Always use system TLS defaults

source/Halibut.TestUtils.CompatBinary.SchannelProbe/Halibut.TestUtils.CompatBinary.SchannelProbe.csproj

@@ -0,0 +1,23 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <OutputType>Exe</OutputType>
+        <LangVersion>9.0</LangVersion>
+        <RootNamespace>Halibut.TestUtils.SampleProgram.SchannelProbe</RootNamespace>
+        <Nullable>enable</Nullable>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    </PropertyGroup>
+
+    <PropertyGroup Condition="!$([MSBuild]::IsOSUnixLike())">
+        <TargetFrameworks>net48;net8.0</TargetFrameworks>
+    </PropertyGroup>
+    <PropertyGroup Condition="$([MSBuild]::IsOSUnixLike())">
+        <TargetFramework>net8.0</TargetFramework>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\Halibut\Halibut.csproj" />
+        <ProjectReference Include="..\Halibut.TestUtils.Contracts\Halibut.TestUtils.Contracts.csproj" />
+    </ItemGroup>
+
+</Project>

source/Halibut.TestUtils.CompatBinary.SchannelProbe/Program.cs

@@ -0,0 +1,137 @@
+using System;
+using System.IO;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+using System.Threading.Tasks;
+using Halibut;
+using Halibut.Diagnostics;
+using Halibut.ServiceModel;
+using Halibut.TestUtils.Contracts;
+
+namespace Halibut.TestUtils.SampleProgram.SchannelProbe
+{
+    public class Program
+    {
+        public static async Task<int> Main()
+        {
+            using var cts = new CancellationTokenSource(GetTestTimeout());
+            using var _ = cts.Token.Register(() => Environment.Exit(-10060));
+
+            var mode = GetSetting("mode");
+            Console.WriteLine($"Mode is: {mode}");
+
+            if (mode.Equals("serviceonly", StringComparison.OrdinalIgnoreCase))
+            {
+                await RunExternalService(cts.Token);
+            }
+            else
+            {
+                Console.WriteLine($"Unknown mode: {mode}");
+                throw new Exception($"Unknown mode: {mode}");
+            }
+
+            return 1;
+        }
+
+        static async Task RunExternalService(CancellationToken cancellationToken)
+        {
+            var serviceCert = new X509Certificate2(GetSetting("tentaclecertpath"));
+            var octopusThumbprint = GetSetting("octopusthumbprint");
+            var serviceConnectionType = ParseServiceConnectionType(GetSetting("ServiceConnectionType"));
+
+            var services = new DelegateServiceFactory();
+            services.Register<ISayHelloService, IAsyncSayHelloService>(() => new SayHelloServiceImpl());
+
+            using var tentacle = new HalibutRuntimeBuilder()
+                .WithServiceFactory(services)
+                .WithServerCertificate(serviceCert)
+                .WithLogFactory(new LogFactory())
+                .Build();
+
+            switch (serviceConnectionType)
+            {
+                case ServiceConnectionType.Polling:
+                    var addressToPoll = GetSetting("octopusservercommsport");
+                    tentacle.Poll(
+                        new Uri("poll://SQ-TENTAPOLL"),
+                        new ServiceEndPoint(new Uri(addressToPoll), octopusThumbprint, null, new HalibutTimeoutsAndLimits()),
+                        cancellationToken);
+                    break;
+                case ServiceConnectionType.Listening:
+                    var port = tentacle.Listen();
+                    Console.WriteLine($"Listening on port: {port}");
+                    tentacle.Trust(octopusThumbprint);
+                    break;
+                default:
+                    throw new ArgumentOutOfRangeException(nameof(serviceConnectionType));
+            }
+
+            Console.WriteLine("RunningAndReady");
+            await Console.Out.FlushAsync();
+            await WaitUntilSignaledToDie();
+        }
+
+        static async Task WaitUntilSignaledToDie()
+        {
+            var stayAliveFile = GetSetting("CompatBinaryStayAliveFilePath");
+            while (true)
+            {
+                try
+                {
+                    using (new FileStream(stayAliveFile, FileMode.Open, FileAccess.Read, FileShare.None))
+                    {
+                    }
+
+                    try
+                    {
+                        File.Delete(stayAliveFile);
+                    }
+                    finally
+                    {
+                        Environment.Exit(0);
+                    }
+                }
+                catch (Exception)
+                {
+                }
+
+                if (!File.Exists(stayAliveFile))
+                {
+                    Environment.Exit(0);
+                }
+
+                await Task.Delay(2000);
+            }
+        }
+
+        static ServiceConnectionType ParseServiceConnectionType(string s)
+        {
+            if (Enum.TryParse(s, out ServiceConnectionType result))
+                return result;
+            throw new Exception($"Unknown service connection type '{s}'");
+        }
+
+        static TimeSpan GetTestTimeout()
+        {
+            var timeoutString = GetSetting("TestTimeout");
+            return string.IsNullOrWhiteSpace(timeoutString) ? TimeSpan.FromMinutes(15) : TimeSpan.Parse(timeoutString);
+        }
+
+        static string GetSetting(string name) => Environment.GetEnvironmentVariable(name) ?? string.Empty;
+    }
+
+    enum ServiceConnectionType
+    {
+        Polling,
+        Listening
+    }
+
+    class SayHelloServiceImpl : IAsyncSayHelloService
+    {
+        public async Task<string> SayHelloAsync(string name, CancellationToken cancellationToken)
+        {
+            await Task.CompletedTask;
+            return name + "...";
+        }
+    }
+}

