolManager, string sslHostName)
{
Debug.Assert(sslHostName != null);
SslClientAuthenticationOptions sslOptions = poolManager.Settings._sslOptions?.ShallowClone() ?? new SslClientAuthenticationOptions();
sslOptions.ApplicationProtocols = null; // explicitly ignore any ApplicationProtocols set
sslOptions.TargetHost = sslHostName; // always use the key's name rather than whatever was specified
// Windows 7 and Windows 2008 R2 support TLS 1.1 and 1.2, but for legacy reasons by default those protocols
// are not enabled when a developer elects to use the system default. However, in .NET Core 2.0 and earlier,
// HttpClientHandler would enable them, due to being a wrapper for WinHTTP, which enabled them. Both for
// compatibility and because we prefer those higher protocols whenever possible, SocketsHttpHandler also
// pretends they're part of the default when running on Win7/2008R2.
if (s_isWindows7Or2008R2 && sslOptions.EnabledSslProtocols == SslProtocols.None)
{
if (NetEventSource.IsEnabled)
{
NetEventSource.Info(poolManager, $"Win7OrWin2K8R2 platform, Changing default TLS protocols to {SecurityProtocol.DefaultSecurityProtocols}");
}
sslOptions.EnabledSslProtocols = SecurityProtocol.DefaultSecurityProtocols;
}
return(sslOptions);
}
public static async ValueTask <SslStream> EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Stream stream, CancellationToken cancellationToken)
{
// If there's a cert validation callback, and if it came from HttpClientHandler,
// wrap the original delegate in order to change the sender to be the request message (expected by HttpClientHandler's delegate).
RemoteCertificateValidationCallback callback = sslOptions.RemoteCertificateValidationCallback;
if (callback != null && callback.Target is CertificateCallbackMapper mapper)
{
sslOptions = sslOptions.ShallowClone(); // Clone as we're about to mutate it and don't want to affect the cached copy
Func <HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool> localFromHttpClientHandler = mapper.FromHttpClientHandler;
HttpRequestMessage localRequest = request;
sslOptions.RemoteCertificateValidationCallback = (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>
localFromHttpClientHandler(localRequest, certificate as X509Certificate2, chain, sslPolicyErrors);
}
// Create the SslStream, authenticate, and return it.
var sslStream = new SslStream(stream);
try
{
await sslStream.AuthenticateAsClientAsync(sslOptions, cancellationToken).ConfigureAwait(false);
}
catch (Exception e)
{
sslStream.Dispose();
throw new HttpRequestException(SR.net_http_ssl_connection_failed, e);
}
return(sslStream);
}
public void SslStream_StreamToStream_DuplicateOptions_Throws()
{
RemoteCertificateValidationCallback rCallback = (sender, certificate, chain, errors) => { return(true); };
LocalCertificateSelectionCallback lCallback = (sender, host, localCertificates, remoteCertificate, issuers) => { return(null); };
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, false))
using (var serverStream = new VirtualNetworkStream(network, true))
using (var client = new SslStream(clientStream, false, rCallback, lCallback, EncryptionPolicy.RequireEncryption))
using (var server = new SslStream(serverStream, false, rCallback))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions();
clientOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
clientOptions.TargetHost = certificate.GetNameInfo(X509NameType.SimpleName, false);
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificate = certificate;
serverOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
Task t1 = Assert.ThrowsAsync <InvalidOperationException>(() => client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None));
Task t2 = Assert.ThrowsAsync <InvalidOperationException>(() => server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None));
Assert.True(Task.WaitAll(new[] { t1, t2 }, TestConfiguration.PassingTestTimeoutMilliseconds));
}
}
public async Task ServerAsyncAuthenticate_FailingOptionCallback_Throws(bool useAsync)
{
var serverOptions = new SslServerAuthenticationOptions()
{
ServerCertificate = _serverCertificate
};
var clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = _serverCertificate.GetNameInfo(X509NameType.SimpleName, false)
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
Task t1 = client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None);
Task t2 = server.AuthenticateAsServerAsync(
(stream, clientHelloInfo, userState, cancellationToken) =>
{
if (useAsync)
{
return(new ValueTask <SslServerAuthenticationOptions>(FailedTask()));
}
throw new InvalidOperationException("foo");
},
null, CancellationToken.None);
await Assert.ThrowsAsync <InvalidOperationException>(() => t2);
}
}
