working ssl spec

.gitignore

@@ -161,6 +161,7 @@ publish/
 !**/packages/build/
 # If using the old MSBuild-Integrated Package Restore, uncomment this:
 !**/packages/repositories.config
+!akka-validcert.pfx
 
 # Windows Azure Build Output
 csx/

src/core/Akka.Remote.Tests/Akka.Remote.Tests.csproj

@@ -201,10 +201,9 @@
   <ItemGroup>
     <None Include="app.config" />
     <None Include="packages.config" />
-    <EmbeddedResource Include="Resources\test-cert">
+    <None Include="Resources\akka-validcert.pfx">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-    </EmbeddedResource>
-    <None Include="Resources\test-cert2" />
+    </None>
   </ItemGroup>
   <ItemGroup>
     <Service Include="{82A7F48D-3B50-4B1E-B82E-3ADA8210C358}" />

src/core/Akka.Remote.Tests/Transport/DotNettySslSupportSpec.cs

@@ -8,6 +8,8 @@
 #endregion
 
 using System;
+using System.Collections.Generic;
+using System.Security.Cryptography.X509Certificates;
 using Akka.Actor;
 using Akka.Configuration;
 using Akka.Event;
@@ -23,38 +25,45 @@ public class DotNettySslSupportSpec : AkkaSpec
     {
         #region Setup / Config
 
-        private readonly ITestOutputHelper _output;
-        private const string CertPath1 = "Resources/test-cert";
-        private const string CertPath2 = "Resources/test-cert2";
+        // valid to 01/01/2037
+        private static readonly string ValidCertPath = "Resources/akka-validcert.pfx";
+
+        private const string Password = "password";
 
-        private static Config TestConfig(string certPath = null)
+        private static Config TestConfig(string certPath, string password)
         {
             var enableSsl = !string.IsNullOrEmpty(certPath);
             var config = ConfigurationFactory.ParseString(@"
             akka {
-                loglevel = DEBUG
                 actor.provider = ""Akka.Remote.RemoteActorRefProvider,Akka.Remote""
                 remote {
                     dot-netty.tcp {
-                        log-transport=true
                         port = 0
                         hostname = ""127.0.0.1""
                         enable-ssl = """ + enableSsl.ToString().ToLowerInvariant() + @"""
                     }
                 }
             }");
-            return enableSsl ? config.WithFallback("akka.remote.dot-netty.tcp.ssl.certificate.path = " + certPath) : config;
+            return !enableSsl
+                ? config
+                : config.WithFallback(@"akka.remote.dot-netty.tcp.ssl.certificate {
+                    path = """ + certPath + @"""
+                    password = """ + password + @"""
+                }");
         }
 
+        private readonly ITestOutputHelper _output;
+        private readonly X509Store _certificateStore;
+
         private ActorSystem sys2;
         private Address address1;
         private Address address2;
 
         private ActorPath echoPath;
 
-        private void Setup(string certPath)
+        private void Setup(string certPath, string password)
         {
-            sys2 = ActorSystem.Create("sys2", TestConfig(certPath));
+            sys2 = ActorSystem.Create("sys2", TestConfig(certPath, password));
             AddTestLogging();
 
             var echo = sys2.ActorOf(Props.Create<Echo>(), "echo");
@@ -64,36 +73,19 @@ private void Setup(string certPath)
             echoPath = new RootActorPath(address2) / "user" / "echo";
         }
 
-        private void AddTestLogging()
-        {
-            if (_output != null)
-            {
-                var system = (ExtendedActorSystem) sys2;
-                var logger = system.SystemActorOf(Props.Create(() => new TestOutputLogger(_output)), "log-test");
-                logger.Tell(new InitializeLogger(system.EventStream));
-            }
-        }
-
-        protected override void Dispose(bool disposing)
-        {
-            base.Dispose(disposing);
-            if (disposing)
-            {
-                Shutdown(sys2, TimeSpan.FromSeconds(3));
-            }
-        }
-
         #endregion
 
-        public DotNettySslSupportSpec(ITestOutputHelper output) : base(TestConfig(CertPath1), output)
+        public DotNettySslSupportSpec(ITestOutputHelper output) : base(TestConfig(ValidCertPath, Password), output)
         {
             _output = output;
+            _certificateStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
+            InstallCertificates();
         }
 
