Allow overriding SSL configuration (#697)

* Allow overriding SSL configuration

* Default to legacy SSL configuration on NETFRAMEWORK

* Add basic test of lifecycle

* Add comment for net4.8 divergence

Author: rhysparry

source/Halibut.Tests/ClientServerLifecycleTests.cs

@@ -0,0 +1,167 @@
+// Copyright 2012-2013 Octopus Deploy Pty. Ltd.
+// 
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// 
+//   http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using FluentAssertions;
+using Halibut.Diagnostics;
+using Halibut.ServiceModel;
+using Halibut.Tests.Support;
+using NUnit.Framework;
+
+namespace Halibut.Tests
+{
+    public class ClientServerLifecycleTests : BaseTest
+    {
+        [Test]
+        public async Task ListeningConfiguration()
+        {
+            await using var server = RunServer(out var serverPort);
+
+            await using var runtime = CreateRuntimeForListener();
+            var client = CreateClient(runtime, serverPort);
+            var result = await client.AddAsync(2, 2);
+            result.Should().Be(4);
+        }
+
+        [Test]
+        public async Task PollingConfiguration()
+        {
+            await using var server = RunServer(out var serverPort);
+            await using var runtime = CreateRuntimeForPoller(server, out var client);
+            var result = await client.AddAsync(2, 2);
+            result.Should().Be(4);
+        }
+
+        [Test]
+        public async Task ListeningThenPollingConfiguration()
+        {
+            // On NET4.8 with SslProtocols.None this will result in SSPI errors
+            await ListeningConfiguration();
+            await PollingConfiguration();
+        }
+
+        HalibutRuntime CreateRuntimeForListener()
+        {
+            var runtime = new HalibutRuntimeBuilder()
+                .WithServerCertificate(Certificates.TentacleListening)
+                .WithLogFactory(new TestLogFactory(HalibutLog))
+                .Build();
+            return runtime;
+        }
+
+        HalibutRuntime CreateRuntimeForPoller(HalibutRuntime serverRuntime, out IAsyncClientCalculatorService client)
+        {
+            var runtime = new HalibutRuntimeBuilder()
+                .WithServerCertificate(Certificates.TentaclePolling)
+                .WithLogFactory(new TestLogFactory(HalibutLog))
+                .Build();
+            var port = runtime.Listen();
+            runtime.Trust(Certificates.OctopusPublicThumbprint);
+
+            var pollEndpoint = new ServiceEndPoint(
+                baseUri: new Uri($"https://localhost:{port}/"),
+                remoteThumbprint: Certificates.TentaclePollingPublicThumbprint,
+                halibutTimeoutsAndLimits: runtime.TimeoutsAndLimits
+            )
+            {
+                TcpClientConnectTimeout = TimeSpan.FromSeconds(5)
+            };
+            var pollingUri = new Uri("poll://TEST-POLL");
+            serverRuntime.Poll(pollingUri, pollEndpoint, CancellationToken);
+            var clientEndpoint = new ServiceEndPoint(
+                baseUri: pollingUri,
+                remoteThumbprint: Certificates.OctopusPublicThumbprint,
+                halibutTimeoutsAndLimits: runtime.TimeoutsAndLimits
+            );
+            client = runtime.CreateAsyncClient<ICalculatorService, IAsyncClientCalculatorService>(clientEndpoint);
+            
+            return runtime;
+        }
+
+        static IAsyncClientCalculatorService CreateClient(HalibutRuntime runtime, int port)
+        {
+            var endpoint = new ServiceEndPoint(
+                baseUri: $"https://localhost:{port}",
+                remoteThumbprint: Certificates.OctopusPublicThumbprint,
+                halibutTimeoutsAndLimits: runtime.TimeoutsAndLimits
+            );
+            var client = runtime
+                .CreateAsyncClient<ICalculatorService, IAsyncClientCalculatorService>(endpoint);
+            return client;
+        }
+
+        static IServiceFactory CreateServiceFactory()
+        {
+            var services = new DelegateServiceFactory();
+            services.Register<ICalculatorService, IAsyncCalculatorService>(() => new AsyncCalculatorService());
+            return services;
+        }
+
+        HalibutRuntime RunServer(out int port)
+        {
+            var services = CreateServiceFactory();
+
+            var runtime = new HalibutRuntimeBuilder()
+                .WithServerCertificate(Certificates.Octopus)
+                .WithServiceFactory(services)
+                .WithLogFactory(new TestLogFactory(HalibutLog))
+                .Build();
+
+            runtime.Trust(Certificates.TentacleListeningPublicThumbprint);
+            runtime.Trust(Certificates.TentaclePollingPublicThumbprint);
+            port = runtime.Listen();
+
+            return runtime;
+        }
+
+        public class TestLogFactory : ILogFactory
+        {
+            readonly ILog _log;
+            public TestLogFactory(ILog log)
+            {
+                _log = log;
+            }
+
+            public ILog ForEndpoint(Uri endpoint) => _log;
+
+            public ILog ForPrefix(string endPoint) => _log;
+        }
+        
+        public interface ICalculatorService
+        {
+            long Add(long a, long b);
+        }
+    
+        public interface IAsyncCalculatorService
+        {
+            Task<long> AddAsync(long a, long b, CancellationToken cancellationToken);
+        }
+
+        public interface IAsyncClientCalculatorService
+        {
+            Task<long> AddAsync(long a, long b);
+        }
+
+        public class AsyncCalculatorService : IAsyncCalculatorService
+        {
+            public async Task<long> AddAsync(long a, long b, CancellationToken cancellationToken)
+            {
+                await Task.CompletedTask;
+                return a + b;
+            }
+        }
+    }
+}

