public void ClientCertificateOptions_InvalidArg_ThrowsException(ClientCertificateOption option)
{
using (var handler = new HttpClientHandler())
{
Assert.Throws<ArgumentOutOfRangeException>("value", () => handler.ClientCertificateOptions = option);
}
}
public HttpClientHandler()
{
_rtFilter = new RTHttpBaseProtocolFilter();
_handlerToFilter = new HttpHandlerToFilter(_rtFilter);
_handlerToFilter.RequestMessageLookupKey = RequestMessageLookupKey;
_handlerToFilter.SavedExceptionDispatchInfoLookupKey = SavedExceptionDispatchInfoLookupKey;
_diagnosticsPipeline = new DiagnosticsHandler(_handlerToFilter);
_clientCertificateOptions = ClientCertificateOption.Manual;
// Always turn off WinRT cookie processing if the WinRT API supports turning it off.
// Use .NET CookieContainer handling only.
if (RTCookieUsageBehaviorSupported)
{
_rtFilter.CookieUsageBehavior = RTHttpCookieUsageBehavior.NoCookies;
}
_useCookies = true; // deal with cookies by default.
_cookieContainer = new CookieContainer(); // default container used for dealing with auto-cookies.
// Managed at this layer for granularity, but uses the desktop default.
_rtFilter.AutomaticDecompression = false;
_automaticDecompression = DecompressionMethods.None;
// We don't support using the UI model in HttpBaseProtocolFilter() especially for auto-handling 401 responses.
_rtFilter.AllowUI = false;
// The .NET Desktop System.Net Http APIs (based on HttpWebRequest/HttpClient) uses no caching by default.
// To preserve app-compat, we turn off caching in the WinRT HttpClient APIs.
_rtFilter.CacheControl.ReadBehavior = RTNoCacheSupported ?
RTHttpCacheReadBehavior.NoCache : RTHttpCacheReadBehavior.MostRecent;
_rtFilter.CacheControl.WriteBehavior = RTHttpCacheWriteBehavior.NoCache;
}
public HttpClientHandler()
{
_startRequest = StartRequest;
_getRequestStreamCallback = GetRequestStreamCallback;
_getResponseCallback = GetResponseCallback;
_connectionGroupName = RuntimeHelpers.GetHashCode(this).ToString(NumberFormatInfo.InvariantInfo);
// Set HWR default values
_allowAutoRedirect = true;
_maxRequestContentBufferSize = HttpContent.MaxBufferSize;
_automaticDecompression = DecompressionMethods.None;
_cookieContainer = new CookieContainer(); // default container used for dealing with auto-cookies.
_credentials = null;
_maxAutomaticRedirections = 50;
_preAuthenticate = false;
_proxy = null;
_useProxy = true;
_useCookies = true; // deal with cookies by default.
_useDefaultCredentials = false;
_clientCertOptions = ClientCertificateOption.Manual;
// New properties not in .NET Framework HttpClientHandler.
_maxResponseHeadersLength = HttpWebRequest.DefaultMaximumResponseHeadersLength;
_defaultProxyCredentials = null;
_clientCertificates = null; // only create collection when required.
_properties = null; // only create collection when required.
_maxConnectionsPerServer = ServicePointManager.DefaultConnectionLimit;
_serverCertificateCustomValidationCallback = null;
}
public HttpClientHandler()
{
_rtFilter = new RTHttpBaseProtocolFilter();
_handlerToFilter = new HttpHandlerToFilter(_rtFilter);
_diagnosticsPipeline = new DiagnosticsHandler(_handlerToFilter);
_clientCertificateOptions = ClientCertificateOption.Manual;
InitRTCookieUsageBehavior();
_useCookies = true; // deal with cookies by default.
_cookieContainer = new CookieContainer(); // default container used for dealing with auto-cookies.
// Managed at this layer for granularity, but uses the desktop default.