public void SslStream_StreamToStream_ServerCancellation_Throws()
{
VirtualNetwork network = new VirtualNetwork();
using (var clientStream = new VirtualNetworkStream(network, isServer: false))
using (var serverStream = new VirtualNetworkStream(network, isServer: true))
using (var client = new SslStream(clientStream))
using (var server = new SslStream(serverStream))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions();
clientOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
clientOptions.TargetHost = certificate.GetNameInfo(X509NameType.SimpleName, false);
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificate = certificate;
CancellationTokenSource cts = new CancellationTokenSource();
cts.Cancel();
Task clientTask = Assert.ThrowsAsync <TimeoutException>(() => client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None));
Task serverTask = Assert.ThrowsAnyAsync <OperationCanceledException>(() => server.AuthenticateAsServerAsync(serverOptions, cts.Token));
Assert.True(Task.WaitAll(new[] { clientTask, serverTask }, TestConfiguration.PassingTestTimeoutMilliseconds));
}
}
public async Task ListenOptionsProtolsCanBeSetAfterUseHttps(HttpProtocols httpProtocols)
{
void ConfigureListenOptions(ListenOptions listenOptions)
{
listenOptions.UseHttps(_x509Certificate2);
listenOptions.Protocols = httpProtocols;
}
await using var server = new TestServer(context => Task.CompletedTask, new TestServiceContext(LoggerFactory), ConfigureListenOptions);
using var connection = server.CreateConnection();
var sslOptions = new SslClientAuthenticationOptions
{
TargetHost = "localhost",
EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11,
ApplicationProtocols = new List <SslApplicationProtocol> {
SslApplicationProtocol.Http11, SslApplicationProtocol.Http2
},
};
using var stream = OpenSslStream(connection.Stream);
await stream.AuthenticateAsClientAsync(sslOptions);
Assert.Equal(
httpProtocols.HasFlag(HttpProtocols.Http2) ?
SslApplicationProtocol.Http2 :
SslApplicationProtocol.Http11,
stream.NegotiatedApplicationProtocol);
}
public async Task SslStream_StreamToStream_DuplicateOptions_Throws()
{
RemoteCertificateValidationCallback rCallback = (sender, certificate, chain, errors) => { return(true); };
LocalCertificateSelectionCallback lCallback = (sender, host, localCertificates, remoteCertificate, issuers) => { return(null); };
(Stream clientStream, Stream serverStream) = TestHelper.GetConnectedStreams();
using (clientStream)
using (serverStream)
using (var client = new SslStream(clientStream, false, rCallback, lCallback, EncryptionPolicy.RequireEncryption))
using (var server = new SslStream(serverStream, false, rCallback))
using (X509Certificate2 certificate = Configuration.Certificates.GetServerCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions();
clientOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
clientOptions.TargetHost = certificate.GetNameInfo(X509NameType.SimpleName, false);
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificate = certificate;
serverOptions.RemoteCertificateValidationCallback = AllowAnyServerCertificate;
Task t1 = Assert.ThrowsAsync <InvalidOperationException>(() => client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None));
Task t2 = Assert.ThrowsAsync <InvalidOperationException>(() => server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None));
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(t1, t2);
}
}
[OuterLoop] // Test hits external azure server.
public async Task SslStream_AllowRenegotiation_False_Throws()
{
Socket s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
await s.ConnectAsync(Configuration.Security.TlsRenegotiationServer, 443);
using (NetworkStream ns = new NetworkStream(s))
using (SslStream ssl = new SslStream(ns, true))
{
X509CertificateCollection certBundle = new X509CertificateCollection();
certBundle.Add(Configuration.Certificates.GetClientCertificate());
SslClientAuthenticationOptions options = new SslClientAuthenticationOptions
{
TargetHost = Configuration.Security.TlsRenegotiationServer,
ClientCertificates = certBundle,
EnabledSslProtocols = SslProtocols.Tls12,
CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
AllowRenegotiation = false
};
// Perform handshake to establish secure connection.
await ssl.AuthenticateAsClientAsync(options, CancellationToken.None);
Assert.True(ssl.IsAuthenticated);
Assert.True(ssl.IsEncrypted);
// Issue request that triggers regotiation from server.
byte[] message = Encoding.UTF8.GetBytes("GET /EchoClientCertificate.ashx HTTP/1.1\r\nHost: corefx-net-tls.azurewebsites.net\r\n\r\n");
await ssl.WriteAsync(message, 0, message.Length);
// Initiate Read operation, that results in starting renegotiation as per server response to the above request.
