allow applications to decide which SslPolicyErrors to ignore

...and thus being able to connect over ssl w/o validating the server
cert, and/or w/o performing the host==cn check

Author: Matthias Radestock

projects/client/RabbitMQ.Client/src/client/api/SslHelper.cs

@@ -71,30 +71,46 @@ namespace RabbitMQ.Client
     public class SslHelper
     {
 
-        static X509Certificate CertificateSelectionCallback(object sender,
-                string targetHost,
-                X509CertificateCollection localCertificates,
-                X509Certificate remoteCertificate,
-                string[] acceptableIssuers)
+        private SslOption m_sslOption;
+
+        private X509Certificate CertificateSelectionCallback(object sender,
+                                                             string targetHost,
+                                                             X509CertificateCollection localCertificates,
+                                                             X509Certificate remoteCertificate,
+                                                             string[] acceptableIssuers)
         {
             return localCertificates[0];
         }
 
+        private bool CertificateValidationCallback(object sender,
+                                                   X509Certificate certificate,
+                                                   X509Chain chain,
+                                                   SslPolicyErrors sslPolicyErrors)
+        {
+            return (sslPolicyErrors & ~m_sslOption.AcceptablePolicyErrors) == SslPolicyErrors.None;
+        }
+
         ///<summary>Upgrade a Tcp stream to an Ssl stream using the SSL options
         ///provided</summary>
         public static Stream TcpUpgrade(Stream tcpStream, SslOption sslOption)
         {
+            SslHelper helper = new SslHelper(sslOption);
             SslStream sslStream = new SslStream(tcpStream, false,
-                    null,
-                    new LocalCertificateSelectionCallback(CertificateSelectionCallback));
+                                                new RemoteCertificateValidationCallback(helper.CertificateValidationCallback),
+                                                new LocalCertificateSelectionCallback(helper.CertificateSelectionCallback));
 
             sslStream.AuthenticateAsClient(sslOption.ServerName,
-                        sslOption.Certs,
-                        sslOption.Version,
-                        false);
+                                           sslOption.Certs,
+                                           sslOption.Version,
+                                           false);
 
             return sslStream;
         }
 
+        private SslHelper(SslOption sslOption)
+        {
+            m_sslOption = sslOption;
+        }
+
     }
 }

projects/client/RabbitMQ.Client/src/client/api/SslOption.cs

@@ -56,6 +56,7 @@
 //---------------------------------------------------------------------------
 using System;
 using System.Collections;
+using System.Net.Security;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using RabbitMQ.Client.Impl;
@@ -134,6 +135,15 @@ public string ServerName
             set { m_serverName = value; }
         }
 
+        private SslPolicyErrors m_acceptablePolicyErrors = SslPolicyErrors.None;
+
+        ///<summary>Retrieve or set the set of ssl policy errors that
+        ///are deemed acceptable</summary>
+        public SslPolicyErrors AcceptablePolicyErrors
+        {
+            get { return m_acceptablePolicyErrors; }
+            set { m_acceptablePolicyErrors = value; }
+        }
 
 
         ///<summary>Construct an SslOption specifying both the server cannonical name

projects/client/Unit/src/unit/TestSslEndpointUnverified.cs renamed to projects/client/Unit/src/unit/TestSsl.cs

@@ -56,51 +56,70 @@
 //---------------------------------------------------------------------------
 using NUnit.Framework;
 using System;
+using System.Net.Security;
 using RabbitMQ.Client;
 
 [TestFixture]
-public class TestSslEndpointUnverified {
+public class TestSsl {
 
-    public void SendReceive(IConnection conn) {
-        string message = "Hello C# SSL Client World";
+    public void SendReceive(ConnectionFactory cf) {
+        IProtocol proto = Protocols.DefaultProtocol;
+        using (IConnection conn = cf.CreateConnection(proto, "localhost", 5671)) {
+            IModel ch = conn.CreateModel();
+        
+            ch.ExchangeDeclare("Exchange_TestSslEndPoint", ExchangeType.Direct);
+            ch.QueueDeclare("Queue_TestSslEndpoint");
+            ch.QueueBind("Queue_TestSslEndpoint", "Exchange_TestSslEndPoint", "Key_TestSslEndpoint", false, null);
+        
+            string message = "Hello C# SSL Client World";
+            byte[] msgBytes =  System.Text.Encoding.UTF8.GetBytes(message);
+            ch.BasicPublish("Exchange_TestSslEndPoint", "Key_TestSslEndpoint", null, msgBytes);
 