_rtFilter.AutomaticDecompression = false;
_automaticDecompression = DecompressionMethods.None;
// Set initial proxy credentials based on default system proxy.
SetProxyCredential(null);
// We don't support using the UI model in HttpBaseProtocolFilter() especially for auto-handling 401 responses.
_rtFilter.AllowUI = false;
// The .NET Desktop System.Net Http APIs (based on HttpWebRequest/HttpClient) uses no caching by default.
// To preserve app-compat, we turn off caching (as much as possible) in the WinRT HttpClient APIs.
// TODO (#7877): use RTHttpCacheReadBehavior.NoCache when available in the next version of WinRT HttpClient API.
_rtFilter.CacheControl.ReadBehavior = RTHttpCacheReadBehavior.MostRecent;
_rtFilter.CacheControl.WriteBehavior = RTHttpCacheWriteBehavior.NoCache;
}
public void ClientCertificateOptions_InvalidArg_ThrowsException(ClientCertificateOption option)
{
using (HttpClientHandler handler = CreateHttpClientHandler())
{
AssertExtensions.Throws <ArgumentOutOfRangeException>("value", () => handler.ClientCertificateOptions = option);
}
}
public void ClientCertificateOptions_ValueArg_Roundtrips(ClientCertificateOption option)
{
using (var handler = new HttpClientHandler())
{
handler.ClientCertificateOptions = option;
Assert.Equal(option, handler.ClientCertificateOptions);
}
}
public void ClientCertificateOptions_ValueArg_Roundtrips(ClientCertificateOption option)
{
using (HttpClientHandler handler = CreateHttpClientHandler())
{
handler.ClientCertificateOptions = option;
Assert.Equal(option, handler.ClientCertificateOptions);
}
}
/// <summary>Creates an instance of a <see cref="T:NMasters.Silverlight.Net.Http.Handlers.HttpClientHandler" /> class.</summary>
public HttpClientHandler()
{
this.allowAutoRedirect = true;
this.maxRequestContentBufferSize = 0x7fffffff;
this.cookieContainer = new CookieContainer();
this.credentials = null;
this.maxAutomaticRedirections = 50;
this.preAuthenticate = false;
this.useCookies = true;
this.useDefaultCredentials = false;
this.clientCertOptions = ClientCertificateOption.Manual;
}
internal static void SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption)
{
// Disable SSLv2/SSLv3, allow TLSv1.*
easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSLVERSION, (long)Interop.Http.CurlSslVersion.CURL_SSLVERSION_TLSv1);
IntPtr userPointer = IntPtr.Zero;
if (clientCertOption == ClientCertificateOption.Automatic)
{
ClientCertificateProvider certProvider = new ClientCertificateProvider();
userPointer = GCHandle.ToIntPtr(certProvider._gcHandle);
easy.Task.ContinueWith((_, state) => ((IDisposable)state).Dispose(),
certProvider,
CancellationToken.None,
TaskContinuationOptions.ExecuteSynchronously,
TaskScheduler.Default);
}
else
{
Debug.Assert(clientCertOption == ClientCertificateOption.Manual, "ClientCertificateOption is manual or automatic");
}
CURLcode answer = easy.SetSslCtxCallback(s_sslCtxCallback, userPointer);
switch (answer)
{
case CURLcode.CURLE_OK:
break;
// Curl 7.38 and prior
case CURLcode.CURLE_UNKNOWN_OPTION:
// Curl 7.39 and later
case CURLcode.CURLE_NOT_BUILT_IN:
EventSourceTrace("CURLOPT_SSL_CTX_FUNCTION not supported. Platform default HTTPS chain building in use");
if (clientCertOption == ClientCertificateOption.Automatic)
{
throw new PlatformNotSupportedException(SR.net_http_unix_invalid_client_cert_option);
}
break;
default:
ThrowIfCURLEError(answer);
break;
}
}
internal static void SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption)
{
// Disable SSLv2/SSLv3, allow TLSv1.*
easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSLVERSION, (long)Interop.Http.CurlSslVersion.CURL_SSLVERSION_TLSv1);
