merge 14.1.1.4 changes

oracle · Apr 28, 2021 · 0551add · 0551add
1 parent 3308b15
commit 0551add
Show file tree

Hide file tree

Showing 5 changed files with 133 additions and 198 deletions.
diff --git a/src/Coherence.Core/Net/SslStreamProvider.cs b/src/Coherence.Core/Net/SslStreamProvider.cs
@@ -131,7 +131,9 @@ private static bool CheckRemoteValidationErrors(SslPolicyErrors errors, SslPolic
                 }
                 sException.Append("The certificate was not available.");
             }
-            throw new AuthenticationException(errors.ToString());
+            Console.WriteLine("SSL errors:\n" + sException);
+            return false;
+            //throw new AuthenticationException(errors.ToString());
         }
 
         /// <summary>
@@ -200,6 +202,10 @@ public Stream GetStream(TcpClient client)
                 {
                     LocalCertificateSelector = LocalCertificatePicker;
                 }
+                if (RemoteCertificateValidator == null)
+                {
+                    RemoteCertificateValidator = DefaultCertificateValidation;
+                }
                 SslStream stream = new SslStream(client.GetStream(), false,
                                  RemoteCertificateValidator, LocalCertificateSelector);
                 stream.AuthenticateAsClient(serverName, ClientCertificates, Protocols, false);
@@ -211,7 +217,6 @@ public Stream GetStream(TcpClient client)
                 throw;
             }
         }
-
         #endregion
 
         #region IXmlConfigurable implementation
@@ -293,7 +298,7 @@ public IXmlElement Config
                 // configure the remote certificate validator
                 xmlSub = xml.GetElement("remote-certificate-validator");
                 RemoteCertificateValidator = xmlSub == null
-                        ? DefaultCertificateValidation
+                        ? StrictCertificateValidation  // COH-21950 - use strict validation for remote cert
                         : XmlHelper.CreateDelegate<RemoteCertificateValidationCallback>(xmlSub.GetElement("delegate"));
             }
             get

diff --git a/src/Coherence.Core/Util/Daemon/QueueProcessor/Service/Peer/Initiator/TcpInitiator.cs b/src/Coherence.Core/Util/Daemon/QueueProcessor/Service/Peer/Initiator/TcpInitiator.cs
@@ -597,9 +597,14 @@ protected void ConfigureSocket(TcpClient client)
                 NetworkUtils.SetKeepAlive(client, IsKeepAliveEnabled);
                 NetworkUtils.SetReuseAddress(client, IsLocalAddressReusable);
                 NetworkUtils.SetTcpNoDelay(client, !IsTcpDelayEnabled);
-                NetworkUtils.SetReceiveBufferSize(client,
-                                                  (int) ReceiveBufferSize);
-                NetworkUtils.SetSendBufferSize(client, (int) SendBufferSize);
+                if (ReceiveBufferSize > 0)
+                {
+                    NetworkUtils.SetReceiveBufferSize(client, (int) ReceiveBufferSize);
+                }
+                if (SendBufferSize > 0)
+                {
+                    NetworkUtils.SetSendBufferSize(client, (int) SendBufferSize);
+                }
 
                 long millis = LingerTimeout;
                 int secs = millis >= 0 ? (int) (millis/1000L) : -1; // seconds
@@ -1168,4 +1173,4 @@ protected override void OnWait()
 
         #endregion
     }
-}
+}
diff --git a/tests/Coherence.Core.Tests/Net/Ssl/SslClient.cs b/tests/Coherence.Core.Tests/Net/Ssl/SslClient.cs
@@ -32,6 +32,11 @@ public void AppendCertificate(X509Certificate certificate)
             Certificates.Add(certificate);
         }
 
+        public void ClearCertificate()
+        {
+            Certificates.Clear();
+        }
+
         public void Connect()
         {
             TcpClient.Connect(ServerAddress);

diff --git a/tests/Coherence.Core.Tests/Net/Ssl/SslServer.cs b/tests/Coherence.Core.Tests/Net/Ssl/SslServer.cs
@@ -18,6 +18,7 @@ namespace Tangosol.Net.Ssl
 {
     public sealed class SslServer
     {
+        private EventWaitHandle waitHandle = new AutoResetEvent(false);
         public Thread Thread { get; set; }
 
         public TcpListener Listener { get;  set; }
@@ -36,14 +37,16 @@ public sealed class SslServer
 
         private bool Running { get; set; }
 
+        public IPEndPoint EndPoint => (IPEndPoint) Listener.LocalEndpoint;
+
         public static X509Certificate LoadCertificate(string path)
         {
-            return X509Certificate.CreateFromCertFile(path);
+            return new X509Certificate2(path, "password");
         }
 
