From f7addece49d7ddfb5252c7217ba6a1ee06a09ea8 Mon Sep 17 00:00:00 2001
From: Mark McDowall
Date: Wed, 10 Apr 2019 19:34:21 -0700
Subject: [PATCH] Improve certificate validation registration
Fixed: Certificate validation during startup
Fixed: Errors removing Windows service
Closes #3037
Closes #3038
---
...cs => X509CertificateValidationService.cs} | 40 +++++++++++--------
src/NzbDrone.Host/Bootstrap.cs | 2 -
2 files changed, 23 insertions(+), 19 deletions(-)
rename src/NzbDrone.Core/Security/{X509CertificateValidationPolicy.cs => X509CertificateValidationService.cs} (67%)
diff --git a/src/NzbDrone.Core/Security/X509CertificateValidationPolicy.cs b/src/NzbDrone.Core/Security/X509CertificateValidationService.cs
similarity index 67%
rename from src/NzbDrone.Core/Security/X509CertificateValidationPolicy.cs
rename to src/NzbDrone.Core/Security/X509CertificateValidationService.cs
index 4b5bc096f..610497885 100644
--- a/src/NzbDrone.Core/Security/X509CertificateValidationPolicy.cs
+++ b/src/NzbDrone.Core/Security/X509CertificateValidationService.cs
@@ -5,30 +5,22 @@ using System.Security.Cryptography.X509Certificates;
 using NLog;
 using NzbDrone.Common.Extensions;
 using NzbDrone.Core.Configuration;
+using NzbDrone.Core.Lifecycle;
+using NzbDrone.Core.Messaging.Events;
 namespace NzbDrone.Core.Security
 {
- public interface IX509CertificateValidationPolicy
- {
- void Register();
- }
-
- public class X509CertificateValidationPolicy : IX509CertificateValidationPolicy
+ public class X509CertificateValidationService : IHandle
 {
 private readonly IConfigService _configService;
 private readonly Logger _logger;
- public X509CertificateValidationPolicy(IConfigService configService, Logger logger)
+ public X509CertificateValidationService(IConfigService configService, Logger logger)
 {
 _configService = configService;
 _logger = logger;
 }
- public void Register()
- {
- ServicePointManager.ServerCertificateValidationCallback = ShouldByPassValidationError;
- }
-
 private bool ShouldByPassValidationError(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
 {
 var request = sender as HttpWebRequest;
@@ -38,11 +30,10 @@ namespace NzbDrone.Core.Security
 return true;
 }
- var req = sender as HttpWebRequest;
 var cert2 = certificate as X509Certificate2;
- if (cert2 != null && req != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
+ if (cert2 != null && request != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
 {
- _logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", req.RequestUri.Authority);
+ _logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", request.RequestUri.Authority);
 }
 if (sslPolicyErrors == SslPolicyErrors.None)
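Review bot: The MD5 warning on the changed `if` line (hunk at -38/+30) matches on `cert2.SignatureAlgorithm.FriendlyName == "md5RSA"`, and friendly names come from the platform's OID table, so they can differ between runtimes and the warning may silently never fire on some hosts. Comparing the OID itself is stable: `cert2.SignatureAlgorithm.Value == "1.2.840.113549.1.1.4"`. The branch only logs; judging by the `sslPolicyErrors == SslPolicyErrors.None` check that follows, an MD5-signed certificate is still accepted, so a short comment such as `// Warn only: MD5-signed certificates are not rejected here.` would keep the log line from being read as enforcement. The enclosing method starts in the previous hunk and continues past this one.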
@@ -50,7 +41,7 @@ namespace NzbDrone.Core.Security
 return true;
 }
- var host = Dns.GetHostEntry(req.Host);
+ var ipAddresses = GetIPAddresses(request.Host);
 var certificateValidation = _configService.CertificateValidation;
 if (certificateValidation == CertificateValidationType.Disabled)
@@ -59,7 +50,7 @@ namespace NzbDrone.Core.Security
 }
 if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
- host.AddressList.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress()))
+ ipAddresses.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress()))
 {
 return true;
 }
@@ -69,5 +60,20 @@ namespace NzbDrone.Core.Security
 return false;
 }
+
+ private IPAddress[] GetIPAddresses(string host)
+ {
+ if (IPAddress.TryParse(host, out var ipAddress))
+ {
+ return new []{ ipAddress };
+ }
+
+ return Dns.GetHostEntry(host).AddressList;
+ }
+
+ public void Handle(ApplicationStartedEvent message)
+ {
+ ServicePointManager.ServerCertificateValidationCallback = ShouldByPassValidationError;
+ }
 }
 }
diff --git a/src/NzbDrone.Host/Bootstrap.cs b/src/NzbDrone.Host/Bootstrap.cs
index d894c359b..8aa0d9379 100644
--- a/src/NzbDrone.Host/Bootstrap.cs
+++ b/src/NzbDrone.Host/Bootstrap.cs
@@ -10,7 +10,6 @@ using NzbDrone.Common.Instrumentation;
 using NzbDrone.Common.Processes;
 using NzbDrone.Core.Configuration;
 using NzbDrone.Core.Instrumentation;
-using NzbDrone.Core.Security;
 namespace NzbDrone.Host
 {
@@ -40,7 +39,6 @@ namespace NzbDrone.Host
 var appMode = GetApplicationMode(startupContext);
 Start(appMode, startupContext);
- _container.Resolve().Register();
 if (startCallback != null)
 {
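Review bot: `var ipAddresses = GetIPAddresses(request.Host);` in the hunk at -50/+41 runs before `_configService.CertificateValidation` is read, so every certificate error triggers a DNS lookup even when the setting is Disabled or full validation is on, where the result is never used. `Dns.GetHostEntry` throws on resolver failure, and that exception would then escape from the validation callback instead of producing the logged rejection at the end of the method. Dropping the local and calling `GetIPAddresses(request.Host).All(i => i.IsIPv6LinkLocal || i.IsLocalAddress())` inside the DisabledForLocalAddresses condition (hunk at -59/+50) limits the lookup to the one mode that needs it. The enclosing method begins and ends outside this hunk.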
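Review bot: The bypass condition `ipAddresses.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress())` in the hunk at -59/+50 decides from what the host name resolves to when the callback runs, not from the endpoint the TLS session was actually made to. Any name whose DNS answer lists only private or link-local addresses therefore gets certificate errors ignored in DisabledForLocalAddresses mode, and the decision is only as trustworthy as the resolver. `All` is also true for an empty array, so if a lookup ever returns no addresses the check passes; `ipAddresses.Length > 0 &&` in front of it closes that gap. A comment on the branch, for example `// Trusts DNS: a host counts as local when every resolved address is private or link-local.`, would make the trade-off visible to whoever changes this next.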
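Review bot: Neither `GetIPAddresses` nor `Handle`, both added in the hunk at -69/+60, carries a doc comment, and both have behaviour a maintainer should not have to rediscover. For `Handle` I would add `/// <summary>Installs the process-wide ServicePointManager certificate validation callback once the application has started.</summary>`; requests made before that event presumably use the framework's default validation, which is worth a sentence as well. For `GetIPAddresses`, a summary should say that an IP literal is returned as-is without a lookup, that any other host goes through `Dns.GetHostEntry`, and that the call can throw when resolution fails. As a small style point, `new []{ ipAddress }` reads better as `new[] { ipAddress }`.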