IntPtr userPointer = IntPtr.Zero;
if (clientCertOption == ClientCertificateOption.Automatic)
{
ClientCertificateProvider certProvider = new ClientCertificateProvider();
userPointer = GCHandle.ToIntPtr(certProvider._gcHandle);
easy.Task.ContinueWith((_, state) => ((IDisposable)state).Dispose(),
certProvider,
CancellationToken.None,
TaskContinuationOptions.ExecuteSynchronously,
TaskScheduler.Default);
}
else
{
Debug.Assert(clientCertOption == ClientCertificateOption.Manual, "ClientCertificateOption is manual or automatic");
}
CURLcode answer = easy.SetSslCtxCallback(s_sslCtxCallback, userPointer);
switch (answer)
{
case CURLcode.CURLE_OK:
break;
// Curl 7.38 and prior
case CURLcode.CURLE_UNKNOWN_OPTION:
// Curl 7.39 and later
case CURLcode.CURLE_NOT_BUILT_IN:
EventSourceTrace("CURLOPT_SSL_CTX_FUNCTION not supported. Platform default HTTPS chain building in use");
if (clientCertOption == ClientCertificateOption.Automatic)
{
throw new PlatformNotSupportedException(SR.net_http_unix_invalid_client_cert_option);
}
break;
default:
ThrowIfCURLEError(answer);
break;
}
}
public HttpClientHandler()
{
_rtFilter = CreateFilter();
_handlerToFilter = new HttpHandlerToFilter(_rtFilter, this);
_handlerToFilter.RequestMessageLookupKey = RequestMessageLookupKey;
_handlerToFilter.SavedExceptionDispatchInfoLookupKey = SavedExceptionDispatchInfoLookupKey;
_diagnosticsPipeline = new DiagnosticsHandler(_handlerToFilter);
_clientCertificateOptions = ClientCertificateOption.Manual;
_useCookies = true; // deal with cookies by default.
_cookieContainer = new CookieContainer(); // default container used for dealing with auto-cookies.
_allowAutoRedirect = true;
_maxAutomaticRedirections = 50;
_automaticDecompression = DecompressionMethods.None;
}
internal static void SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption)
{
EventSourceTrace("ClientCertificateOption: {0}", clientCertOption, easy: easy);
Debug.Assert(clientCertOption == ClientCertificateOption.Automatic || clientCertOption == ClientCertificateOption.Manual);
// Create a client certificate provider if client certs may be used.
X509Certificate2Collection clientCertificates = easy._handler._clientCertificates;
ClientCertificateProvider certProvider =
clientCertOption == ClientCertificateOption.Automatic ? new ClientCertificateProvider(null) : // automatic
clientCertificates?.Count > 0 ? new ClientCertificateProvider(clientCertificates) : // manual with certs
null; // manual without certs
IntPtr userPointer = IntPtr.Zero;
if (certProvider != null)
{
EventSourceTrace("Created certificate provider", easy: easy);
// The client cert provider needs to be passed through to the callback, and thus
// we create a GCHandle to keep it rooted. This handle needs to be cleaned up
// when the request has completed, and a simple and pay-for-play way to do that
// is by cleaning it up in a continuation off of the request.
userPointer = GCHandle.ToIntPtr(certProvider._gcHandle);
easy.Task.ContinueWith((_, state) => ((IDisposable)state).Dispose(), certProvider,
CancellationToken.None, TaskContinuationOptions.ExecuteSynchronously, TaskScheduler.Default);
}
// Configure the options. Our best support is when targeting OpenSSL/1.0. For other backends,
// we fall back to a minimal amount of support, and may throw a PNSE based on the options requested.
if (Interop.Http.HasMatchingOpenSslVersion)
{
// Register the callback with libcurl. We need to register even if there's no user-provided
// server callback and even if there are no client certificates, because we support verifying
// server certificates against more than those known to OpenSSL.