source/Halibut.TestUtils.Contracts/ISayHelloService.cs

@@ -0,0 +1,15 @@
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Halibut.TestUtils.Contracts
+{
+    public interface ISayHelloService
+    {
+        string SayHello(string name);
+    }
+
+    public interface IAsyncSayHelloService
+    {
+        Task<string> SayHelloAsync(string name, CancellationToken cancellationToken);
+    }
+}

source/Halibut.Tests.DotMemory/MemoryFixture.cs

@@ -59,11 +59,26 @@ public void TcpClientsAreDisposedCorrectly()
                 .WriteTo.NUnitOutput()
                 .CreateLogger();
 
+            // Two separate HalibutRuntime instances are used to avoid an SChannel session cache
+            // collision on Windows (.NET Framework / SslProtocols.None). SChannel's TLS session
+            // cache is per-process and keyed on certificate + host. If a single runtime acts as
+            // both a TLS server (accepting inbound connections) and a TLS client (making outbound
+            // polling connections) using the same certificate, SChannel can incorrectly reuse a
+            // server-side session for a client-side handshake, causing SSPI/TLS failures.
+            //
+            // - server:        pure TLS server — accepts inbound connections from listening tentacles.
+            //                  Uses Certificates.Octopus.
+            // - pollingServer: pure TLS client — only makes outbound polling connections to tentacles.
+            //                  Must use a DIFFERENT certificate (Certificates.TentacleListening) so
+            //                  that SChannel never sees the same cert in both server and client roles
+            //                  within this process.
             HalibutRuntime? server = null;
+            HalibutRuntime? pollingServer = null;
 
             try
             {
                 server = RunServer(Certificates.Octopus, out var port);
+                pollingServer = RunPollingServer(Certificates.TentacleListening);
 
                 var expectedTcpClientCount = 1; //server listen = 1 tcpclient
                 //valid requests
@@ -75,13 +90,15 @@ public void TcpClientsAreDisposedCorrectly()
                 for (var i = 0; i < NumberOfClients; i++)
                 {
                     expectedTcpClientCount++; // each time the server polls, it keeps a tcpclient (as we dont have support to say StopPolling)
-                    RunPollingClient(server, Certificates.TentaclePolling, Certificates.TentaclePollingPublicThumbprint).GetAwaiter().GetResult();
+                    RunPollingClient(pollingServer, Certificates.TentaclePolling, Certificates.TentaclePollingPublicThumbprint).GetAwaiter().GetResult();
                 }
 
 #if SUPPORTS_WEB_SOCKET_CLIENT
+                //setup polling websocket
+                AddSslCertToLocalStoreAndRegisterFor("0.0.0.0:8434");
                 for (var i = 0; i < NumberOfClients; i++)
                 {
-                    RunWebSocketPollingClient(server, Certificates.TentaclePolling, Certificates.TentaclePollingPublicThumbprint, Certificates.OctopusPublicThumbprint).GetAwaiter().GetResult();
+                    RunWebSocketPollingClient(pollingServer, Certificates.TentaclePolling, Certificates.TentaclePollingPublicThumbprint, Certificates.TentacleListeningPublicThumbprint).GetAwaiter().GetResult();
                 }
 #endif
 