// This will throw IOException, since renegotiation is disabled on client side.
await Assert.ThrowsAsync <IOException>(() => ssl.ReadAsync(message, 0, message.Length));
}
}
/// <summary>
/// Connect to the given host on the port asynchronously
/// </summary>
/// <param name="host">The host to connect to</param>
/// <param name="port">The port to use for communication</param>
public async Task ConnectAsync(string host, int port)
{
// Don't reconnect
if (_state == LDAPConnectionState.Connected)
{
return;
}
try
{
await _conn.ConnectAsync(host, port);
if (_sslEnabled)
{
_raw = _conn.GetStream();
var options = new SslClientAuthenticationOptions
{
TargetHost = host,
EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls,
ClientCertificates = null,
LocalCertificateSelectionCallback = null,
CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
RemoteCertificateValidationCallback = (sender, cert, chain, errors) =>
{
// Accept all...bad idea
return(true);
},
ApplicationProtocols = new List <SslApplicationProtocol>()
{
SslApplicationProtocol.Http11
},
EncryptionPolicy = EncryptionPolicy.RequireEncryption,
};
_transport = new SslStream(_raw);
await(_transport as SslStream).AuthenticateAsClientAsync(options, CancellationToken.None);
Reader = new LDAPReader(_transport);
Writer = new LDAPWriter(_transport);
}
else
{
_raw = _conn.GetStream();
_transport = null;
Reader = new LDAPReader(_raw);
Writer = new LDAPWriter(_raw);
}
// Create the pump and start it
_pump = new MessagePump(Reader, _raw, _log);
_pump.Start();
_state = LDAPConnectionState.Connected;
}
catch (Exception e)
{
_state = LDAPConnectionState.Faulted;
throw new LDAPException("Failed to connect", e);
}
}
public static Task AuthenticateAsClientAsync(this SslStream stream,
bool async, SslClientAuthenticationOptions clientOptions,
CancellationToken cancellationToken = default)
{
return(async
? stream.AuthenticateAsClientAsync(clientOptions, cancellationToken)
: Task.Run(() => stream.AuthenticateAsClient(clientOptions)));
}
public async Task SslStream_SecondNegotiateClientCertificateAsync_Throws(bool sendClientCertificate)
{
using CancellationTokenSource cts = new CancellationTokenSource();
cts.CancelAfter(TestConfiguration.PassingTestTimeout);
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
using (X509Certificate2 serverCertificate = Configuration.Certificates.GetServerCertificate())
using (X509Certificate2 clientCertificate = Configuration.Certificates.GetClientCertificate())
{
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = Guid.NewGuid().ToString("N"),
EnabledSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
clientOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) =>
{
return(sendClientCertificate ? clientCertificate : null);
};
SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions()
{
ServerCertificate = serverCertificate
};
serverOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
client.AuthenticateAsClientAsync(clientOptions, cts.Token),
server.AuthenticateAsServerAsync(serverOptions, cts.Token));
await TestHelper.PingPong(client, server, cts.Token);
Assert.Null(server.RemoteCertificate);
// Client needs to be reading for renegotiation to happen.
byte[] buffer = new byte[TestHelper.s_ping.Length];
ValueTask <int> t = client.ReadAsync(buffer, cts.Token);
await server.NegotiateClientCertificateAsync(cts.Token);
if (sendClientCertificate)
{
Assert.NotNull(server.RemoteCertificate);
}
else
{
Assert.Null(server.RemoteCertificate);
}
// Finish the client's read
await server.WriteAsync(TestHelper.s_ping, cts.Token);
await t;
await Assert.ThrowsAsync <InvalidOperationException>(() => server.NegotiateClientCertificateAsync());
}
}
// Constructor for outbound connections
internal MockConnection(IPEndPoint remoteEndPoint, SslClientAuthenticationOptions sslClientAuthenticationOptions, IPEndPoint localEndPoint = null)
{
_remoteEndPoint = remoteEndPoint;
_localEndPoint = localEndPoint;
_isClient = true;
_nextOutboundBidirectionalStream = 0;
_nextOutboundUnidirectionalStream = 2;
}
private static SocketsHttpHandler GetHttpClientHandler()
{
var sslOptions = new SslClientAuthenticationOptions