SetSslOptionsForSupportedBackend(easy, certProvider, userPointer);
}
else
{
// Newer versions of OpenSSL, and other non-OpenSSL backends, do not currently support callbacks.
// That means we'll throw a PNSE if a callback is required.
SetSslOptionsForUnsupportedBackend(easy, certProvider);
}
}
private IResponse Invoke(UrlBuilder url, HttpMethod method, HttpContent content, IBindingSession session,
long?offset, long?length, IDictionary <string, string> headers)
{
if (Logger.IsDebugEnabled)
{
Logger.Debug("HTTP: " + method.ToString() + " " + url.ToString());
}
IPortableAuthenticationProvider authProvider = session.GetAuthenticationProvider() as IPortableAuthenticationProvider;
HttpClient httpClient = session.GetValue(InvokerHttpClient) as HttpClient;
if (httpClient == null)
{
lock (invokerLock)
{
httpClient = session.GetValue(InvokerHttpClient) as HttpClient;
if (httpClient == null)
{
// create a HTTP client handler
HttpClientHandler httpClientHandler = null;
if (authProvider != null)
{
httpClientHandler = authProvider.CreateHttpClientHandler();
}
if (httpClientHandler == null)
{
httpClientHandler = new HttpClientHandler();
}
// redirects
if (httpClientHandler.SupportsRedirectConfiguration)
{
httpClientHandler.AllowAutoRedirect = false;
}
// compression
if (httpClientHandler.SupportsAutomaticDecompression)
{
string compressionFlag = session.GetValue(SessionParameter.Compression) as string;
if (compressionFlag != null && compressionFlag.ToLowerInvariant().Equals("true"))
{
httpClientHandler.AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;
}
}
// authentication
httpClientHandler.PreAuthenticate = true;
httpClientHandler.UseDefaultCredentials = false;
// authentication provider
if (authProvider != null)
{
authProvider.PrepareHttpClientHandler(httpClientHandler);
}
string sslProtocols = SessionParameterDefaults.SslProtocol;
string clientCertificateOption = SessionParameterDefaults.ClientCertificateOption;
SslProtocols prot = SslProtocols.None;
ClientCertificateOption clientOption = ClientCertificateOption.Manual;
object sslProtocolsobj = session.GetValue(SessionParameter.SslProtocols, SessionParameterDefaults.SslProtocol);
object clientCertificateOptionObj = session.GetValue(SessionParameter.ClientCertificateOption, SessionParameterDefaults.ClientCertificateOption);
if (sslProtocolsobj != null)
{
sslProtocols = $"{sslProtocolsobj}";
if (!string.IsNullOrWhiteSpace(sslProtocols))
{
if (Enum.TryParse <SslProtocols>(sslProtocols, out SslProtocols result))
{
prot = result;
}
}
}
if (clientCertificateOptionObj != null)
{
clientCertificateOption = $"{clientCertificateOptionObj}";
if (!string.IsNullOrWhiteSpace(clientCertificateOption))
{
if (Enum.TryParse <ClientCertificateOption>(clientCertificateOption, out ClientCertificateOption result))
{
clientOption = result;
}
}
}
httpClientHandler.ClientCertificateOptions = clientOption;
httpClientHandler.SslProtocols = prot;
httpClientHandler.ServerCertificateCustomValidationCallback =
(httpRequestMessage, cert, cetChain, policyErrors) =>
{
return(true);
};
// create HttpClient
httpClient = new HttpClient(httpClientHandler, true);
// timeouts
int connectTimeout = session.GetValue(SessionParameter.ConnectTimeout, -2);
if (connectTimeout >= -1)
{
httpClient.Timeout = TimeSpan.FromMilliseconds(connectTimeout);
}
session.PutValue(InvokerHttpClient, httpClient);
}
}
}
HttpRequestMessage request = new HttpRequestMessage(method, url.ToString());