source/Halibut.Tests/Transport/SecureClientFixture.cs

@@ -80,7 +80,13 @@ public async Task SecureClientClearsPoolWhenAllConnectionsCorrupt()
                 Params = new object[] { "Fred" }
             };
 
-            var tcpConnectionFactory = new TcpConnectionFactory(Certificates.Octopus, halibutTimeoutsAndLimits, new StreamFactory(), NoOpSecureConnectionObserver.Instance);
+            var tcpConnectionFactory = new TcpConnectionFactory(
+                Certificates.Octopus,
+                halibutTimeoutsAndLimits,
+                new StreamFactory(),
+                NoOpSecureConnectionObserver.Instance,
+                SslConfiguration.Default
+            );
             var secureClient = new SecureListeningClient(GetProtocol, endpoint, Certificates.Octopus, log, connectionManager, tcpConnectionFactory);
             ResponseMessage response = null!;
 

source/Halibut.Tests/Transport/SecureListenerFixture.cs

@@ -74,7 +74,8 @@ public async Task SecureListenerDoesNotCreateHundredsOfIoEventsPerSecondOnWindow
                     timeoutsAndLimits,
                     new StreamFactory(),
                     NoOpConnectionsObserver.Instance,
-                    NoOpSecureConnectionObserver.Instance
+                    NoOpSecureConnectionObserver.Instance,
+                    SslConfiguration.Default
                 );
 
                 var idleAverage = CollectCounterValues(opsPerSec)

source/Halibut/HalibutRuntime.cs

@@ -46,6 +46,7 @@ public class HalibutRuntime : IHalibutRuntime
         readonly ISecureConnectionObserver secureConnectionObserver;
         readonly IActiveTcpConnectionsLimiter activeTcpConnectionsLimiter;
         readonly IControlMessageObserver controlMessageObserver;
+        readonly ISslConfigurationProvider sslConfigurationProvider;
 
         internal HalibutRuntime(
             IServiceFactory serviceFactory,
@@ -61,7 +62,8 @@ internal HalibutRuntime(
             IRpcObserver rpcObserver,
             IConnectionsObserver connectionsObserver, 
             IControlMessageObserver controlMessageObserver,
-            ISecureConnectionObserver secureConnectionObserver
+            ISecureConnectionObserver secureConnectionObserver,
+            ISslConfigurationProvider sslConfigurationProvider
         )
         {
             this.serverCertificate = serverCertificate;
@@ -78,9 +80,10 @@ ISecureConnectionObserver secureConnectionObserver
             this.connectionsObserver = connectionsObserver;
             this.secureConnectionObserver = secureConnectionObserver;
             this.controlMessageObserver = controlMessageObserver;
+            this.sslConfigurationProvider = sslConfigurationProvider;
 
             connectionManager = new ConnectionManagerAsync();
-            this.tcpConnectionFactory = new TcpConnectionFactory(serverCertificate, TimeoutsAndLimits, streamFactory, secureConnectionObserver);
+            tcpConnectionFactory = new TcpConnectionFactory(serverCertificate, TimeoutsAndLimits, streamFactory, secureConnectionObserver, sslConfigurationProvider);
             activeTcpConnectionsLimiter = new ActiveTcpConnectionsLimiter(TimeoutsAndLimits);
         }
 
@@ -135,7 +138,8 @@ public int Listen(IPEndPoint endpoint)
                 TimeoutsAndLimits,
                 streamFactory,
                 connectionsObserver,
-                secureConnectionObserver
+                secureConnectionObserver,
+                sslConfigurationProvider
             );
 
             listeners.DoWithExclusiveAccess(l =>
@@ -202,7 +206,7 @@ public async Task<ServiceEndPoint> DiscoverAsync(Uri uri, CancellationToken canc
 
         public async Task<ServiceEndPoint> DiscoverAsync(ServiceEndPoint endpoint, CancellationToken cancellationToken)
         {
-            var client = new DiscoveryClient(streamFactory);
+            var client = new DiscoveryClient(streamFactory, sslConfigurationProvider);
             return await client.DiscoverAsync(endpoint, TimeoutsAndLimits, cancellationToken);
         }
 

