private async Task ClientAsyncSslHelper(
EncryptionPolicy encryptionPolicy,
SslProtocols clientSslProtocols,
SslProtocols serverSslProtocols,
RemoteCertificateValidationCallback certificateCallback = null)
{
_log.WriteLine("Server: " + serverSslProtocols + "; Client: " + clientSslProtocols);
IPEndPoint endPoint = new IPEndPoint(IPAddress.Loopback, 0);
using (var server = new DummyTcpServer(endPoint, encryptionPolicy))
using (var client = new TcpClient())
{
server.SslProtocols = serverSslProtocols;
// Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378
string serverName = TestHelper.GetTestSNIName(nameof(ClientAsyncSslHelper), clientSslProtocols, serverSslProtocols);
await client.ConnectAsync(server.RemoteEndPoint.Address, server.RemoteEndPoint.Port);
using (SslStream sslStream = new SslStream(client.GetStream(), false, certificateCallback != null ? certificateCallback : AllowAnyServerCertificate, null))
{
Task clientAuthTask = sslStream.AuthenticateAsClientAsync(serverName, null, clientSslProtocols, false);
await clientAuthTask.WaitAsync(TestConfiguration.PassingTestTimeout);
_log.WriteLine("Client authenticated to server({0}) with encryption cipher: {1} {2}-bit strength",
server.RemoteEndPoint, sslStream.CipherAlgorithm, sslStream.CipherStrength);
Assert.True(sslStream.CipherAlgorithm != CipherAlgorithmType.Null, "Cipher algorithm should not be NULL");
Assert.True(sslStream.CipherStrength > 0, "Cipher strength should be greater than 0");
}
}
}
public async Task ClientAndServer_OneOrBothUseDefault_Ok(SslProtocols?clientProtocols, SslProtocols?serverProtocols)
{
using (X509Certificate2 serverCertificate = Configuration.Certificates.GetServerCertificate())
using (X509Certificate2 clientCertificate = Configuration.Certificates.GetClientCertificate())
{
// Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378
string serverHost = TestHelper.GetTestSNIName(nameof(ClientAndServer_OneOrBothUseDefault_Ok), clientProtocols, serverProtocols);
var clientCertificates = new X509CertificateCollection()
{
clientCertificate
};
await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
AuthenticateClientAsync(serverHost, clientCertificates, checkCertificateRevocation : false, protocols : clientProtocols),
AuthenticateServerAsync(serverCertificate, clientCertificateRequired : true, checkCertificateRevocation : false, protocols : serverProtocols));
if (PlatformDetection.IsWindows && PlatformDetection.WindowsVersion >= 10 &&
#pragma warning disable 0618
clientProtocols.GetValueOrDefault() != SslProtocols.Default &&
serverProtocols.GetValueOrDefault() != SslProtocols.Default)
#pragma warning restore 0618
{
Assert.True(
#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
(_clientStream.SslProtocol == SslProtocols.Tls11 && _clientStream.HashAlgorithm == HashAlgorithmType.Sha1) ||
#pragma warning restore SYSLIB0039
_clientStream.HashAlgorithm == HashAlgorithmType.Sha256 ||
_clientStream.HashAlgorithm == HashAlgorithmType.Sha384 ||
_clientStream.HashAlgorithm == HashAlgorithmType.Sha512,
_clientStream.SslProtocol + " " + _clientStream.HashAlgorithm);
}
}
}
private async Task ClientAsyncSslHelper(
EncryptionPolicy encryptionPolicy,
SslProtocols clientSslProtocols,
SslProtocols serverSslProtocols,
RemoteCertificateValidationCallback certificateCallback = null)
{
_log.WriteLine("Server: " + serverSslProtocols + "; Client: " + clientSslProtocols);
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
using (client)
using (server)
{
// Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378
string serverName = TestHelper.GetTestSNIName(nameof(ClientAsyncSslHelper), clientSslProtocols, serverSslProtocols);
Task serverTask = default;
try
{
Task clientTask = client.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
{
EnabledSslProtocols = clientSslProtocols,