{
RemoteCertificateValidationCallback = (message, certificate, chain, sslErrors) =>
{
// direct to url with matching server certificate
if (sslErrors.ToString() == "None")
{
return(true);
}
// support Azure Function redirect
if (sslErrors.ToString() == "RemoteCertificateNameMismatch")
{
if (certificate == null)
{
throw new Exception($"Server Certificate Validation Failure: Certificate is Null");
}
else
{
// Issed by Microsoft
if (certificate.Issuer.Contains("O=Microsoft Corporation")
// Azure Function Host URL
&& certificate.Subject.Contains("CN=*.azurewebsites.net"))
{
return(true);
}
else
{
throw new Exception($"Server Certificate Validation Failure: Not Trusted Certificate - {certificate.Issuer}, {certificate.Subject}");
}
}
}
if (certificate == null)
{
throw new Exception($"Server Certificate Validation Failure: {sslErrors}");
}
else
{
throw new Exception($"Server Certificate Validation Failure: {sslErrors}, {certificate.Issuer}, {certificate.Subject}");
}
}
};
var socketHandler = new SocketsHttpHandler
{
PooledConnectionLifetime = TimeSpan.FromMinutes(1),
SslOptions = sslOptions
};
return(socketHandler);
}
public async ValueTask <Stream> GetClientStream(Socket socket)
{
var stream = new SslStream(new NetworkStream(socket), false);
var options = new SslClientAuthenticationOptions();
options.TargetHost = "supersocket";
options.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
await stream.AuthenticateAsClientAsync(options);
return(stream);
}
private static SslClientAuthenticationOptions ConstructSslOptions(HttpConnectionPoolManager poolManager, string sslHostName)
{
Debug.Assert(sslHostName != null);
SslClientAuthenticationOptions sslOptions = poolManager.Settings._sslOptions?.ShallowClone() ?? new SslClientAuthenticationOptions();
sslOptions.ApplicationProtocols = null; // explicitly ignore any ApplicationProtocols set
sslOptions.TargetHost = sslHostName; // always use the key's name rather than whatever was specified
return(sslOptions);
}
private static NegotiatedParams ConnectAndGetNegotiatedParams(ConnectionParams serverParams, ConnectionParams clientParams)
{
(Stream clientStream, Stream serverStream) = TestHelper.GetConnectedStreams();
using (clientStream)
using (serverStream)
using (SslStream server = new SslStream(serverStream, leaveInnerStreamOpen: false),
client = new SslStream(clientStream, leaveInnerStreamOpen: false))
{
var serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificate = Configuration.Certificates.GetSelfSignedServerCertificate();
serverOptions.EncryptionPolicy = serverParams.EncryptionPolicy;
serverOptions.EnabledSslProtocols = serverParams.SslProtocols;
serverOptions.CipherSuitesPolicy = serverParams.CipherSuitesPolicy;
var clientOptions = new SslClientAuthenticationOptions();
clientOptions.EncryptionPolicy = clientParams.EncryptionPolicy;
clientOptions.EnabledSslProtocols = clientParams.SslProtocols;
clientOptions.CipherSuitesPolicy = clientParams.CipherSuitesPolicy;
clientOptions.TargetHost = "test";
clientOptions.RemoteCertificateValidationCallback =
new RemoteCertificateValidationCallback((object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors) => {
return(true);
});
Exception failure = WaitForSecureConnection(client, clientOptions, server, serverOptions).GetAwaiter().GetResult();
if (failure == null)
{
// send some bytes, make sure they can talk
byte[] data = new byte[] { 1, 2, 3 };
byte[] receivedData = new byte[1];
Task serverTask = server.WriteAsync(data, 0, data.Length);
for (int i = 0; i < data.Length; i++)
{
Assert.True(client.ReadAsync(receivedData, 0, 1).Wait(TestConfiguration.PassingTestTimeoutMilliseconds),
$"Read task failed to finish in {TestConfiguration.PassingTestTimeoutMilliseconds}ms.");
Assert.Equal(data[i], receivedData[0]);
}
Assert.True(serverTask.Wait(TestConfiguration.PassingTestTimeoutMilliseconds),
$"WriteTask failed to finish in {TestConfiguration.PassingTestTimeoutMilliseconds}ms.");
return(new NegotiatedParams(server, client));
}
else
{
return(new NegotiatedParams(failure));
}
}
}
/// <summary>
/// Create an outbound QUIC connection.