-        IModel ch = conn.CreateModel();
+            bool noAck = false;
+            BasicGetResult result = ch.BasicGet("Queue_TestSslEndpoint", noAck);
+            byte[] body = result.Body;
+            string resultMessage = System.Text.Encoding.UTF8.GetString(body);
 
-        ch.ExchangeDeclare("Exchange_TestSslEndPoint", ExchangeType.Direct);
-        ch.QueueDeclare("Queue_TestSslEndpoint");
-        ch.QueueBind("Queue_TestSslEndpoint", "Exchange_TestSslEndPoint", "Key_TestSslEndpoint", false, null);
-
-        byte[] msgBytes =  System.Text.Encoding.UTF8.GetBytes(message);
-        ch.BasicPublish("Exchange_TestSslEndPoint", "Key_TestSslEndpoint", null, msgBytes);
-
-        bool noAck = false;
+            Assert.AreEqual(message, resultMessage);
+        }
+    }
 
-        BasicGetResult result = ch.BasicGet("Queue_TestSslEndpoint", noAck);
-        byte[] body = result.Body;
+    [Test]
+    public void TestServerVerifiedIgnoringNameMismatch() {
+        string sslDir = Environment.GetEnvironmentVariable("SSL_CERTS_DIR");
+        if (null == sslDir) return;
 
-        string resultMessage = System.Text.Encoding.UTF8.GetString(body);
+        ConnectionFactory cf = new ConnectionFactory();
+        cf.Parameters.Ssl.ServerName = "*";
+        cf.Parameters.Ssl.AcceptablePolicyErrors = SslPolicyErrors.RemoteCertificateNameMismatch;
+        cf.Parameters.Ssl.Enabled = true;
+        SendReceive(cf);
+    }
 
-        ch.Close(200, "Closing the channel");
-        conn.Close();
+    [Test]
+    public void TestServerVerified() {
+        string sslDir = Environment.GetEnvironmentVariable("SSL_CERTS_DIR");
+        if (null == sslDir) return;
 
-        Assert.AreEqual(message, resultMessage);
+        ConnectionFactory cf = new ConnectionFactory();
+        cf.Parameters.Ssl.ServerName = System.Net.Dns.GetHostName();
+        cf.Parameters.Ssl.Enabled = true;
+        SendReceive(cf);
     }
 
-
     [Test]
-    public virtual void TestHostWithPort() {
+    public void TestClientAndServerVerified() {
         string sslDir = Environment.GetEnvironmentVariable("SSL_CERTS_DIR");
-        if (null == sslDir) {
-            return;
-        } else {
-            ConnectionFactory cf = new ConnectionFactory();
-
-            cf.Parameters.Ssl.ServerName = System.Net.Dns.GetHostName();
-            cf.Parameters.Ssl.Enabled = true;
+        if (null == sslDir) return;
 
-            IProtocol proto = Protocols.DefaultProtocol;
-            IConnection conn = cf.CreateConnection(proto, "localhost", 5671);
-            SendReceive(conn);
-        }
+        ConnectionFactory cf = new ConnectionFactory();
+        cf.Parameters.Ssl.ServerName = System.Net.Dns.GetHostName();
+        Assert.IsNotNull(sslDir);
+        cf.Parameters.Ssl.CertPath = sslDir + "/client/keycert.p12";
+        string p12Password = Environment.GetEnvironmentVariable("PASSWORD");
+        Assert.IsNotNull(p12Password, "missing PASSWORD env var");
+        cf.Parameters.Ssl.CertPassphrase = p12Password;
+        cf.Parameters.Ssl.Enabled = true;
+        SendReceive(cf);
     }
 }