@@ -106,6 +123,7 @@ public void TcpClientsAreDisposedCorrectly()
             finally
             {
                 server?.DisposeAsync().GetAwaiter().GetResult();
+                pollingServer?.DisposeAsync().GetAwaiter().GetResult();
             }
         }
 
@@ -142,16 +160,33 @@ static HalibutRuntime RunServer(X509Certificate2 serverCertificate, out int port
                 .WithLogFactory(new TestContextLogFactory("client", LogLevel.Info))
                 .Build();
 
-            //set up listening  
+            // Trust the listening tentacle certificate for inbound connections.
+            // This runtime only accepts connections — it never makes outbound polling connections —
+            // keeping it in a pure TLS server role (see declaration comment above).
             server.Trust(Certificates.TentacleListeningPublicThumbprint);
             port = server.Listen();
 
-            //setup polling websocket
-            AddSslCertToLocalStoreAndRegisterFor("0.0.0.0:8434");
-
             return server;
         }
 
+        // pollingServer intentionally uses Certificates.TentacleListening rather than
+        // Certificates.Octopus (which server uses). This keeps the two certificates in distinct
+        // TLS roles within this process: Octopus is used only as a TLS server cert (by server),
+        // and TentacleListening is used only as a TLS client cert (here, and in RunListeningClient).
+        // Using the same cert in both roles would trigger an SChannel session-cache collision on
+        // Windows with SslProtocols.None (see declaration comment above).
+        static HalibutRuntime RunPollingServer(X509Certificate2 serverCertificate)
+        {
+            var services = new DelegateServiceFactory();
+            services.Register<ICalculatorService, IAsyncCalculatorService>(() => new AsyncCalculatorService());
+
+            return new HalibutRuntimeBuilder()
+                .WithServerCertificate(serverCertificate)
+                .WithServiceFactory(services)
+                .WithLogFactory(new TestContextLogFactory("polling-server", LogLevel.Info))
+                .Build();
+        }
+
         static async Task RunListeningClient(X509Certificate2 clientCertificate, int port, string remoteThumbprint, bool expectSuccess = true)
         {
             await using (var runtime = new HalibutRuntimeBuilder().WithServerCertificate(clientCertificate).Build())
@@ -169,9 +204,13 @@ static async Task RunPollingClient(HalibutRuntime server, X509Certificate2 clien
                        .Build())
             {
                 runtime.Listen(new IPEndPoint(IPAddress.IPv6Any, 8433));
-                runtime.Trust(Certificates.OctopusPublicThumbprint);
+                // Trust the thumbprint of pollingServer's certificate (TentacleListening), which is
+                // the cert pollingServer presents when it dials in to establish the polling connection.
+                runtime.Trust(Certificates.TentacleListeningPublicThumbprint);
 
                 //setup polling
+                // The remote thumbprint here is this runtime's own certificate (TentaclePolling),
+                // which pollingServer verifies when it connects to port 8433.
                 var serverEndpoint = new ServiceEndPoint(new Uri("https://localhost:8433"), Certificates.TentaclePollingPublicThumbprint, runtime.TimeoutsAndLimits)
                 {
                     TcpClientConnectTimeout = TimeSpan.FromSeconds(5)

source/Halibut.Tests/BadCertificatesTests.cs

@@ -30,6 +30,7 @@ public async Task SucceedsWhenPollingServicePresentsWrongCertificate_ButServiceI
             var clientTrustProvider = new DefaultTrustProvider();
             var unauthorizedThumbprint = "";
             var firstCall = true;
+            var serviceThumbprint = "";
 
             var unauthorizedClientHasConnected = new TaskCompletionSource<bool>();
             CancellationToken.Register(() => unauthorizedClientHasConnected.TrySetCanceled()); // backup to fail the test in case it never connects
@@ -43,7 +44,7 @@ public async Task SucceedsWhenPollingServicePresentsWrongCertificate_ButServiceI
                        {
                            if (firstCall)
                            {
-                               clientTrustProvider.IsTrusted(CertAndThumbprint.TentaclePolling.Thumbprint).Should().BeFalse();
+                               clientTrustProvider.IsTrusted(serviceThumbprint).Should().BeFalse();
                                firstCall = false;
                            }
 