/// </summary>
/// <param name="remoteEndPoint">The remote endpoint to connect to.</param>
/// <param name="sslClientAuthenticationOptions">TLS options</param>
/// <param name="localEndPoint">The local endpoint to connect from.</param>
/// <param name="mock">Use mock QUIC implementation.</param>
// !!! TEMPORARY FOR QUIC MOCK SUPPORT: Remove "mock" parameter before shipping
public QuicConnection(IPEndPoint remoteEndPoint, SslClientAuthenticationOptions sslClientAuthenticationOptions, IPEndPoint localEndPoint = null, bool mock = false)
{
// TODO: TLS handling
_mock = mock;
_remoteEndPoint = remoteEndPoint;
_localEndPoint = localEndPoint;
_isClient = true;
_nextOutboundBidirectionalStream = 0;
_nextOutboundUnidirectionalStream = 2;
}
private async ValueTask <(Socket, Stream, HttpResponseMessage)> ConnectAsync(HttpConnectionKind kind, HttpRequestMessage request, CancellationToken cancellationToken)
{
Stream stream = null;
switch (_kind)
{
case HttpConnectionKind.Http:
case HttpConnectionKind.Https:
case HttpConnectionKind.ProxyConnect:
stream = await ConnectAsync(request, cancellationToken).ConfigureAwait(false);
break;
case HttpConnectionKind.ProxyTunnel:
case HttpConnectionKind.SslProxyTunnel:
HttpResponseMessage response;
(stream, response) = await EstablishProxyTunnel(request.Headers.Any()?request.Headers : null, cancellationToken).ConfigureAwait(false);
if (response != null)
{
// Return non-success response from proxy.
response.RequestMessage = request;
return(null, null, response);
}
break;
}
Socket socket = (stream as ExposedSocketNetworkStream)?.Socket;
if (kind == HttpConnectionKind.Https || kind == HttpConnectionKind.SslProxyTunnel)
{
var sslOptions = new SslClientAuthenticationOptions();
sslOptions.TargetHost = _poolManager.settings.EndPointProvider.GetHost(_sslHost);
sslOptions.EnabledSslProtocols = SslProtocols.Tls11;
if (_poolManager.settings.RemoteCertificateValidationCallback != null)
{
sslOptions.RemoteCertificateValidationCallback = _poolManager.settings.RemoteCertificateValidationCallback;
}
else
{
sslOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
{
return(true);
};
}
sslOptions.ClientCertificates = _poolManager.settings.ClientCertificates;
SslStream sslStream = await EstablishSslConnectionAsync(sslOptions, request, stream, cancellationToken).ConfigureAwait(false);
stream = sslStream;
}
return(socket, stream, null);
}
private static NegotiatedParams ConnectAndGetNegotiatedParams(ConnectionParams serverParams, ConnectionParams clientParams)
{
VirtualNetwork vn = new VirtualNetwork();
using (VirtualNetworkStream serverStream = new VirtualNetworkStream(vn, isServer: true),
clientStream = new VirtualNetworkStream(vn, isServer: false))
using (SslStream server = new SslStream(serverStream, leaveInnerStreamOpen: false),
client = new SslStream(clientStream, leaveInnerStreamOpen: false))
{
var serverOptions = new SslServerAuthenticationOptions();
serverOptions.ServerCertificate = Configuration.Certificates.GetSelfSignedServerCertificate();
serverOptions.EncryptionPolicy = serverParams.EncryptionPolicy;
serverOptions.EnabledSslProtocols = serverParams.SslProtocols;
serverOptions.CipherSuitesPolicy = serverParams.CipherSuitesPolicy;
var clientOptions = new SslClientAuthenticationOptions();
clientOptions.EncryptionPolicy = clientParams.EncryptionPolicy;
clientOptions.EnabledSslProtocols = clientParams.SslProtocols;
clientOptions.CipherSuitesPolicy = clientParams.CipherSuitesPolicy;
clientOptions.TargetHost = "test";
clientOptions.RemoteCertificateValidationCallback =
new RemoteCertificateValidationCallback((object sender,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors) => {
return(true);
});
Func <Task> serverTask = () => server.AuthenticateAsServerAsync(serverOptions, CancellationToken.None);
Func <Task> clientTask = () => client.AuthenticateAsClientAsync(clientOptions, CancellationToken.None);
Exception failure = WaitForSecureConnection(vn, serverTask, clientTask).Result;
if (failure == null)
{
// send some bytes, make sure they can talk
byte[] data = new byte[] { 1, 2, 3 };
server.WriteAsync(data, 0, data.Length);
for (int i = 0; i < data.Length; i++)
{
Assert.Equal(data[i], client.ReadByte());
}
return(new NegotiatedParams(server, client));
}
else
{
return(new NegotiatedParams(failure));
}
}
}
protected override IConnector GetConntector()
{
var authOptions = new SslClientAuthenticationOptions();
authOptions.EnabledSslProtocols = SslProtocols.Tls11 | SslProtocols.Tls12;
authOptions.TargetHost = IPAddress.Loopback.ToString();
authOptions.RemoteCertificateValidationCallback += (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>
{
return(true);
};
return(new SocketConnector(new SslStreamConnector(authOptions)));
}
