Improve certificate validation registration

Fixed: Certificate validation during startup Fixed: Errors removing Windows service Closes #3037 Closes #3038
2024-12-14 11:23:42 +02:00 · 2019-04-10 19:34:21 -07:00 · 2019-04-10 19:34:21 -07:00 · 0911abcfc0
commit 0911abcfc0
parent 04850331ce
3 changed files with 24 additions and 20 deletions
--- a/src/NzbDrone.Core/NzbDrone.Core.csproj
+++ b/src/NzbDrone.Core/NzbDrone.Core.csproj
@ -1168,7 +1168,7 @@
    <Compile Include="RootFolders\UnmappedFolder.cs" />
    <Compile Include="Hashing.cs" />
    <Compile Include="Security\CertificateValidationType.cs" />
-    <Compile Include="Security\X509CertificateValidationPolicy.cs" />
+    <Compile Include="Security\X509CertificateValidationService.cs" />
    <Compile Include="SeriesStats\SeasonStatistics.cs" />
    <Compile Include="SeriesStats\SeriesStatistics.cs" />
    <Compile Include="SeriesStats\SeriesStatisticsRepository.cs" />
--- a/src/NzbDrone.Core/Security/X509CertificateValidationService.cs
+++ b/src/NzbDrone.Core/Security/X509CertificateValidationService.cs
@ -5,30 +5,22 @@
 using NLog;
 using NzbDrone.Common.Extensions;
 using NzbDrone.Core.Configuration;
+using NzbDrone.Core.Lifecycle;
+using NzbDrone.Core.Messaging.Events;

 namespace NzbDrone.Core.Security
 {
-    public interface IX509CertificateValidationPolicy
-    {
-        void Register();
-    }
-
-    public class X509CertificateValidationPolicy : IX509CertificateValidationPolicy
+    public class X509CertificateValidationService : IHandle<ApplicationStartedEvent>
    {
        private readonly IConfigService _configService;
        private readonly Logger _logger;

-        public X509CertificateValidationPolicy(IConfigService configService, Logger logger)
+        public X509CertificateValidationService(IConfigService configService, Logger logger)
        {
            _configService = configService;
            _logger = logger;
        }

-        public void Register()
-        {
-            ServicePointManager.ServerCertificateValidationCallback = ShouldByPassValidationError;
-        }
-
        private bool ShouldByPassValidationError(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            var request = sender as HttpWebRequest;
@ -38,11 +30,10 @@ private bool ShouldByPassValidationError(object sender, X509Certificate certific
                return true;
            }

-            var req = sender as HttpWebRequest;
            var cert2 = certificate as X509Certificate2;
-            if (cert2 != null && req != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
+            if (cert2 != null && request != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
            {
-                _logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", req.RequestUri.Authority);
+                _logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", request.RequestUri.Authority);
            }

            if (sslPolicyErrors == SslPolicyErrors.None)
@ -50,7 +41,7 @@ private bool ShouldByPassValidationError(object sender, X509Certificate certific
                return true;
            }

-            var host = Dns.GetHostEntry(req.Host);
+            var ipAddresses = GetIPAddresses(request.Host);
            var certificateValidation = _configService.CertificateValidation;

            if (certificateValidation == CertificateValidationType.Disabled)
@ -59,7 +50,7 @@ private bool ShouldByPassValidationError(object sender, X509Certificate certific
            }

            if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
-                host.AddressList.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress()))
+                ipAddresses.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress()))
            {
                return true;
            }
@ -69,5 +60,20 @@ private bool ShouldByPassValidationError(object sender, X509Certificate certific

            return false;
        }
+
+        private IPAddress[] GetIPAddresses(string host)
+        {
+            if (IPAddress.TryParse(host, out var ipAddress))
+            {
+                return new []{ ipAddress };
+            }
+
+            return Dns.GetHostEntry(host).AddressList;
+        }
+
+        public void Handle(ApplicationStartedEvent message)
+        {
+            ServicePointManager.ServerCertificateValidationCallback = ShouldByPassValidationError;
+        }
    }
 }
--- a/src/NzbDrone.Host/Bootstrap.cs
+++ b/src/NzbDrone.Host/Bootstrap.cs
@ -9,7 +9,6 @@
 using NzbDrone.Common.Processes;
 using NzbDrone.Core.Configuration;
 using NzbDrone.Core.Instrumentation;
-using NzbDrone.Core.Security;

 namespace NzbDrone.Host
 {
@ -36,7 +35,6 @@ public static void Start(StartupContext startupContext, IUserAlert userAlert, Ac
                var appMode = GetApplicationMode(startupContext);

                Start(appMode, startupContext);
-                _container.Resolve<IX509CertificateValidationPolicy>().Register();

                if (startCallback != null)
                {