Improve certificate validation registration

Fixed: Certificate validation during startup
Fixed: Errors removing Windows service

Closes #3037
Closes #3038
pull/1689/head
Mark McDowall 6 years ago committed by Qstick
parent a544d564a9
commit 801eb562eb

@ -5,30 +5,22 @@ using System.Security.Cryptography.X509Certificates;
using NLog;
using NzbDrone.Common.Extensions;
using NzbDrone.Core.Configuration;
using NzbDrone.Core.Lifecycle;
using NzbDrone.Core.Messaging.Events;
namespace NzbDrone.Core.Security
{
public interface IX509CertificateValidationPolicy
{
void Register();
}
public class X509CertificateValidationPolicy : IX509CertificateValidationPolicy
public class X509CertificateValidationService : IHandle<ApplicationStartedEvent>
{
private readonly IConfigService _configService;
private readonly Logger _logger;
public X509CertificateValidationPolicy(IConfigService configService, Logger logger)
public X509CertificateValidationService(IConfigService configService, Logger logger)
{
_configService = configService;
_logger = logger;
}
public void Register()
{
ServicePointManager.ServerCertificateValidationCallback = ShouldByPassValidationError;
}
private bool ShouldByPassValidationError(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
var request = sender as HttpWebRequest;
@ -38,11 +30,10 @@ namespace NzbDrone.Core.Security
return true;
}
var req = sender as HttpWebRequest;
var cert2 = certificate as X509Certificate2;
if (cert2 != null && req != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
if (cert2 != null && request != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
{
_logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", req.RequestUri.Authority);
_logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", request.RequestUri.Authority);
}
if (sslPolicyErrors == SslPolicyErrors.None)
@ -50,7 +41,7 @@ namespace NzbDrone.Core.Security
return true;
}
var host = Dns.GetHostEntry(req.Host);
var ipAddresses = GetIPAddresses(request.Host);
var certificateValidation = _configService.CertificateValidation;
if (certificateValidation == CertificateValidationType.Disabled)
@ -59,7 +50,7 @@ namespace NzbDrone.Core.Security
}
if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
host.AddressList.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress()))
ipAddresses.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress()))
{
return true;
}
@ -69,5 +60,20 @@ namespace NzbDrone.Core.Security
return false;
}
private IPAddress[] GetIPAddresses(string host)
{
if (IPAddress.TryParse(host, out var ipAddress))
{
return new []{ ipAddress };
}
return Dns.GetHostEntry(host).AddressList;
}
public void Handle(ApplicationStartedEvent message)
{
ServicePointManager.ServerCertificateValidationCallback = ShouldByPassValidationError;
}
}
}

@ -10,7 +10,6 @@ using NzbDrone.Common.Instrumentation;
using NzbDrone.Common.Processes;
using NzbDrone.Core.Configuration;
using NzbDrone.Core.Instrumentation;
using NzbDrone.Core.Security;
namespace NzbDrone.Host
{
@ -40,7 +39,6 @@ namespace NzbDrone.Host
var appMode = GetApplicationMode(startupContext);
Start(appMode, startupContext);
_container.Resolve<IX509CertificateValidationPolicy>().Register();
if (startCallback != null)
{

Loading…
Cancel
Save