RemoteCertificateValidationCallback = AllowAnyServerCertificate,
TargetHost = serverName
});
serverTask = server.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
{
EncryptionPolicy = encryptionPolicy,
EnabledSslProtocols = serverSslProtocols,
ServerCertificate = TestConfiguration.ServerCertificate,
CertificateRevocationCheckMode = X509RevocationMode.NoCheck
});
await clientTask.WaitAsync(TestConfiguration.PassingTestTimeout);
_log.WriteLine("Client authenticated to server with encryption cipher: {0} {1}-bit strength",
client.CipherAlgorithm, client.CipherStrength);
Assert.True(client.CipherAlgorithm != CipherAlgorithmType.Null, "Cipher algorithm should not be NULL");
Assert.True(client.CipherStrength > 0, "Cipher strength should be greater than 0");
}
finally
{
// make sure we signal server in case of client failures
client.Close();
try
{
await serverTask;
}
catch (Exception ex)
{
// We generally don't care about server but can log exception to help diagnose test failures
_log.WriteLine(ex.ToString());
}
}
}
}
private async Task ServerAsyncSslHelper(
SslProtocols clientSslProtocols,
SslProtocols serverSslProtocols,
bool expectedToFail = false)
{
_log.WriteLine(
"Server: " + serverSslProtocols + "; Client: " + clientSslProtocols +
" expectedToFail: " + expectedToFail);
(NetworkStream clientStream, NetworkStream serverStream) = TestHelper.GetConnectedTcpStreams();
using (SslStream sslServerStream = new SslStream(
serverStream,
false,
AllowEmptyClientCertificate))
using (SslStream sslClientStream = new SslStream(
clientStream,
false,
delegate {
// Allow any certificate from the server.
// Note that simply ignoring exceptions from AuthenticateAsClientAsync() is not enough
// because in Mono, certificate validation is performed during the handshake and a failure
// would result in the connection being terminated before the handshake completed, thus
// making the server-side AuthenticateAsServerAsync() fail as well.
return(true);
}))
{
// Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378
string serverName = TestHelper.GetTestSNIName(nameof(ServerAsyncSslHelper), clientSslProtocols, serverSslProtocols);
_log.WriteLine("Connected on {0} {1} ({2} {3})", clientStream.Socket.LocalEndPoint, clientStream.Socket.RemoteEndPoint, clientStream.Socket.Handle, serverStream.Socket.Handle);
_log.WriteLine("client SslStream#{0} server SslStream#{1}", sslClientStream.GetHashCode(), sslServerStream.GetHashCode());
_logVerbose.WriteLine("ServerAsyncAuthenticateTest.AuthenticateAsClientAsync start.");
Task clientAuthentication = sslClientStream.AuthenticateAsClientAsync(
serverName,
null,
clientSslProtocols,
false);
_logVerbose.WriteLine("ServerAsyncAuthenticateTest.AuthenticateAsServerAsync start.");
Task serverAuthentication = sslServerStream.AuthenticateAsServerAsync(
_serverCertificate,
true,
serverSslProtocols,
false);
try
{
await clientAuthentication.WaitAsync(TestConfiguration.PassingTestTimeout);
_logVerbose.WriteLine("ServerAsyncAuthenticateTest.clientAuthentication complete.");
}
catch (AuthenticationException ex)
{
// Ignore client-side errors: we're only interested in server-side behavior.
_log.WriteLine("Client exception : " + ex);
clientStream.Socket.Shutdown(SocketShutdown.Send);
}
await serverAuthentication.WaitAsync(TestConfiguration.PassingTestTimeout);
_logVerbose.WriteLine("ServerAsyncAuthenticateTest.serverAuthentication complete.");
_log.WriteLine(
"Server({0}) authenticated with encryption cipher: {1} {2}-bit strength",
serverStream.Socket.LocalEndPoint,
sslServerStream.CipherAlgorithm,
sslServerStream.CipherStrength);
Assert.True(
sslServerStream.CipherAlgorithm != CipherAlgorithmType.Null,
"Cipher algorithm should not be NULL");
Assert.True(sslServerStream.CipherStrength > 0, "Cipher strength should be greater than 0");
}
}