-        public SslServer(IPEndPoint localEp)
+        public SslServer()
         {
-            Listener = new TcpListener(IPAddress.Any, localEp.Port); 
+            Listener = new TcpListener(new IPEndPoint(IPAddress.Any, 0));
             ReadTimeout = 5000;
             WriteTimeout = 5000;
             CheckClientCertRevocation = false;
@@ -55,31 +58,29 @@ public void Start()
         {
             Running = true;
             Thread = new Thread(AcceptClients);
-            Thread.Start(); 
+            Thread.Start();
+            waitHandle.WaitOne();
         }
 
         public void Stop()
         {
-            Listener.Stop();
             Running = false;
             Thread.Join();
+            Listener.Stop();
             Console.WriteLine("Stopped SslServer.");
         }
 
         private void AcceptClients()
         {
-            try
+            Listener.Start();
+            waitHandle.Set();
+            while (Running)
             {
-                Listener.Start();
-                while (Running)
+                if (Listener.Pending())
                 {
                     ProcessClient(Listener.AcceptTcpClient());
                 }
             }
-            catch
-            {
-                //nothing
-            }
         }
 
         /// <summary>
@@ -96,21 +97,15 @@ private void AcceptClients()
         public static bool DefaultCertificateValidation(object sender, X509Certificate certificate,
             X509Chain chain, SslPolicyErrors sslPolicyErrors)
         {
-            // Allow RemoteCertificateChainErrors because self signed certificate may not be trusted.
-            if ((sslPolicyErrors & ~(SslPolicyErrors.RemoteCertificateNameMismatch | SslPolicyErrors.RemoteCertificateChainErrors)) == SslPolicyErrors.None) return true;
-
-            StringBuilder sException = new StringBuilder();
-
-            if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) ==
-                SslPolicyErrors.RemoteCertificateNotAvailable)
+            // Allow RemoteCertificateChainErrors and RemoteCertificateNameMismatch because self signed certificate may not be trusted.
+            sslPolicyErrors &= ~(SslPolicyErrors.RemoteCertificateNameMismatch | SslPolicyErrors.RemoteCertificateChainErrors);
+            if (sslPolicyErrors == SslPolicyErrors.None)
             {
-                if (sException.Length > 0)
-                {
-                    sException.Append("\n");
-                }
-                sException.Append("The certificate was not available.");
+                return true;
             }
-            throw new AuthenticationException(sslPolicyErrors.ToString());
+
+            Console.WriteLine("SSL errors: " + sslPolicyErrors);
+            return false;
         }
 
         private void ProcessClient(TcpClient client)
@@ -121,23 +116,22 @@ private void ProcessClient(TcpClient client)
             var sslStream = AuthenticateClient ? new SslStream(client.GetStream(), false, DefaultCertificateValidation)
                 : new SslStream(client.GetStream(), false);
 
-            // Authenticate the server but don't require the client to authenticate.
+            // Authenticate the server, and optionally the client
             try
             {
-                sslStream.AuthenticateAsServer(ServerCertificate,
-                                               AuthenticateClient, Protocol, CheckClientCertRevocation);
-
+                sslStream.AuthenticateAsServer(ServerCertificate, AuthenticateClient, Protocol, CheckClientCertRevocation);
+
                 // Set timeouts
                 sslStream.ReadTimeout = ReadTimeout;
                 sslStream.WriteTimeout = WriteTimeout;
                 // Read a message from the client.   
                 Console.WriteLine("Waiting for client message...");
-                string messageData = ReadMessage(sslStream);
+                var messageData = ReadMessage(sslStream);
                 Console.WriteLine("Received: {0}", messageData);
 
                 // Write a message to the client.
-                byte[] message =
-                        Encoding.UTF8.GetBytes(messageData);
+                var message =
+                    Encoding.UTF8.GetBytes(messageData);
                 Console.WriteLine("Sending hello message '{0}'.", messageData);
                 sslStream.Write(message);
             }
@@ -147,10 +141,16 @@ private void ProcessClient(TcpClient client)
                 if (e.InnerException != null)
                 {
                     Console.WriteLine("Inner exception: {0}",
-                                      e.InnerException.Message);
+                        e.InnerException.Message);
                 }
+
                 Console.WriteLine(
-                        "Authentication failed - closing the connection.");
+                    "Authentication failed - closing the connection.");
+            }
+            catch (Exception e)
+            {
+                Console.WriteLine("Exception: {0}", e.Message);
+                Console.WriteLine(e.StackTrace);
                 throw;
             }
             finally
@@ -178,7 +178,7 @@ private static string ReadMessage(Stream stream)
 
                 // Use Decoder class to convert from bytes to UTF8
                 // in case a character spans two buffers.
-                Decoder decoder = Encoding.UTF8.GetDecoder();
+                var decoder = Encoding.UTF8.GetDecoder();
                 var chars = new char[decoder.GetCharCount(buffer, 0, bytes)];
                 decoder.GetChars(buffer, 0, bytes, chars, 0);
                 messageData.Append(chars);