try
{
// set additional headers
string userAgent = session.GetValue(SessionParameter.UserAgent) as string;
request.Headers.UserAgent.Add(ProductInfoHeaderValue.Parse(userAgent ?? ClientVersion.UserAgent));
if (headers != null)
{
foreach (KeyValuePair <string, string> header in headers)
{
request.Headers.TryAddWithoutValidation(header.Key, header.Value);
}
}
// range
if (offset != null && length != null)
{
long longOffset = offset.Value < 0 ? 0 : offset.Value;
if (length.Value > 0)
{
request.Headers.Range = new RangeHeaderValue(longOffset, longOffset + length.Value - 1);
}
else
{
request.Headers.Range = new RangeHeaderValue(longOffset, null);
}
}
else if (offset != null && offset.Value > 0)
{
request.Headers.Range = new RangeHeaderValue(offset, null);
}
// content
if (content != null)
{
request.Headers.TransferEncodingChunked = true;
request.Content = content;
}
// authentication provider
if (authProvider != null)
{
authProvider.PrepareHttpRequestMessage(request);
}
Response response;
try
{
Task <HttpResponseMessage> task = Send(httpClient, request);
if (task.IsFaulted)
{
throw task.Exception;
}
else
{
HttpResponseMessage httpResponseMessage = task.Result;
if (authProvider != null)
{
authProvider.HandleResponse(httpResponseMessage);
}
response = new Response(httpResponseMessage);
}
}
catch (Exception e)
{
throw new CmisConnectionException("Cannot access " + url + ": " + e.Message, e);
}
return(response);
}
finally
{
request.Dispose();
}
}
public async Task AutomaticOrManual_DoesntFailRegardlessOfWhetherClientCertsAreAvailable(ClientCertificateOption mode)
{
if (!BackendSupportsCustomCertificateHandling) // can't use [Conditional*] right now as it's evaluated at the wrong time for SocketsHttpHandler
{
_output.WriteLine($"Skipping {nameof(AutomaticOrManual_DoesntFailRegardlessOfWhetherClientCertsAreAvailable)}()");
return;
}
using (HttpClientHandler handler = CreateHttpClientHandler())
using (var client = new HttpClient(handler))
{
handler.ServerCertificateCustomValidationCallback = delegate { return(true); };
handler.ClientCertificateOptions = mode;
await LoopbackServer.CreateServerAsync(async server =>
{
Task clientTask = client.GetStringAsync(server.Uri);
Task serverTask = server.AcceptConnectionAsync(async connection =>
{
SslStream sslStream = Assert.IsType <SslStream>(connection.Stream);
await connection.ReadRequestHeaderAndSendResponseAsync();
});
await new Task[] { clientTask, serverTask }.WhenAllOrAnyFailed();
}, new LoopbackServer.Options {
UseSsl = true
});
}
}
internal static void SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption)
{
Debug.Assert(
clientCertOption == ClientCertificateOption.Automatic ||
clientCertOption == ClientCertificateOption.Manual);
// Create a client certificate provider if client certs may be used.
X509Certificate2Collection clientCertificates = easy._handler._clientCertificates;
if (clientCertOption != ClientCertificateOption.Manual || clientCertificates?.Count > 0)
{
// libcurl does not have an option of accepting a SecIdentityRef via an input option,
// only via writing it to a file and letting it load the PFX.
// This would require that a) we write said file, and b) that it contaminate the default
// keychain (because their PFX loader loads to the default keychain).
throw new PlatformNotSupportedException(SR.net_http_libcurl_clientcerts_notsupported_os);
}
// Revocation checking is always on for darwinssl (SecureTransport).
