THRIFT-3639 C# Thrift library forces TLS 1.0, thwarting TLS 1.2 usage
Client: C# Patch: Nobuaki Sukegawa This closes #871
This commit is contained in:
parent
e1e09c7967
commit
474ddbd06d
@ -20,6 +20,7 @@
|
||||
using System;
|
||||
using System.Net.Security;
|
||||
using System.Net.Sockets;
|
||||
using System.Security.Authentication;
|
||||
using System.Security.Cryptography.X509Certificates;
|
||||
|
||||
namespace Thrift.Transport
|
||||
@ -64,6 +65,11 @@ namespace Thrift.Transport
|
||||
/// </summary>
|
||||
private LocalCertificateSelectionCallback localCertificateSelectionCallback;
|
||||
|
||||
/// <summary>
|
||||
/// The SslProtocols value that represents the protocol used for authentication.
|
||||
/// </summary>
|
||||
private readonly SslProtocols sslProtocols;
|
||||
|
||||
/// <summary>
|
||||
/// Initializes a new instance of the <see cref="TTLSServerSocket" /> class.
|
||||
/// </summary>
|
||||
@ -94,13 +100,16 @@ namespace Thrift.Transport
|
||||
/// <param name="certificate">The certificate object.</param>
|
||||
/// <param name="clientCertValidator">The certificate validator.</param>
|
||||
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
|
||||
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
|
||||
public TTLSServerSocket(
|
||||
int port,
|
||||
int clientTimeout,
|
||||
bool useBufferedSockets,
|
||||
X509Certificate2 certificate,
|
||||
RemoteCertificateValidationCallback clientCertValidator = null,
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
|
||||
// TODO: Enable Tls1 and Tls2 (TLS 1.1 and 1.2) by default once we start using .NET 4.5+.
|
||||
SslProtocols sslProtocols = SslProtocols.Tls)
|
||||
{
|
||||
if (!certificate.HasPrivateKey)
|
||||
{
|
||||
@ -112,6 +121,7 @@ namespace Thrift.Transport
|
||||
this.useBufferedSockets = useBufferedSockets;
|
||||
this.clientCertValidator = clientCertValidator;
|
||||
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
|
||||
this.sslProtocols = sslProtocols;
|
||||
try
|
||||
{
|
||||
// Create server socket
|
||||
@ -168,8 +178,8 @@ namespace Thrift.Transport
|
||||
this.serverCertificate,
|
||||
true,
|
||||
this.clientCertValidator,
|
||||
this.localCertificateSelectionCallback
|
||||
);
|
||||
this.localCertificateSelectionCallback,
|
||||
this.sslProtocols);
|
||||
|
||||
socket.setupTLS();
|
||||
|
||||
|
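Review bot: The TODO added above the new `sslProtocols` parameter in the constructor hunk names enum members that do not exist: `SslProtocols` has `Tls11` and `Tls12`, not `Tls1` and `Tls2`, and the matching comment in TTLSSocket already uses the correct names. Change it to `// TODO: Enable Tls11 and Tls12 (TLS 1.1 and 1.2) by default once we start using .NET 4.5+.` so the two files agree. The `<param name="sslProtocols">` line could also say that the default is `SslProtocols.Tls`, i.e. TLS 1.0 only, since that is the behaviour the issue title is about and callers wanting TLS 1.2 must pass it explicitly. The TTLSServerSocket constructor body continues outside the hunk.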
@ -76,6 +76,11 @@ namespace Thrift.Transport
|
||||
/// </summary>
|
||||
private LocalCertificateSelectionCallback localCertificateSelectionCallback;
|
||||
|
||||
/// <summary>
|
||||
/// The SslProtocols value that represents the protocol used for authentication.SSL protocols to be used.
|
||||
/// </summary>
|
||||
private readonly SslProtocols sslProtocols;
|
||||
|
||||
/// <summary>
|
||||
/// Initializes a new instance of the <see cref="TTLSSocket"/> class.
|
||||
/// </summary>
|
||||
@ -84,17 +89,21 @@ namespace Thrift.Transport
|
||||
/// <param name="isServer">if set to <c>true</c> [is server].</param>
|
||||
/// <param name="certValidator">User defined cert validator.</param>
|
||||
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
|
||||
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
|
||||
public TTLSSocket(
|
||||
TcpClient client,
|
||||
X509Certificate certificate,
|
||||
bool isServer = false,
|
||||
RemoteCertificateValidationCallback certValidator = null,
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
|
||||
// TODO: Enable Tls11 and Tls12 (TLS 1.1 and 1.2) by default once we start using .NET 4.5+.
|
||||
SslProtocols sslProtocols = SslProtocols.Tls)
|
||||
{
|
||||
this.client = client;
|
||||
this.certificate = certificate;
|
||||
this.certValidator = certValidator;
|
||||
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
|
||||
this.sslProtocols = sslProtocols;
|
||||
this.isServer = isServer;
|
||||
if (isServer && certificate == null)
|
||||
{
|
||||
@ -116,13 +125,15 @@ namespace Thrift.Transport
|
||||
/// <param name="certificatePath">The certificate path.</param>
|
||||
/// <param name="certValidator">User defined cert validator.</param>
|
||||
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
|
||||
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
|
||||
public TTLSSocket(
|
||||
string host,
|
||||
int port,
|
||||
string certificatePath,
|
||||
RemoteCertificateValidationCallback certValidator = null,
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
|
||||
: this(host, port, 0, X509Certificate.CreateFromCertFile(certificatePath), certValidator, localCertificateSelectionCallback)
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
|
||||
SslProtocols sslProtocols = SslProtocols.Tls)
|
||||
: this(host, port, 0, X509Certificate.CreateFromCertFile(certificatePath), certValidator, localCertificateSelectionCallback, sslProtocols)
|
||||
{
|
||||
}
|
||||
|
||||
@ -134,13 +145,15 @@ namespace Thrift.Transport
|
||||
/// <param name="certificate">The certificate.</param>
|
||||
/// <param name="certValidator">User defined cert validator.</param>
|
||||
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
|
||||
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
|
||||
public TTLSSocket(
|
||||
string host,
|
||||
int port,
|
||||
X509Certificate certificate = null,
|
||||
RemoteCertificateValidationCallback certValidator = null,
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
|
||||
: this(host, port, 0, certificate, certValidator, localCertificateSelectionCallback)
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
|
||||
SslProtocols sslProtocols = SslProtocols.Tls)
|
||||
: this(host, port, 0, certificate, certValidator, localCertificateSelectionCallback, sslProtocols)
|
||||
{
|
||||
}
|
||||
|
||||
@ -153,13 +166,15 @@ namespace Thrift.Transport
|
||||
/// <param name="certificate">The certificate.</param>
|
||||
/// <param name="certValidator">User defined cert validator.</param>
|
||||
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
|
||||
/// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
|
||||
public TTLSSocket(
|
||||
string host,
|
||||
int port,
|
||||
int timeout,
|
||||
X509Certificate certificate,
|
||||
RemoteCertificateValidationCallback certValidator = null,
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
|
||||
LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
|
||||
SslProtocols sslProtocols = SslProtocols.Tls)
|
||||
{
|
||||
this.host = host;
|
||||
this.port = port;
|
||||
@ -167,6 +182,7 @@ namespace Thrift.Transport
|
||||
this.certificate = certificate;
|
||||
this.certValidator = certValidator;
|
||||
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
|
||||
this.sslProtocols = sslProtocols;
|
||||
|
||||
InitSocket();
|
||||
}
|
||||
@ -314,13 +330,13 @@ namespace Thrift.Transport
|
||||
if (isServer)
|
||||
{
|
||||
// Server authentication
|
||||
this.secureStream.AuthenticateAsServer(this.certificate, this.certValidator != null, SslProtocols.Tls, true);
|
||||
this.secureStream.AuthenticateAsServer(this.certificate, this.certValidator != null, sslProtocols, true);
|
||||
}
|
||||
else
|
||||
{
|
||||
// Client authentication
|
||||
X509CertificateCollection certs = certificate != null ? new X509CertificateCollection { certificate } : new X509CertificateCollection();
|
||||
this.secureStream.AuthenticateAsClient(host, certs, SslProtocols.Tls, true);
|
||||
this.secureStream.AuthenticateAsClient(host, certs, sslProtocols, true);
|
||||
}
|
||||
}
|
||||
catch (Exception)
|
||||
|
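Review bot: The new `sslProtocols` parameter is forwarded unchanged to `AuthenticateAsServer` and `AuthenticateAsClient` in the last hunk, so a caller can still select `SslProtocols.Ssl2` or `SslProtocols.Ssl3` through the public constructors; a guard in the constructor that stores the field, `if ((sslProtocols & (SslProtocols.Ssl2 | SslProtocols.Ssl3)) != 0) throw new ArgumentException("SSL 2.0/3.0 are not supported", nameof(sslProtocols));`, would keep the legacy versions unreachable while leaving the TLS choice to the caller. The field doc comment in the first hunk has two sentences fused: `/// The SslProtocols value that represents the protocol used for authentication.SSL protocols to be used.` should drop the trailing fragment so it matches the `<param>` text. The method containing the two authenticate calls starts and ends outside the last hunk, as does the constructor that assigns `this.sslProtocols`.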
@ -27,6 +27,7 @@ using Thrift.Collections;
|
||||
using Thrift.Protocol;
|
||||
using Thrift.Transport;
|
||||
using Thrift.Test;
|
||||
using System.Security.Authentication;
|
||||
|
||||
namespace Test
|
||||
{
|
||||
@ -60,7 +61,7 @@ namespace Test
|
||||
{
|
||||
string certPath = "../../../../test/keys/client.p12";
|
||||
X509Certificate cert = new X509Certificate2(certPath, "thrift");
|
||||
trans = new TTLSSocket(host, port, cert, (o, c, chain, errors) => true);
|
||||
trans = new TTLSSocket(host, port, 0, cert, (o, c, chain, errors) => true, null, SslProtocols.Tls);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
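Review bot: The explicit `SslProtocols.Tls` argument in the new `TTLSSocket` call pins the cross-test client to TLS 1.0, which is the same value as the library default and the configuration the issue describes as the problem, and nothing on the line says why that version was chosen; the TestServer hunk does the same for `TTLSServerSocket`. A comment such as `// TLS 1.0 only until the library targets .NET 4.5+ (see TODO in TTLSSocket)` on both lines would tie the pin to the library's TODO so it is revisited together. The enclosing method starts and ends outside the hunk.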
@ -32,6 +32,7 @@ using Thrift.Server;
|
||||
using Thrift;
|
||||
using System.Threading;
|
||||
using System.Text;
|
||||
using System.Security.Authentication;
|
||||
|
||||
namespace Test
|
||||
{
|
||||
@ -468,7 +469,7 @@ namespace Test
|
||||
if (useEncryption)
|
||||
{
|
||||
string certPath = "../../../../test/keys/server.p12";
|
||||
trans = new TTLSServerSocket(port, 0, useBufferedSockets, new X509Certificate2(certPath, "thrift"));
|
||||
trans = new TTLSServerSocket(port, 0, useBufferedSockets, new X509Certificate2(certPath, "thrift"), null, null, SslProtocols.Tls);
|
||||
}
|
||||
else
|
||||
{
|
||||
|