         [Fact]
         public void Secure_transport_should_be_possible_between_systems_sharing_the_same_certificate()
         {
-            Setup(CertPath1);
+            Setup(ValidCertPath, Password);
 
             var probe = CreateTestProbe();
             Sys.ActorSelection(echoPath).Tell("hello", probe.Ref);
@@ -103,24 +95,65 @@ public void Secure_transport_should_be_possible_between_systems_sharing_the_same
         [Fact]
         public void Secure_transport_should_NOT_be_possible_between_systems_using_SSL_and_one_not_using_it()
         {
-            Setup(null);
+            Setup(null, null);
 
             var probe = CreateTestProbe();
-            Sys.ActorSelection(echoPath).Tell("hello", probe.Ref);
-            probe.ExpectNoMsg();
+            Assert.Throws<RemoteTransportException>(() =>
+            {
+                Sys.ActorSelection(echoPath).Tell("hello", probe.Ref);
+                probe.ExpectNoMsg();
+            });
         }
 
-        [Fact]
-        public void Secure_transport_should_NOT_be_possible_between_systems_having_different_certificates()
+        #region helper classes / methods
+
+        private void AddTestLogging()
         {
-            Setup(CertPath2);
+            if (_output != null)
+            {
+                var system = (ExtendedActorSystem)sys2;
+                var logger = system.SystemActorOf(Props.Create(() => new TestOutputLogger(_output)), "log-test");
+                logger.Tell(new InitializeLogger(system.EventStream));
+            }
+        }
 
-            var probe = CreateTestProbe();
-            Sys.ActorSelection(echoPath).Tell("hello", probe.Ref);
-            probe.ExpectNoMsg();
+        private void InstallCertificates()
+        {
+            try
+            {
+                _certificateStore.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
+                var cert = new X509Certificate2(ValidCertPath, Password);
+                _certificateStore.Add(cert);
+            }
+            finally
+            {
+                _certificateStore.Close();
+            }
         }
 
-        #region helper classes / methods
+        private void RemoveCertificates()
+        {
+            try
+            {
+                _certificateStore.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
+                var cert = new X509Certificate2(ValidCertPath, Password);
+                _certificateStore.Remove(cert);
+            }
+            finally
+            {
+                _certificateStore.Close();
+            }
+        }
+
+        protected override void Dispose(bool disposing)
+        {
+            base.Dispose(disposing);
+            if (disposing)
+            {
+                Shutdown(sys2, TimeSpan.FromSeconds(3));
+                RemoveCertificates();
+            }
+        }
 
         public class Echo : ReceiveActor
         {

src/core/Akka.Remote/Transport/DotNetty/DotNettyTransport.cs

@@ -11,6 +11,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using System.Net.Security;
 using System.Net.Sockets;
 using System.Runtime.Serialization;
 using System.Security.Cryptography.X509Certificates;
@@ -310,7 +311,7 @@ private void SetClientPipeline(IChannel channel, Address remoteAddress)
                 var certificate = Settings.Ssl.Certificate;
                 var host = certificate.GetNameInfo(X509NameType.DnsName, false);
 
-                channel.Pipeline.AddFirst("tlsHandler", TlsHandler.Client(host, certificate));
+                channel.Pipeline.AddFirst("TlsHandler", new TlsHandler(stream => new SslStream(stream, true, (sender, cert, chain, errors) => true), new ClientTlsSettings(host)));
             }
 
             SetInitialChannelPipeline(channel);
@@ -319,15 +320,15 @@ private void SetClientPipeline(IChannel channel, Address remoteAddress)
             if (InternalTransport == TransportMode.Tcp)
             {
                 var handler = new TcpClientHandler(this, Logging.GetLogger(System, typeof(TcpClientHandler)), remoteAddress);
-                pipeline.AddLast("clientHandler", handler);
+                pipeline.AddLast("ClientHandler", handler);
             }
         }
 
         private void SetServerPipeline(IChannel channel)
         {
             if (Settings.EnableSsl)
             {
-                channel.Pipeline.AddFirst("tlsHandler", TlsHandler.Server(Settings.Ssl.Certificate));
+                channel.Pipeline.AddFirst("TlsHandler", TlsHandler.Server(Settings.Ssl.Certificate));
             }
 
             SetInitialChannelPipeline(channel);
@@ -336,7 +337,7 @@ private void SetServerPipeline(IChannel channel)
             if (Settings.TransportMode == TransportMode.Tcp)
             {
                 var handler = new TcpServerHandler(this, Logging.GetLogger(System, typeof(TcpServerHandler)), AssociationListenerPromise.Task);
-                pipeline.AddLast("serverHandler", handler);
+                pipeline.AddLast("ServerHandler", handler);
             }
         }