source/Halibut/HalibutRuntimeBuilder.cs

@@ -5,6 +5,7 @@
 using Halibut.Queue;
 using Halibut.Queue.MessageStreamWrapping;
 using Halibut.ServiceModel;
+using Halibut.Transport;
 using Halibut.Transport.Observability;
 using Halibut.Transport.Protocol;
 using Halibut.Transport.Streams;
@@ -31,6 +32,7 @@ public class HalibutRuntimeBuilder
         ISecureConnectionObserver? secureConnectionObserver;
         IControlMessageObserver? controlMessageObserver;
         MessageStreamWrappers queueMessageStreamWrappers = new();
+        ISslConfigurationProvider? sslConfigurationProvider;
 
         public HalibutRuntimeBuilder WithQueueMessageStreamWrappers(MessageStreamWrappers queueMessageStreamWrappers)
         {
@@ -50,6 +52,12 @@ public HalibutRuntimeBuilder WithSecureConnectionObserver(ISecureConnectionObser
             return this;
         }
 
+        public HalibutRuntimeBuilder WithSslConfigurationProvider(ISslConfigurationProvider sslConfigurationProvider)
+        {
+            this.sslConfigurationProvider = sslConfigurationProvider;
+            return this;
+        }
+
         internal HalibutRuntimeBuilder WithStreamFactory(IStreamFactory streamFactory)
         {
             this.streamFactory = streamFactory;
@@ -185,6 +193,7 @@ public HalibutRuntime Build()
             var secureConnectionObserver = this.secureConnectionObserver ?? NoOpSecureConnectionObserver.Instance;
             var rpcObserver = this.rpcObserver ?? new NoRpcObserver();
             var controlMessageObserver = this.controlMessageObserver ?? new NoOpControlMessageObserver();
+            var sslConfigurationProvider = this.sslConfigurationProvider ?? SslConfiguration.Default;
 
             var halibutRuntime = new HalibutRuntime(
                 serviceFactory,
@@ -200,7 +209,8 @@ public HalibutRuntime Build()
                 rpcObserver,
                 connectionsObserver,
                 controlMessageObserver,
-                secureConnectionObserver
+                secureConnectionObserver,
+                sslConfigurationProvider
             );
 
             if (onUnauthorizedClientConnect is not null)

source/Halibut/Transport/DefaultSslConfigurationProvider.cs

@@ -0,0 +1,27 @@
+// Copyright 2012-2013 Octopus Deploy Pty. Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System;
+using System.Security.Authentication;
+
+namespace Halibut.Transport
+{
+    /// <summary>
+    /// Provides a default implementation of ISslConfigurationProvider that uses the system defaults.
+    /// </summary>
+    public class DefaultSslConfigurationProvider : ISslConfigurationProvider
+    {
+        public SslProtocols SupportedProtocols => SslProtocols.None;
+    }
+}

source/Halibut/Transport/DiscoveryClient.cs

@@ -16,10 +16,17 @@ public class DiscoveryClient
         readonly LogFactory logs = new ();
 
         readonly IStreamFactory streamFactory;
+        readonly ISslConfigurationProvider sslConfigurationProvider;
 
         public DiscoveryClient(IStreamFactory streamFactory)
+            : this(streamFactory, SslConfiguration.Default)
+        {
+        }
+
+        public DiscoveryClient(IStreamFactory streamFactory, ISslConfigurationProvider sslConfigurationProvider)
         {
             this.streamFactory = streamFactory;
+            this.sslConfigurationProvider = sslConfigurationProvider;
         }
 
         public async Task<ServiceEndPoint> DiscoverAsync(ServiceEndPoint serviceEndpoint, HalibutTimeoutsAndLimits halibutTimeoutsAndLimits, CancellationToken cancellationToken)
@@ -45,10 +52,15 @@ public async Task<ServiceEndPoint> DiscoverAsync(ServiceEndPoint serviceEndpoint
                             await ssl.AuthenticateAsClientAsync(
                                 serviceEndpoint.BaseUri.Host,
                                 new X509Certificate2Collection(),
-                                SslConfiguration.SupportedProtocols,
+                                sslConfigurationProvider.SupportedProtocols,
                                 false);
 #else
-                            await ssl.AuthenticateAsClientEnforcingTimeout(serviceEndpoint, new X509Certificate2Collection(), cancellationToken);
+                            await ssl.AuthenticateAsClientEnforcingTimeout(
+                                serviceEndpoint,
+                                new X509Certificate2Collection(),
+                                sslConfigurationProvider,
+                                cancellationToken
+                            );
 #endif
                             await ssl.WriteAsync(HelloLine, 0, HelloLine.Length, cancellationToken);
                             await ssl.FlushAsync(cancellationToken);

source/Halibut/Transport/ISslConfigurationProvider.cs

@@ -0,0 +1,23 @@
+// Copyright 2012-2013 Octopus Deploy Pty. Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System.Security.Authentication;
+
+namespace Halibut.Transport
+{
+    public interface ISslConfigurationProvider
+    {
+        public SslProtocols SupportedProtocols { get; }
+    }
+}