// If any other backend is used and revocation is requested, we can't guarantee
// that assertion.
if (easy._handler.CheckCertificateRevocationList &&
!CurlSslVersionDescription.Equals(Interop.Http.SecureTransportDescription))
{
throw new PlatformNotSupportedException(
SR.Format(
SR.net_http_libcurl_revocation_notsupported_sslbackend,
CurlVersionDescription,
CurlSslVersionDescription,
Interop.Http.SecureTransportDescription));
}
if (easy._handler.ServerCertificateCustomValidationCallback != null)
{
// libcurl (as of 7.49.1) does not have any callback which can be registered which fires
// between the time that a TLS/SSL handshake has offered up the server certificate and the
// time that the HTTP request headers are written. Were there any callback, the option
// CURLINFO_TLS_SSL_PTR could be queried (and the backend identifier validated to be
// CURLSSLBACKEND_DARWINSSL). Then the SecTrustRef could be extracted to build the chain,
// a la SslStream.
//
// Without the callback the matrix looks like:
// * If default-trusted and callback-would-trust: No difference (except side effects, like logging).
// * If default-trusted and callback-would-block: Data would have been sent in violation of user trust.
// * If not-default-trusted and callback-would-not-trust: No difference (except side effects).
// * If not-default-trusted and callback-would-trust: No data sent, which doesn't match user desires.
//
// Of the two "different" cases, sending when we shouldn't is worse, so that's the direction we
// have to cater to. So we'll use default trust, and throw on any custom callback.
//
// The situation where system trust fails can be remedied by including the certificate into the
// user's keychain and setting the SSL policy trust for it to "Always Trust".
// Similarly, the "block this" could be attained by setting the SSL policy for a cert in the
// keychain to "Never Trust".
//
// However, one case we can support is when we know all certificates will pass validation.
// We can detect a key case of that: whether DangerousAcceptAnyServerCertificateValidator was used.
if (easy.ServerCertificateValidationCallbackAcceptsAll)
{
EventSourceTrace("Warning: Disabling peer verification per {0}", nameof(HttpClientHandler.DangerousAcceptAnyServerCertificateValidator), easy: easy);
easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYPEER, 0); // don't verify the peer
// Don't set CURLOPT_SSL_VERIFHOST to 0; doing so disables SNI with SecureTransport backend.
if (!CurlSslVersionDescription.Equals(Interop.Http.SecureTransportDescription))
{
easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYHOST, 0); // don't verify the hostname
}
}
else
{
throw new PlatformNotSupportedException(SR.net_http_libcurl_callback_notsupported_os);
}
}
SetSslVersion(easy);
}
internal static void SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption)
{
Debug.Assert(clientCertOption == ClientCertificateOption.Automatic || clientCertOption == ClientCertificateOption.Manual);
// Create a client certificate provider if client certs may be used.
X509Certificate2Collection clientCertificates = easy._handler._clientCertificates;
ClientCertificateProvider certProvider =
clientCertOption == ClientCertificateOption.Automatic ? new ClientCertificateProvider(null) : // automatic
clientCertificates?.Count > 0 ? new ClientCertificateProvider(clientCertificates) : // manual with certs
null; // manual without certs
IntPtr userPointer = IntPtr.Zero;
if (certProvider != null)
{
// The client cert provider needs to be passed through to the callback, and thus
// we create a GCHandle to keep it rooted. This handle needs to be cleaned up
// when the request has completed, and a simple and pay-for-play way to do that
// is by cleaning it up in a continuation off of the request.
userPointer = GCHandle.ToIntPtr(certProvider._gcHandle);
easy.Task.ContinueWith((_, state) => ((IDisposable)state).Dispose(), certProvider,
CancellationToken.None, TaskContinuationOptions.ExecuteSynchronously, TaskScheduler.Default);
}
// Register the callback with libcurl. We need to register even if there's no user-provided
// server callback and even if there are no client certificates, because we support verifying
// server certificates against more than those known to OpenSSL.
