diff --git a/Doc/newlife.pfx b/Doc/newlife.pfx
new file mode 100644
index 0000000..6145650
Binary files /dev/null and b/Doc/newlife.pfx differ
diff --git a/NewLife.Core/Net/NetServer.cs b/NewLife.Core/Net/NetServer.cs
index 93914b8..118c6e2 100644
--- a/NewLife.Core/Net/NetServer.cs
+++ b/NewLife.Core/Net/NetServer.cs
@@ -110,11 +110,17 @@ public class NetServer : DisposeBase, IServer, IExtend, ILogFeature
/// </remarks>
public Boolean ReuseAddress { get; set; }
- /// <summary>SSL协议。默认None,服务端Default,客户端不启用</summary>
+ /// <summary>SSL协议。默认None</summary>
public SslProtocols SslProtocol { get; set; } = SslProtocols.None;
- /// <summary>SSL证书。服务端使用</summary>
- /// <remarks>var cert = new X509Certificate2("file", "pass");</remarks>
+ /// <summary>X509证书。用于SSL连接时验证证书指纹,可以直接加载pem证书文件,未指定时不验证证书</summary>
+ /// <remarks>
+ /// 可以使用pfx证书文件,也可以使用pem证书文件。
+ /// 服务端必须指定证书。
+ /// </remarks>
+ /// <example>
+ /// var cert = new X509Certificate2("file", "pass");
+ /// </example>
public X509Certificate? Certificate { get; set; }
/// <summary>APM性能追踪器</summary>
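Review bot: The new summary on the server-side `Certificate` property (here, and the identical wording in the TcpServer.cs hunk) describes a client-side use — checking the peer's fingerprint, "not verified when unset" — while the remarks added right below say the server must set it, so the summary contradicts its own remarks. On NetServer and TcpServer this property is presumably the certificate the server presents in the handshake (TcpSession passes it to `AuthenticateAsServer`), so a summary along the lines of `/// <summary>X509 certificate presented to clients during the TLS handshake; required on the server side.</summary>` would be accurate for both classes. The fingerprint/pem wording fits TcpSession's client path and can stay there.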
diff --git a/NewLife.Core/Net/TcpServer.cs b/NewLife.Core/Net/TcpServer.cs
index d5d574a..ad2e48b 100644
--- a/NewLife.Core/Net/TcpServer.cs
+++ b/NewLife.Core/Net/TcpServer.cs
@@ -65,11 +65,17 @@ public class TcpServer : DisposeBase, ISocketServer, ILogFeature
/// </remarks>
public IPipeline? Pipeline { get; set; }
- /// <summary>SSL协议。默认None,服务端Default,客户端不启用</summary>
+ /// <summary>SSL协议。默认None</summary>
public SslProtocols SslProtocol { get; set; } = SslProtocols.None;
- /// <summary>SSL证书。服务端使用</summary>
- /// <remarks>var cert = new X509Certificate2("file", "pass");</remarks>
+ /// <summary>X509证书。用于SSL连接时验证证书指纹,可以直接加载pem证书文件,未指定时不验证证书</summary>
+ /// <remarks>
+ /// 可以使用pfx证书文件,也可以使用pem证书文件。
+ /// 服务端必须指定证书。
+ /// </remarks>
+ /// <example>
+ /// var cert = new X509Certificate2("file", "pass");
+ /// </example>
public X509Certificate? Certificate { get; set; }
/// <summary>APM性能追踪器</summary>
diff --git a/NewLife.Core/Net/TcpSession.cs b/NewLife.Core/Net/TcpSession.cs
index 49dbd3f..27a1958 100644
--- a/NewLife.Core/Net/TcpSession.cs
+++ b/NewLife.Core/Net/TcpSession.cs
@@ -37,7 +37,13 @@ public class TcpSession : SessionBase, ISocketSession
public SslProtocols SslProtocol { get; set; } = SslProtocols.None;
/// <summary>X509证书。用于SSL连接时验证证书指纹,可以直接加载pem证书文件,未指定时不验证证书</summary>
- /// <remarks>var cert = new X509Certificate2("file", "pass");</remarks>
+ /// <remarks>
+ /// 可以使用pfx证书文件,也可以使用pem证书文件。
+ /// 服务端必须指定证书,客户端可以不指定,除非服务端请求客户端证书。
+ /// </remarks>
+ /// <example>
+ /// var cert = new X509Certificate2("file", "pass");
+ /// </example>
public X509Certificate? Certificate { get; set; }
private SslStream? _Stream;
@@ -105,7 +111,7 @@ public class TcpSession : SessionBase, ISocketSession
var sp = SslProtocol;
- WriteLog("服务端SSL认证 {0} {1}", sp, cert.Issuer);
+ WriteLog("服务端SSL认证,SslProtocol={0},Issuer: {1}", sp, cert.Issuer);
//var cert = new X509Certificate2("file", "pass");
sslStream.AuthenticateAsServer(cert, false, sp, false);
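Review bot: The two rewritten log lines format their second value differently — `Issuer: {1}` here versus `Host={1}` in the next hunk; pick one form, e.g. `WriteLog("服务端SSL认证,SslProtocol={0},Issuer={1}", sp, cert.Issuer);`. The commented-out `//var cert = new X509Certificate2(...)` line beneath it is dead code that the `<example>` block added in the first hunk now covers, so it could be deleted in the same pass. The enclosing method starts and ends outside the hunk.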
@@ -186,11 +192,16 @@ public class TcpSession : SessionBase, ISocketSession
if (sp != SslProtocols.None)
{
var host = uri.Host ?? uri.Address + "";
- WriteLog("客户端SSL认证 {0} {1}", sp, host);
+ WriteLog("客户端SSL认证,SslProtocol={0},Host={1}", sp, host);
+
+ // 服务端请求客户端证书时,需要传入证书
+ var certs = new X509CertificateCollection();
+ var cert = Certificate;
+ if (cert != null) certs.Add(cert);
var ns = new NetworkStream(sock);
var sslStream = new SslStream(ns, false, OnCertificateValidationCallback);
- sslStream.AuthenticateAsClient(host, new X509CertificateCollection(), sp, false);
+ sslStream.AuthenticateAsClient(host, certs, sp, false);
_Stream = sslStream;
}
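Review bot: The certificate collection built on the new lines is only presented when the peer requests a client certificate, and the server path of this same file (`sslStream.AuthenticateAsServer(cert, false, sp, false)` in the previous hunk) passes `clientCertificateRequired: false`, so a NewLife client connecting to a NewLife server will never send it and nothing on the server side validates one; a comment such as `// Only sent when the server requests a client certificate; this file's own server side does not request one.` would stop readers from assuming mutual TLS is in effect. Also, if `Certificate` holds a certificate without an accessible private key (for example a pem public certificate loaded for fingerprint checks, as the property summary suggests), I believe SslStream will silently not use it for client authentication; a guard like `if (cert is X509Certificate2 c2 && !c2.HasPrivateKey) WriteLog(...)` before `certs.Add(cert)` would make that visible. The enclosing method starts and ends outside the hunk.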
diff --git a/Test/Program.cs b/Test/Program.cs
index 56c0e9e..305540a 100644
--- a/Test/Program.cs
+++ b/Test/Program.cs
@@ -73,7 +73,7 @@ public class Program
try
{
#endif
- Test1();
+ Test6();
#if !DEBUG
}
catch (Exception ex)
@@ -332,7 +332,9 @@ public class Program
private static void Test6()
{
- var pfx = new X509Certificate2("../newlife.pfx", "newlife");
+ XTrace.WriteLine("TLS加密通信");
+
+ var pfx = new X509Certificate2("../../../doc/newlife.pfx".GetFullPath(), "newlife");
//Console.WriteLine(pfx);
//using var svr = new ApiServer(1234);
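Review bot: The import password of the committed PKCS#12 file is now spelled out in the new line (`"newlife"`) and `Doc/newlife.pfx` is added by this same commit, so the key pair (a pfx normally bundles the private key) is fully usable by anyone with read access to the repository; if it is a throwaway self-signed test certificate, say so in a comment next to the load and make sure no deployment trusts it, otherwise keep the file out of source control. Separately, the new path `../../../doc/newlife.pfx` differs in case from the committed `Doc/newlife.pfx`, which fails on case-sensitive file systems; use `"../../../Doc/newlife.pfx".GetFullPath()`. The `../../../` prefix also assumes a particular working directory (presumably the build output folder), which deserves a comment. Test6 continues outside the hunk.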
@@ -345,17 +347,20 @@ public class Program
{
Name = "Server",
ProtocolType = NetType.Tcp,
+ //SslProtocol = SslProtocols.Tls12,
+ Certificate = pfx,
+
Log = XTrace.Log,
SessionLog = XTrace.Log,
SocketLog = XTrace.Log,
LogReceive = true
};
- ns.EnsureCreateServer();
- foreach (var item in ns.Servers)
- {
- if (item is TcpServer ts) ts.Certificate = pfx;
- }
+ //ns.EnsureCreateServer();
+ //foreach (var item in ns.Servers)
+ //{
+ // if (item is TcpServer ts) ts.Certificate = pfx;
+ //}
ns.Received += (s, e) =>
{
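Review bot: The server initializer now assigns `Certificate = pfx` but leaves `SslProtocol` commented out, so `NetServer.SslProtocol` keeps its default `SslProtocols.None` (NetServer.cs hunk) while the client in the last hunk negotiates `Tls12`; unless NetServer enables TLS automatically once a certificate is assigned (not visible in this diff), the server stays in plaintext and the client's handshake cannot succeed. Either restore `SslProtocol = SslProtocols.Tls12,` or add a comment stating that assigning the certificate alone enables TLS. The five commented-out `EnsureCreateServer` lines are dead code and should be removed rather than kept. The object initializer begins outside the hunk.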
@@ -367,7 +372,9 @@ public class Program
{
Name = "Client",
Remote = new NetUri("tcp://127.0.0.1:1234"),
- SslProtocol = SslProtocols.Tls,
+ SslProtocol = SslProtocols.Tls12,
+ Certificate = pfx,
+
Log = XTrace.Log,
LogSend = true
};