THRIFT-3639 C# Thrift library forces TLS 1.0, thwarting TLS 1.2 usage
Client: C#
Patch: Nobuaki Sukegawa
This closes #871
diff --git a/lib/csharp/src/Transport/TTLSServerSocket.cs b/lib/csharp/src/Transport/TTLSServerSocket.cs
index 631a593..99f21ca 100644
--- a/lib/csharp/src/Transport/TTLSServerSocket.cs
+++ b/lib/csharp/src/Transport/TTLSServerSocket.cs
@@ -20,6 +20,7 @@
using System;
using System.Net.Security;
using System.Net.Sockets;
+using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
namespace Thrift.Transport
@@ -65,6 +66,11 @@
private LocalCertificateSelectionCallback localCertificateSelectionCallback;
/// <summary>
+ /// The SslProtocols value that represents the protocol used for authentication.
+ /// </summary>
+ private readonly SslProtocols sslProtocols;
+
+ /// <summary>
/// Initializes a new instance of the <see cref="TTLSServerSocket" /> class.
/// </summary>
/// <param name="port">The port where the server runs.</param>
@@ -94,13 +100,16 @@
/// <param name="certificate">The certificate object.</param>
/// <param name="clientCertValidator">The certificate validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
+ /// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSServerSocket(
int port,
int clientTimeout,
bool useBufferedSockets,
X509Certificate2 certificate,
RemoteCertificateValidationCallback clientCertValidator = null,
- LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
+ LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
+ // TODO: Enable Tls1 and Tls2 (TLS 1.1 and 1.2) by default once we start using .NET 4.5+.
+ SslProtocols sslProtocols = SslProtocols.Tls)
{
if (!certificate.HasPrivateKey)
{
@@ -112,6 +121,7 @@
this.useBufferedSockets = useBufferedSockets;
this.clientCertValidator = clientCertValidator;
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
+ this.sslProtocols = sslProtocols;
try
{
// Create server socket
@@ -168,8 +178,8 @@
this.serverCertificate,
true,
this.clientCertValidator,
- this.localCertificateSelectionCallback
- );
+ this.localCertificateSelectionCallback,
+ this.sslProtocols);
socket.setupTLS();
diff --git a/lib/csharp/src/Transport/TTLSSocket.cs b/lib/csharp/src/Transport/TTLSSocket.cs
index 2be7a41..08f0215 100644
--- a/lib/csharp/src/Transport/TTLSSocket.cs
+++ b/lib/csharp/src/Transport/TTLSSocket.cs
@@ -77,6 +77,11 @@
private LocalCertificateSelectionCallback localCertificateSelectionCallback;
/// <summary>
+ /// The SslProtocols value that represents the protocol used for authentication.SSL protocols to be used.
+ /// </summary>
+ private readonly SslProtocols sslProtocols;
+
+ /// <summary>
/// Initializes a new instance of the <see cref="TTLSSocket"/> class.
/// </summary>
/// <param name="client">An already created TCP-client</param>
@@ -84,17 +89,21 @@
/// <param name="isServer">if set to <c>true</c> [is server].</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
+ /// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSSocket(
TcpClient client,
X509Certificate certificate,
bool isServer = false,
RemoteCertificateValidationCallback certValidator = null,
- LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
+ LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
+ // TODO: Enable Tls11 and Tls12 (TLS 1.1 and 1.2) by default once we start using .NET 4.5+.