CURLcode answer = easy.SetSslCtxCallback(s_sslCtxCallback, userPointer);
switch (answer)
{
case CURLcode.CURLE_OK:
// We successfully registered. If we'll be invoking a user-provided callback to verify the server
// certificate as part of that, disable libcurl's verification of the host name. The user's callback
// needs to be given the opportunity to examine the cert, and our logic will determine whether
// the host name matches and will inform the callback of that.
if (easy._handler.ServerCertificateValidationCallback != null)
{
easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYHOST, 0); // don't verify the peer cert's hostname
// We don't change the SSL_VERIFYPEER setting, as setting it to 0 will cause
// SSL and libcurl to ignore the result of the server callback.
}
// The allowed SSL protocols will be set in the configuration callback.
break;
case CURLcode.CURLE_UNKNOWN_OPTION: // Curl 7.38 and prior
case CURLcode.CURLE_NOT_BUILT_IN: // Curl 7.39 and later
// It's ok if we failed to register the callback if all of the defaults are in play
// with relation to handling of certificates. But if that's not the case, failing to
// register the callback will result in those options not being factored in, which is
// a significant enough error that we need to fail.
EventSourceTrace("CURLOPT_SSL_CTX_FUNCTION not supported: {0}", answer, easy: easy);
if (certProvider != null ||
easy._handler.ServerCertificateValidationCallback != null ||
easy._handler.CheckCertificateRevocationList)
{
throw new PlatformNotSupportedException(
SR.Format(SR.net_http_unix_invalid_certcallback_option, CurlVersionDescription, CurlSslVersionDescription));
}
// Since there won't be a callback to configure the allowed SSL protocols, configure them here.
SetSslVersion(easy);
break;
default:
ThrowIfCURLEError(answer);
break;
}
}
private async Task<HttpResponseMessage> SendGetRequest(OwinHttpListener listener, string address, ClientCertificateOption certOptions)
{
using (listener)
{
var handler = new WebRequestHandler();
// Ignore server cert errors.
handler.ServerCertificateValidationCallback = (a, b, c, d) => true;
handler.ClientCertificateOptions = certOptions;
var client = new HttpClient(handler);
return await client.GetAsync(address);
}
}
internal static void SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption)
{
Debug.Assert(clientCertOption == ClientCertificateOption.Automatic || clientCertOption == ClientCertificateOption.Manual);
// Create a client certificate provider if client certs may be used.
X509Certificate2Collection clientCertificates = easy._handler._clientCertificates;
ClientCertificateProvider certProvider =
clientCertOption == ClientCertificateOption.Automatic ? new ClientCertificateProvider(null) : // automatic
clientCertificates?.Count > 0 ? new ClientCertificateProvider(clientCertificates) : // manual with certs
null; // manual without certs
IntPtr userPointer = IntPtr.Zero;
if (certProvider != null)
{
// The client cert provider needs to be passed through to the callback, and thus
// we create a GCHandle to keep it rooted. This handle needs to be cleaned up
// when the request has completed, and a simple and pay-for-play way to do that
// is by cleaning it up in a continuation off of the request.
userPointer = GCHandle.ToIntPtr(certProvider._gcHandle);
easy.Task.ContinueWith((_, state) => ((IDisposable)state).Dispose(), certProvider,
CancellationToken.None, TaskContinuationOptions.ExecuteSynchronously, TaskScheduler.Default);
}
// Register the callback with libcurl. We need to register even if there's no user-provided
// server callback and even if there are no client certificates, because we support verifying
// server certificates against more than those known to OpenSSL.
CURLcode answer = easy.SetSslCtxCallback(s_sslCtxCallback, userPointer);
switch (answer)
{
case CURLcode.CURLE_OK:
// We successfully registered. If we'll be invoking a user-provided callback to verify the server
// certificate as part of that, disable libcurl's verification of the host name. The user's callback
// needs to be given the opportunity to examine the cert, and our logic will determine whether
// the host name matches and will inform the callback of that.
if (easy._handler.ServerCertificateValidationCallback != null)
{
easy.SetCurlOption(Interop.Http.CURLoption.CURLOPT_SSL_VERIFYHOST, 0); // don't verify the peer cert's hostname
// We don't change the SSL_VERIFYPEER setting, as setting it to 0 will cause
// SSL and libcurl to ignore the result of the server callback.
