Posted to commits@ignite.apache.org by pt...@apache.org on 2021/11/16 10:14:35 UTC

[ignite] branch ignite-15915 created (now 25a797d)

This is an automated email from the ASF dual-hosted git repository.

ptupitsyn pushed a change to branch ignite-15915
in repository https://gitbox.apache.org/repos/asf/ignite.git.


      at 25a797d  Cleanup

This branch includes the following new commits:

     new f1826fa  IGNITE-15915 .NET: Allow null SslStreamFactory.CertificatePath
     new 25a797d  Cleanup

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[ignite] 01/02: IGNITE-15915 .NET: Allow null SslStreamFactory.CertificatePath

Posted by pt...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ptupitsyn pushed a commit to branch ignite-15915
in repository https://gitbox.apache.org/repos/asf/ignite.git

commit f1826fa2f347691a2350e7c7a67d48d2bf12c4b4
Author: Pavel Tupitsyn <pt...@apache.org>
AuthorDate: Tue Nov 16 13:12:08 2021 +0300

    IGNITE-15915 .NET: Allow null SslStreamFactory.CertificatePath
    
    Allow thin client to establish SSL connection without client-side certificate when `ClientConnectorConfiguration.sslClientAuth` is `false` on server.
---
 .../Apache.Ignite.Core.Tests.DotNetCore.csproj     |  3 +
 .../Client/ClientConnectionTest.cs                 | 65 +++++++++++++++++++
 .../Client/RawSecureSocketTest.cs                  | 74 ++++++++++++++++------
 ...-ssl.xml => server-with-ssl-no-client-auth.xml} | 29 ++++-----
 .../Config/Client/server-with-ssl.xml              |  2 +-
 .../Apache.Ignite.Core/Client/SslStreamFactory.cs  |  9 ++-
 6 files changed, 145 insertions(+), 37 deletions(-)

diff --git a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Apache.Ignite.Core.Tests.DotNetCore.csproj b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Apache.Ignite.Core.Tests.DotNetCore.csproj
index bcdedc2..a1dd4f1 100644
--- a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Apache.Ignite.Core.Tests.DotNetCore.csproj
+++ b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Apache.Ignite.Core.Tests.DotNetCore.csproj
@@ -107,6 +107,9 @@
     <None Update="Examples\ExpectedOutput\**">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Update="Config\Client\server-with-ssl-no-client-auth.xml">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
   </ItemGroup>
 
   <ItemGroup>
diff --git a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/ClientConnectionTest.cs b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/ClientConnectionTest.cs
index 457d261..9bdfdeb 100644
--- a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/ClientConnectionTest.cs
+++ b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/ClientConnectionTest.cs
@@ -22,6 +22,7 @@ namespace Apache.Ignite.Core.Tests.Client
     using System.Linq;
     using System.Net;
     using System.Net.Sockets;
+    using System.Security.Authentication;
     using System.Text.RegularExpressions;
     using System.Threading;
     using System.Threading.Tasks;
@@ -666,6 +667,70 @@ namespace Apache.Ignite.Core.Tests.Client
         }
 
         /// <summary>
+        /// Tests SSL connection with client-side SSL certificate.
+        /// </summary>
+        [Test]
+        public void TestSslConnectionWithClientAuth()
+        {
+            Ignition.Start(new IgniteConfiguration(TestUtils.GetTestConfiguration())
+            {
+                SpringConfigUrl = Path.Combine("Config", "Client", "server-with-ssl.xml")
+            });
+
+            var cfg = new IgniteClientConfiguration
+            {
+                Endpoints = new[] { "127.0.0.1:11110" },
+                SslStreamFactory = new SslStreamFactory
+                {
+                    CertificatePath = Path.Combine("Config", "Client", "thin-client-cert.pfx"),
+                    CertificatePassword = "123456",
+                    SkipServerCertificateValidation = true,
+                    CheckCertificateRevocation = true,
+#if !NETCOREAPP
+                    SslProtocols = SslProtocols.Tls
+#else
+                    SslProtocols = SslProtocols.Tls12
+#endif
+                }
+            };
+
+            using (var client = Ignition.StartClient(cfg))
+            {
+                Assert.AreEqual(1, client.GetCluster().GetNodes().Count);
+            }
+
+            // Does not connect without client certificate.
+            cfg.SslStreamFactory = new SslStreamFactory { SkipServerCertificateValidation = true };
+            Assert.Catch<Exception>(() => Ignition.StartClient(cfg));
+        }
+
+        /// <summary>
+        /// Tests SSL connection without client-side SSL certificate.
+        /// </summary>
+        [Test]
+        public void TestSslConnectionWithoutClientAuth()
+        {
+            Ignition.Start(new IgniteConfiguration(TestUtils.GetTestConfiguration())
+            {
+                SpringConfigUrl = Path.Combine("Config", "Client", "server-with-ssl-no-client-auth.xml"),
+            });
+
+            var cfg = new IgniteClientConfiguration
+            {
+                Endpoints = new[] { "127.0.0.1:11120" },
+                SslStreamFactory = new SslStreamFactory
+                {
+                    SkipServerCertificateValidation = true
+                }
+            };
+
+            using (var client = Ignition.StartClient(cfg))
+            {
+                Assert.AreEqual(1, client.GetCluster().GetNodes().Count);
+            }
+        }
+
+        /// <summary>
         /// Starts the client.
         /// </summary>
         private static IIgniteClient StartClient()
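Review bot: The negative check that closes `TestSslConnectionWithClientAuth`, `Assert.Catch<Exception>(() => Ignition.StartClient(cfg));`, passes on any failure at all, so a refused connection or a node that never started satisfies it just as well as a rejected handshake. It therefore does not show that the server turned the client away for lacking a certificate; narrow the assertion to the exception type the failed TLS handshake actually surfaces and check its message or inner exception. Separately, the `#if !NETCOREAPP` branch pins `SslProtocols = SslProtocols.Tls`, which is TLS 1.0; unless that target genuinely cannot negotiate anything newer, use `SslProtocols.Tls12` in both branches. Both tests also set `SkipServerCertificateValidation = true`, and a one-line comment marking that as a test-fixture setting would keep the snippet from being read as a usage example.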
diff --git a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/RawSecureSocketTest.cs b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/RawSecureSocketTest.cs
index 799c6c6..80bc633 100644
--- a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/RawSecureSocketTest.cs
+++ b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/RawSecureSocketTest.cs
@@ -31,35 +31,70 @@ namespace Apache.Ignite.Core.Tests.Client
     /// </summary>
     public class RawSecureSocketTest
     {
+        [TestFixtureSetUp]
+        public void FixtureSetUp()
+        {
+            var cfg = new IgniteConfiguration(TestUtils.GetTestConfiguration())
+            {
+                SpringConfigUrl = Path.Combine("Config", "Client", "server-with-ssl.xml")
+            };
+
+            Ignition.Start(cfg);
+
+            var cfgNoClientAuth = new IgniteConfiguration(TestUtils.GetTestConfiguration())
+            {
+                SpringConfigUrl = Path.Combine("Config", "Client", "server-with-ssl-no-client-auth.xml"),
+                AutoGenerateIgniteInstanceName = true
+            };
+
+            Ignition.Start(cfgNoClientAuth);
+        }
+
+        [TestFixtureTearDown]
+        public void FixtureTearDown()
+        {
+            Ignition.StopAll(true);
+        }
+
         /// <summary>
         /// Tests that we can do handshake over SSL without using Ignite.NET APIs.
         /// </summary>
         [Test]
-        public void TestHandshake()
+        public void TestHandshake([Values(true, false)] bool clientCert)
         {
-            var igniteConfiguration = new IgniteConfiguration(TestUtils.GetTestConfiguration())
-            {
-                SpringConfigUrl = Path.Combine("Config", "Client", "server-with-ssl.xml")
-            };
+            const string host = "127.0.0.1";
+            var port = clientCert ? 11110 : 11120;
 
-            using (Ignition.Start(igniteConfiguration))
+            using (var client = new TcpClient(host, port))
+            using (var sslStream = new SslStream(client.GetStream(), false, ValidateServerCertificate, null))
             {
-                const string host = "127.0.0.1";
-                const int port = 11110;
+                var certsCollection = new X509CertificateCollection(new X509Certificate[] { LoadCertificateFile() });
 
-                using (var client = new TcpClient(host, port))
-                using (var sslStream = new SslStream(client.GetStream(), false, ValidateServerCertificate, null))
+#if !NETCOREAPP
+                if (clientCert)
+                {
+                    sslStream.AuthenticateAsClient(host, certsCollection, SslProtocols.Tls, false);
+                }
+                else
+                {
+                    sslStream.AuthenticateAsClient(host);
+                }
+#else
+                if (clientCert)
                 {
-                    var certsCollection = new X509CertificateCollection(new X509Certificate[] {LoadCertificateFile()});
-
                     sslStream.AuthenticateAsClient(host, certsCollection, SslProtocols.Tls12, false);
+                }
+                else
+                {
+                    sslStream.AuthenticateAsClient(host);
+                }
+#endif
 
-                    Assert.IsTrue(sslStream.IsAuthenticated);
-                    Assert.IsTrue(sslStream.IsMutuallyAuthenticated);
-                    Assert.IsTrue(sslStream.IsEncrypted);
+                Assert.IsTrue(sslStream.IsAuthenticated);
+                Assert.AreEqual(clientCert, sslStream.IsMutuallyAuthenticated);
+                Assert.IsTrue(sslStream.IsEncrypted);
 
-                    DoHandshake(sslStream);
-                }
+                DoHandshake(sslStream);
             }
         }
 
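Review bot: The two parametrized cases of `TestHandshake` do not negotiate under the same TLS settings, because the certificate branch pins the protocol while the `else` branch calls `sslStream.AuthenticateAsClient(host);` and takes whatever the platform defaults to. A single call covers both cases and mirrors what `SslStreamFactory` now does with a null collection: `sslStream.AuthenticateAsClient(host, clientCert ? certsCollection : null, SslProtocols.Tls12, false);`. `certsCollection` is also built before the branch, so the no-certificate case still loads the PFX through `LoadCertificateFile()` and would fail if that file were missing; build it only when `clientCert` is true.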
@@ -123,7 +158,9 @@ namespace Apache.Ignite.Core.Tests.Client
         private static byte[] ReceiveMessage(Stream sock)
         {
             var buf = new byte[4];
-            sock.Read(buf, 0, 4);
+            var read = sock.Read(buf, 0, 4);
+
+            Assert.AreEqual(4, read);
 
             using (var stream = new BinaryHeapStream(buf))
             {
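Review bot: `Assert.AreEqual(4, read)` turns a legal short read into a test failure, since `Stream.Read` may return fewer bytes than requested without the connection being broken, and that is more likely over an `SslStream`. Read in a loop until the 4-byte header is complete and fail only when `Read` returns 0. The body of `ReceiveMessage` continues outside this hunk; if the payload read further down is also a single `Read` call, it needs the same treatment.

```csharp
var buf = new byte[4];
var read = 0;

// Stream.Read may return fewer bytes than requested; keep reading until the header is complete.
while (read < buf.Length)
{
    var n = sock.Read(buf, read, buf.Length - read);
    Assert.Greater(n, 0, "Connection closed before the 4-byte header was received");
    read += n;
}
// … unchanged: BinaryHeapStream decoding of the header and the payload read …
```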
@@ -150,6 +187,5 @@ namespace Apache.Ignite.Core.Tests.Client
                 sock.Write(stream.GetArray(), 0, stream.Position);
             }
         }
-
     }
 }
diff --git a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl.xml b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl-no-client-auth.xml
similarity index 72%
copy from modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl.xml
copy to modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl-no-client-auth.xml
index 7ef8e17..e8d5cca 100644
--- a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl.xml
+++ b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl-no-client-auth.xml
@@ -1,20 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
+ Copyright 2019 GridGain Systems, Inc. and Contributors.
 
-       http://www.apache.org/licenses/LICENSE-2.0
+ Licensed under the GridGain Community Edition License (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
 
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
+     https://www.gridgain.com/products/software/community-edition/gridgain-community-edition-license
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
 -->
 
 <beans xmlns="http://www.springframework.org/schema/beans"
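Review bot: The header of the new file swaps the ASF license notice for a GridGain Community Edition one (`Copyright 2019 GridGain Systems, Inc. and Contributors.`), while server-with-ssl.xml, the file it is copied from, carries the ASF header. Nothing in the commit description mentions a license change, so this looks like a header carried over from another codebase. Restore the ASF notice from server-with-ssl.xml so the file matches the rest of the repository and does not trip a license-header check.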
@@ -31,11 +30,11 @@
         <property name="clientConnectorConfiguration">
             <bean class="org.apache.ignite.configuration.ClientConnectorConfiguration">
                 <property name="host" value="127.0.0.1"/>
-                <property name="port" value="11110"/>
+                <property name="port" value="11120"/>
                 <property name="portRange" value="10"/>
                 <property name="sslEnabled" value="true"/>
                 <property name="useIgniteSslContextFactory" value="false"/>
-                <property name="sslClientAuth" value="true"/>
+                <property name="sslClientAuth" value="false"/>
 
                 <property name="sslContextFactory">
                     <bean class="org.apache.ignite.ssl.SslContextFactory">
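Review bot: The new base port 11120 sits on the upper edge of the range used by server-with-ssl.xml (port 11110 with the same `portRange` of 10), so if that range includes its upper bound the two server configurations can both bind 11120. The tests in this commit hard-code 11110 and 11120 and `RawSecureSocketTest` starts both nodes in one fixture; on a host where 11110 is already taken, the client-auth node could end up on the port the no-client-auth case expects. Moving this config clear of the other range, for example `<property name="port" value="11130"/>` with the test endpoints updated to match, removes the ambiguity. A short XML comment above `sslClientAuth` stating that this configuration accepts TLS clients that present no certificate and exists only for tests would also help.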
@@ -64,4 +63,4 @@
             </bean>
         </property>
     </bean>
-</beans>
\ No newline at end of file
+</beans>
diff --git a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl.xml b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl.xml
index 7ef8e17..821031f 100644
--- a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl.xml
+++ b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Config/Client/server-with-ssl.xml
@@ -64,4 +64,4 @@
             </bean>
         </property>
     </bean>
-</beans>
\ No newline at end of file
+</beans>
diff --git a/modules/platforms/dotnet/Apache.Ignite.Core/Client/SslStreamFactory.cs b/modules/platforms/dotnet/Apache.Ignite.Core/Client/SslStreamFactory.cs
index 3961b09..f7a656c 100644
--- a/modules/platforms/dotnet/Apache.Ignite.Core/Client/SslStreamFactory.cs
+++ b/modules/platforms/dotnet/Apache.Ignite.Core/Client/SslStreamFactory.cs
@@ -49,8 +49,13 @@ namespace Apache.Ignite.Core.Client
 
             var sslStream = new SslStream(stream, false, ValidateServerCertificate, null);
 
-            var cert = new X509Certificate2(CertificatePath, CertificatePassword);
-            var certs = new X509CertificateCollection(new X509Certificate[] { cert });
+            var cert = string.IsNullOrEmpty(CertificatePath)
+                ? null
+                : new X509Certificate2(CertificatePath, CertificatePassword);
+
+            var certs = cert == null
+                ? null
+                : new X509CertificateCollection(new X509Certificate[] { cert });
 
             sslStream.AuthenticateAsClient(targetHost, certs, SslProtocols, CheckCertificateRevocation);
 
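Review bot: `string.IsNullOrEmpty(CertificatePath)` makes an empty string mean "no client certificate" as well, which is wider than the "Allow null" in the commit title. An empty path coming from a broken or half-filled configuration would previously have failed in the `X509Certificate2` constructor, whereas it now connects without client authentication whenever the server permits it. Consider treating only null as the opt-out, `var cert = CertificatePath == null ? null : new X509Certificate2(CertificatePath, CertificatePassword);`, so a malformed path still fails fast. A `CertificatePassword` set without a path is also ignored silently. The XML doc on the `CertificatePath` property (outside this hunk, as are the start and end of the enclosing method) should state that null disables the client certificate and that the connection then relies on the server not requiring one.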

[ignite] 02/02: Cleanup

Posted by pt...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ptupitsyn pushed a commit to branch ignite-15915
in repository https://gitbox.apache.org/repos/asf/ignite.git

commit 25a797d89230cf57465fc8e4df83c0f77482f8fc
Author: Pavel Tupitsyn <pt...@apache.org>
AuthorDate: Tue Nov 16 13:14:07 2021 +0300

    Cleanup
---
 .../Apache.Ignite.Core.Tests/Client/RawSecureSocketTest.cs    | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/RawSecureSocketTest.cs b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/RawSecureSocketTest.cs
index 80bc633..69b6f38 100644
--- a/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/RawSecureSocketTest.cs
+++ b/modules/platforms/dotnet/Apache.Ignite.Core.Tests/Client/RawSecureSocketTest.cs
@@ -70,16 +70,6 @@ namespace Apache.Ignite.Core.Tests.Client
             {
                 var certsCollection = new X509CertificateCollection(new X509Certificate[] { LoadCertificateFile() });
 
-#if !NETCOREAPP
-                if (clientCert)
-                {
-                    sslStream.AuthenticateAsClient(host, certsCollection, SslProtocols.Tls, false);
-                }
-                else
-                {
-                    sslStream.AuthenticateAsClient(host);
-                }
-#else
                 if (clientCert)
                 {
                     sslStream.AuthenticateAsClient(host, certsCollection, SslProtocols.Tls12, false);
@@ -88,7 +78,6 @@ namespace Apache.Ignite.Core.Tests.Client
                 {
                     sslStream.AuthenticateAsClient(host);
                 }
-#endif
 
                 Assert.IsTrue(sslStream.IsAuthenticated);
                 Assert.AreEqual(clientCert, sslStream.IsMutuallyAuthenticated);