public async Task SslStream_ServerEKUClientAuth_Fails() { var serverOptions = new HttpsTestServer.Options(); serverOptions.ServerCertificate = serverCertificateServerEku; serverOptions.RequireClientAuthentication = true; using (var server = new HttpsTestServer(serverOptions)) { server.Start(); var clientOptions = new HttpsTestClient.Options(new IPEndPoint(IPAddress.Loopback, server.Port)); clientOptions.ServerName = serverOptions.ServerCertificate.GetNameInfo(X509NameType.SimpleName, false); clientOptions.ClientCertificate = clientCertificateWrongEku; var client = new HttpsTestClient(clientOptions); var tasks = new Task[2]; tasks[0] = server.AcceptHttpsClientAsync(); tasks[1] = client.HttpsRequestAsync(); await Assert.ThrowsAsync <AuthenticationException>(() => tasks[0]); if (OperatingSystem.IsWindows()) { // IOException is thrown when trying to read from a disconnected socket. await Assert.ThrowsAsync <IOException>(() => tasks[1]); } else { // Zero bytes read by client on disconnected socket. await Assert.ThrowsAsync <InvalidOperationException>(() => tasks[1]); } } }
public async Task SslStream_SelfSignedClientEKUClientAuth_Ok() { var serverOptions = new HttpsTestServer.Options(); serverOptions.ServerCertificate = serverCertificateServerEku; serverOptions.RequireClientAuthentication = true; serverOptions.IgnoreSslPolicyErrors = SslPolicyErrors.RemoteCertificateChainErrors; using (var server = new HttpsTestServer(serverOptions)) { server.Start(); var clientOptions = new HttpsTestClient.Options(new IPEndPoint(IPAddress.Loopback, server.Port)); clientOptions.ServerName = serverOptions.ServerCertificate.GetNameInfo(X509NameType.SimpleName, false); clientOptions.ClientCertificate = Configuration.Certificates.GetSelfSignedClientCertificate(); var client = new HttpsTestClient(clientOptions); var tasks = new Task[2]; tasks[0] = server.AcceptHttpsClientAsync(); tasks[1] = client.HttpsRequestAsync(); await Task.WhenAll(tasks).WaitAsync(TimeSpan.FromMilliseconds(TestTimeoutMilliseconds)); } }
public async Task SslStream_ClientEKUServerAuth_Fails() { var serverOptions = new HttpsTestServer.Options(); serverOptions.ServerCertificate = serverCertificateWrongEku; using (var server = new HttpsTestServer(serverOptions)) { server.Start(); var clientOptions = new HttpsTestClient.Options(new IPEndPoint(IPAddress.Loopback, server.Port)); clientOptions.ServerName = serverOptions.ServerCertificate.GetNameInfo(X509NameType.SimpleName, false); var client = new HttpsTestClient(clientOptions); var tasks = new Task[2]; tasks[0] = server.AcceptHttpsClientAsync(); tasks[1] = client.HttpsRequestAsync(); var exception = await Assert.ThrowsAsync <AuthenticationException>(() => tasks[1]); } }
public async Task SslStream_NoEKUServerAuth_Ok() { var serverOptions = new HttpsTestServer.Options(); serverOptions.ServerCertificate = serverCertificateNoEku; using (var server = new HttpsTestServer(serverOptions)) { server.Start(); var clientOptions = new HttpsTestClient.Options(new IPEndPoint(IPAddress.Loopback, server.Port)); clientOptions.ServerName = serverOptions.ServerCertificate.GetNameInfo(X509NameType.SimpleName, false); var client = new HttpsTestClient(clientOptions); var tasks = new Task[2]; tasks[0] = server.AcceptHttpsClientAsync(); tasks[1] = client.HttpsRequestAsync(); await Task.WhenAll(tasks).WaitAsync(TimeSpan.FromMilliseconds(TestTimeoutMilliseconds)); } }
public async Task SslStream_ClientAndServerUsesAuxRecord_Ok() { using (var server = new HttpsTestServer()) { server.Start(); var tasks = new Task[2]; bool serverAuxRecordDetected = false; bool serverAuxRecordDetectedInconclusive = false; int serverTotalBytesReceived = 0; int serverChunks = 0; tasks[0] = server.AcceptHttpsClientAsync((requestString) => { serverTotalBytesReceived += requestString.Length; if (serverTotalBytesReceived == 1 && serverChunks == 0) { serverAuxRecordDetected = true; } serverChunks++; // Test is inconclusive if any non-CBC cipher is used: if (server.Stream.CipherAlgorithm == CipherAlgorithmType.None || server.Stream.CipherAlgorithm == CipherAlgorithmType.Null || server.Stream.CipherAlgorithm == CipherAlgorithmType.Rc4) { serverAuxRecordDetectedInconclusive = true; } if (serverTotalBytesReceived < 5) { return(Task.FromResult <string>(null)); } else { return(Task.FromResult(HttpsTestServer.Options.DefaultResponseString)); } }); var clientOptions = new HttpsTestClient.Options(new IPEndPoint(IPAddress.Loopback, server.Port)); clientOptions.AllowedProtocols = SslProtocols.Tls; clientOptions.IgnoreSslPolicyErrors = SslPolicyErrors.RemoteCertificateNameMismatch | SslPolicyErrors.RemoteCertificateChainErrors; var client = new HttpsTestClient(clientOptions); bool clientAuxRecordDetected = false; bool clientAuxRecordDetectedInconclusive = false; int clientTotalBytesReceived = 0; int clientChunks = 0; tasks[1] = client.HttpsRequestAsync((responseString) => { if (responseString == null) { string requestString = string.Format( HttpsTestClient.Options.DefaultRequestStringTemplate, clientOptions.ServerName); return(Task.FromResult(requestString)); } clientTotalBytesReceived += responseString.Length; if (clientTotalBytesReceived == 1 && clientChunks == 0) { clientAuxRecordDetected = true; } // Test is inconclusive if any non-CBC cipher is used: if (client.Stream.CipherAlgorithm == CipherAlgorithmType.None || client.Stream.CipherAlgorithm == CipherAlgorithmType.Null || client.Stream.CipherAlgorithm == CipherAlgorithmType.Rc4) { clientAuxRecordDetectedInconclusive = true; } return(Task.FromResult <string>(null)); }); await Task.WhenAll(tasks).TimeoutAfter(TestConfiguration.PassingTestTimeoutMilliseconds); if (serverAuxRecordDetectedInconclusive || clientAuxRecordDetectedInconclusive) { _output.WriteLine("Test inconclusive: The Operating system preferred a non-CBC or Null cipher."); } else { Assert.True(serverAuxRecordDetected, "Server reports: Client auxiliary record not detected."); Assert.True(clientAuxRecordDetected, "Client reports: Server auxiliary record not detected."); } } }