}
// The allowed SSL protocols will be set in the configuration callback.
break;
case CURLcode.CURLE_UNKNOWN_OPTION: // Curl 7.38 and prior
case CURLcode.CURLE_NOT_BUILT_IN: // Curl 7.39 and later
// It's ok if we failed to register the callback if all of the defaults are in play
// with relation to handling of certificates. But if that's not the case, failing to
// register the callback will result in those options not being factored in, which is
// a significant enough error that we need to fail.
EventSourceTrace("CURLOPT_SSL_CTX_FUNCTION not supported: {0}", answer);
if (certProvider != null ||
easy._handler.ServerCertificateValidationCallback != null ||
easy._handler.CheckCertificateRevocationList)
{
throw new PlatformNotSupportedException(
SR.Format(SR.net_http_unix_invalid_certcallback_option, CurlVersionDescription, CurlSslVersionDescription));
}
// Since there won't be a callback to configure the allowed SSL protocols, configure them here.
SetSslVersion(easy);
break;
default:
ThrowIfCURLEError(answer);
break;
}
}
public static IHttpClientBuilder WithClientCertificateOptions(this IHttpClientBuilder builder, ClientCertificateOption options)
{
return(builder.WithConfiguration(s => s.ClientCertificateOptions = options));
}
private void SetClientCertificateOptions(ClientCertificateOption value) => InvokeNativeHandlerMethod("set_ClientCertificateOptions", value);
public HttpClientHandler()
{
this.rtFilter = new RTHttpBaseProtocolFilter();
this.handlerToFilter = new HttpHandlerToFilter(this.rtFilter);
this.clientCertificateOptions = ClientCertificateOption.Manual;
InitRTCookieUsageBehavior();
this.useCookies = true; // deal with cookies by default.
this.cookieContainer = new CookieContainer(); // default container used for dealing with auto-cookies.
// Managed at this layer for granularity, but uses the desktop default.
this.rtFilter.AutomaticDecompression = false;
this.automaticDecompression = DecompressionMethods.None;
// Set initial proxy credentials based on default system proxy.
SetProxyCredential(null);
// We don't support using the UI model in HttpBaseProtocolFilter() especially for auto-handling 401 responses.
this.rtFilter.AllowUI = false;
// The .NET Desktop System.Net Http APIs (based on HttpWebRequest/HttpClient) uses no caching by default.
// To preserve app-compat, we turn off caching (as much as possible) in the WinRT HttpClient APIs.
// TODO (#7877): use RTHttpCacheReadBehavior.NoCache when available in the next version of WinRT HttpClient API.
this.rtFilter.CacheControl.ReadBehavior = RTHttpCacheReadBehavior.MostRecent;
this.rtFilter.CacheControl.WriteBehavior = RTHttpCacheWriteBehavior.NoCache;
}
public async Task AutomaticOrManual_DoesntFailRegardlessOfWhetherClientCertsAreAvailable(ClientCertificateOption mode)
{
using (HttpClientHandler handler = CreateHttpClientHandler())
using (HttpClient client = CreateHttpClient(handler))
{
handler.ServerCertificateCustomValidationCallback = TestHelper.AllowAllCertificates;
handler.ClientCertificateOptions = mode;
await LoopbackServer.CreateServerAsync(async server =>
{
Task clientTask = client.GetStringAsync(server.Address);
Task serverTask = server.AcceptConnectionAsync(async connection =>
{
SslStream sslStream = Assert.IsType <SslStream>(connection.Stream);
await connection.ReadRequestHeaderAndSendResponseAsync();
});
await new Task[] { clientTask, serverTask }.WhenAllOrAnyFailed();
}, new LoopbackServer.Options {
UseSsl = true
});
}
}