+ SslProtocols sslProtocols = SslProtocols.Tls)
{
this.client = client;
this.certificate = certificate;
this.certValidator = certValidator;
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
+ this.sslProtocols = sslProtocols;
this.isServer = isServer;
if (isServer && certificate == null)
{
@@ -116,13 +125,15 @@
/// <param name="certificatePath">The certificate path.</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
+ /// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSSocket(
string host,
int port,
string certificatePath,
RemoteCertificateValidationCallback certValidator = null,
- LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
- : this(host, port, 0, X509Certificate.CreateFromCertFile(certificatePath), certValidator, localCertificateSelectionCallback)
+ LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
+ SslProtocols sslProtocols = SslProtocols.Tls)
+ : this(host, port, 0, X509Certificate.CreateFromCertFile(certificatePath), certValidator, localCertificateSelectionCallback, sslProtocols)
{
}
@@ -134,13 +145,15 @@
/// <param name="certificate">The certificate.</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
+ /// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSSocket(
string host,
int port,
X509Certificate certificate = null,
RemoteCertificateValidationCallback certValidator = null,
- LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
- : this(host, port, 0, certificate, certValidator, localCertificateSelectionCallback)
+ LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
+ SslProtocols sslProtocols = SslProtocols.Tls)
+ : this(host, port, 0, certificate, certValidator, localCertificateSelectionCallback, sslProtocols)
{
}
@@ -153,13 +166,15 @@
/// <param name="certificate">The certificate.</param>
/// <param name="certValidator">User defined cert validator.</param>
/// <param name="localCertificateSelectionCallback">The callback to select which certificate to use.</param>
+ /// <param name="sslProtocols">The SslProtocols value that represents the protocol used for authentication.</param>
public TTLSSocket(
string host,
int port,
int timeout,
X509Certificate certificate,
RemoteCertificateValidationCallback certValidator = null,
- LocalCertificateSelectionCallback localCertificateSelectionCallback = null)
+ LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
+ SslProtocols sslProtocols = SslProtocols.Tls)
{
this.host = host;
this.port = port;
@@ -167,6 +182,7 @@
this.certificate = certificate;
this.certValidator = certValidator;
this.localCertificateSelectionCallback = localCertificateSelectionCallback;
+ this.sslProtocols = sslProtocols;
InitSocket();
}
@@ -314,13 +330,13 @@
if (isServer)
{
// Server authentication
- this.secureStream.AuthenticateAsServer(this.certificate, this.certValidator != null, SslProtocols.Tls, true);
+ this.secureStream.AuthenticateAsServer(this.certificate, this.certValidator != null, sslProtocols, true);
}
else
{
// Client authentication
X509CertificateCollection certs = certificate != null ? new X509CertificateCollection { certificate } : new X509CertificateCollection();
- this.secureStream.AuthenticateAsClient(host, certs, SslProtocols.Tls, true);
+ this.secureStream.AuthenticateAsClient(host, certs, sslProtocols, true);
}
}
catch (Exception)
diff --git a/lib/csharp/test/ThriftTest/TestClient.cs b/lib/csharp/test/ThriftTest/TestClient.cs
index 4c42ef7..cb73597 100644
--- a/lib/csharp/test/ThriftTest/TestClient.cs
+++ b/lib/csharp/test/ThriftTest/TestClient.cs
@@ -27,6 +27,7 @@
using Thrift.Protocol;
using Thrift.Transport;
using Thrift.Test;
+using System.Security.Authentication;
namespace Test
{
@@ -60,7 +61,7 @@
{
string certPath = "../../../../test/keys/client.p12";
X509Certificate cert = new X509Certificate2(certPath, "thrift");
- trans = new TTLSSocket(host, port, cert, (o, c, chain, errors) => true);
+ trans = new TTLSSocket(host, port, 0, cert, (o, c, chain, errors) => true, null, SslProtocols.Tls);
}
else
{
diff --git a/lib/csharp/test/ThriftTest/TestServer.cs b/lib/csharp/test/ThriftTest/TestServer.cs
index 4c8fc3b..e51ae92 100644
--- a/lib/csharp/test/ThriftTest/TestServer.cs
+++ b/lib/csharp/test/ThriftTest/TestServer.cs
@@ -32,6 +32,7 @@
using Thrift;
using System.Threading;
using System.Text;
+using System.Security.Authentication;
namespace Test
{
@@ -468,7 +469,7 @@
if (useEncryption)
{
string certPath = "../../../../test/keys/server.p12";
- trans = new TTLSServerSocket(port, 0, useBufferedSockets, new X509Certificate2(certPath, "thrift"));
+ trans = new TTLSServerSocket(port, 0, useBufferedSockets, new X509Certificate2(certPath, "thrift"), null, null, SslProtocols.Tls);
}
else
{