public override async ValueTask InitializeAsync(CancellationToken cancel) { await _underlying.InitializeAsync(cancel).ConfigureAwait(false); // This can only be created with a connected socket. _sslStream = new SslStream(new NetworkStream(_underlying.Socket !, false), false); try { if (_incoming) { var options = new SslServerAuthenticationOptions(); options.ServerCertificate = _engine.TlsServerOptions.ServerCertificate; options.ClientCertificateRequired = _engine.TlsServerOptions.RequireClientCertificate; options.EnabledSslProtocols = _engine.TlsServerOptions.EnabledSslProtocols !.Value; options.RemoteCertificateValidationCallback = _engine.TlsServerOptions.ClientCertificateValidationCallback ?? RemoteCertificateValidationCallback; options.CertificateRevocationCheckMode = X509RevocationMode.NoCheck; await _sslStream.AuthenticateAsServerAsync(options, cancel).ConfigureAwait(false); } else { var options = new SslClientAuthenticationOptions(); options.TargetHost = _host; options.ClientCertificates = _engine.TlsClientOptions.ClientCertificates; options.EnabledSslProtocols = _engine.TlsClientOptions.EnabledSslProtocols !.Value; options.RemoteCertificateValidationCallback = _engine.TlsClientOptions.ServerCertificateValidationCallback ?? RemoteCertificateValidationCallback; options.LocalCertificateSelectionCallback = _engine.TlsClientOptions.ClientCertificateSelectionCallback ?? (options.ClientCertificates?.Count > 0 ? CertificateSelectionCallback : (LocalCertificateSelectionCallback?)null); options.CertificateRevocationCheckMode = X509RevocationMode.NoCheck; await _sslStream.AuthenticateAsClientAsync(options, cancel).ConfigureAwait(false); } } catch (IOException ex) when(ex.IsConnectionLost()) { throw new ConnectionLostException(ex, RetryPolicy.AfterDelay(TimeSpan.Zero)); } catch (IOException ex) { throw new TransportException(ex, RetryPolicy.AfterDelay(TimeSpan.Zero)); } catch (AuthenticationException ex) { throw new TransportException(ex, RetryPolicy.OtherReplica); } if (_engine.SecurityTraceLevel >= 1) { _engine.TraceStream(_sslStream, ToString()); } // Use a buffered stream for writes. This ensures that small requests which are composed of multiple // small buffers will be sent within a single SSL frame. _writeStream = new BufferedStream(_sslStream); }
public async ValueTask InitializeAsync(CancellationToken cancel) { await _underlying.InitializeAsync(cancel).ConfigureAwait(false); SslStream = new SslStream(new NetworkStream(_underlying.Socket !, false), false); try { if (_incoming) { var options = new SslServerAuthenticationOptions(); options.ServerCertificate = _engine.TlsServerOptions.ServerCertificate; options.ClientCertificateRequired = _engine.TlsServerOptions.RequireClientCertificate; options.EnabledSslProtocols = _engine.TlsServerOptions.EnabledSslProtocols !.Value; options.RemoteCertificateValidationCallback = _engine.TlsServerOptions.ClientCertificateValidationCallback ?? RemoteCertificateValidationCallback; options.CertificateRevocationCheckMode = X509RevocationMode.NoCheck; await SslStream.AuthenticateAsServerAsync(options, cancel).ConfigureAwait(false); } else { var options = new SslClientAuthenticationOptions(); options.TargetHost = _host; options.ClientCertificates = _engine.TlsClientOptions.ClientCertificates; options.EnabledSslProtocols = _engine.TlsClientOptions.EnabledSslProtocols !.Value; options.RemoteCertificateValidationCallback = _engine.TlsClientOptions.ServerCertificateValidationCallback ?? RemoteCertificateValidationCallback; options.LocalCertificateSelectionCallback = _engine.TlsClientOptions.ClientCertificateSelectionCallback ?? (options.ClientCertificates?.Count > 0 ? CertificateSelectionCallback : (LocalCertificateSelectionCallback?)null); options.CertificateRevocationCheckMode = X509RevocationMode.NoCheck; await SslStream.AuthenticateAsClientAsync(options, cancel).ConfigureAwait(false); } } catch (IOException ex) when(ex.IsConnectionLost()) { throw new ConnectionLostException(ex); } catch (IOException ex) { throw new TransportException(ex); } catch (AuthenticationException ex) { throw new TransportException(ex); } string description = ToString(); if (!_engine.SslTrustManager.Verify(_incoming, SslStream.RemoteCertificate as X509Certificate2, _adapterName ?? "", description)) { var s = new StringBuilder(); s.Append(_incoming ? "incoming " : "outgoing"); s.Append("connection rejected by trust manager\n"); s.Append(description); if (_engine.SecurityTraceLevel >= 1) { _communicator.Logger.Trace(_engine.SecurityTraceCategory, s.ToString()); } throw new TransportException(s.ToString()); } if (_engine.SecurityTraceLevel >= 1) { _engine.TraceStream(SslStream, description); } // Use a buffered stream for writes. This ensures that small requests which are composed of multiple // small buffers will be sent within a single SSL frame. _writeStream = new BufferedStream(SslStream); }
public int Initialize(ref ArraySegment <byte> readBuffer, IList <ArraySegment <byte> > writeBuffer) { if (!_isConnected) { int status = _delegate.Initialize(ref readBuffer, writeBuffer); if (status != SocketOperation.None) { return(status); } _isConnected = true; } Socket?fd = _delegate.Fd(); Debug.Assert(fd != null); Network.SetBlock(fd, true); // SSL requires a blocking socket // // For timeouts to work properly, we need to receive/send // the data in several chunks. Otherwise, we would only be // notified when all the data is received/written. The // connection timeout could easily be triggered when // receiving/sending large frames. // _maxSendPacketSize = Math.Max(512, Network.GetSendBufferSize(fd)); _maxRecvPacketSize = Math.Max(512, Network.GetRecvBufferSize(fd)); if (SslStream == null) { try { SslStream = new SslStream( new NetworkStream(fd, false), false, _engine.RemoteCertificateValidationCallback ?? RemoteCertificateValidationCallback, _engine.CertificateSelectionCallback ?? CertificateSelectionCallback); } catch (IOException ex) { if (Network.ConnectionLost(ex)) { throw new ConnectionLostException(ex); } else { throw new TransportException(ex); } } return(SocketOperation.Connect); } Debug.Assert(SslStream.IsAuthenticated); _authenticated = true; string description = ToString(); if (!_engine.TrustManager.Verify(_incoming, SslStream.RemoteCertificate as X509Certificate2, _adapterName ?? "", description)) { string msg = string.Format("{0} connection rejected by trust manager\n{1}", _incoming ? "incoming" : "outgoing", description); if (_engine.SecurityTraceLevel >= 1) { _communicator.Logger.Trace(_engine.SecurityTraceCategory, msg); } throw new TransportException(msg); } if (_engine.SecurityTraceLevel >= 1) { _engine.TraceStream(SslStream, ToString()); } return(SocketOperation.None); }