@@ -53,6 +54,8 @@ public async Task SucceedsWhenPollingServicePresentsWrongCertificate_ButServiceI
                        })
                        .Build(CancellationToken))
             {
+                serviceThumbprint = clientAndBuilder.ServiceThumbprint;
+
                 // Act
                 var clientCountingService = clientAndBuilder.CreateAsyncClient<ICountingService, IAsyncClientCountingService>();
                 await clientCountingService.IncrementAsync();
@@ -62,8 +65,8 @@ public async Task SucceedsWhenPollingServicePresentsWrongCertificate_ButServiceI
                 // Assert
                 countingService.CurrentValue().Should().Be(1);
 
-                clientTrustProvider.IsTrusted(CertAndThumbprint.TentaclePolling.Thumbprint).Should().BeTrue();
-                unauthorizedThumbprint.Should().Be(CertAndThumbprint.TentaclePolling.Thumbprint);
+                clientTrustProvider.IsTrusted(serviceThumbprint).Should().BeTrue();
+                unauthorizedThumbprint.Should().Be(serviceThumbprint);
             }
         }
 
@@ -93,6 +96,8 @@ public async Task FailWhenPollingServicePresentsWrongCertificate_ButServiceIsCon
                        })
                        .Build(CancellationToken))
             {
+                var serviceThumbprint = clientAndBuilder.ServiceThumbprint;
+
                 using var cts = new CancellationTokenSource();
                 var clientCountingService = clientAndBuilder.CreateAsyncClient<ICountingService, IAsyncClientCountingServiceWithOptions>(point =>
                 {
@@ -105,7 +110,7 @@ public async Task FailWhenPollingServicePresentsWrongCertificate_ButServiceIsCon
                 // Interestingly the message exchange error is logged to a non polling looking URL, perhaps because it has not been identified?
                 Wait.UntilActionSucceeds(() => {
                         AllLogs(serviceLoggers).Select(l => l.FormattedMessage).ToArray()
-                            .Should().Contain(s => s.Contains("and attempted a message exchange, but it presented a client certificate with the thumbprint '4098EC3A2FC2B92B97339D3831BA230CC1DD590F' which is not in the list of thumbprints that we trust"));
+                            .Should().Contain(s => s.Contains($"and attempted a message exchange, but it presented a client certificate with the thumbprint '{serviceThumbprint}' which is not in the list of thumbprints that we trust"));
                     },
                     TimeSpan.FromSeconds(10),
                     Logger,
@@ -124,7 +129,7 @@ public async Task FailWhenPollingServicePresentsWrongCertificate_ButServiceIsCon
                 // Assert
                 countingService.CurrentValue().Should().Be(0, "With a bad certificate the request never should have been made");
 
-                unauthorizedThumbprint.Should().Be(CertAndThumbprint.TentaclePolling.Thumbprint);
+                unauthorizedThumbprint.Should().Be(serviceThumbprint);
             }
         }
 
@@ -195,8 +200,8 @@ public async Task FailWhenClientPresentsWrongCertificateToListeningService(Clien
 
                 serviceLoggers[serviceLoggers.Keys.First(x => x != nameof(MessageSerializer))].GetLogs().Should()
                     .Contain(log => log.FormattedMessage
-                        .Contains("and attempted a message exchange, but it presented a client certificate with the thumbprint " +
-                                  "'76225C0717A16C1D0BA4A7FFA76519D286D8A248' which is not in the list of thumbprints that we trust"));
+                        .Contains("and attempted a message exchange, but it presented a client certificate with the thumbprint") 
+                        && log.FormattedMessage.Contains("which is not in the list of thumbprints that we trust"));
             }
         }
 
@@ -254,11 +259,13 @@ public async Task FailWhenListeningServicePresentsWrongCertificate(ClientAndServ
                        .WithCountingService(countingService)
                        .Build(CancellationToken))
             {
+                var serviceThumbprint = clientAndBuilder.ServiceThumbprint;
+
                 var clientCountingService = clientAndBuilder.CreateAsyncClient<ICountingService, IAsyncClientCountingService>();
                 (await AssertionExtensions.Should(() => clientCountingService.IncrementAsync()).ThrowAsync<HalibutClientException>())
                     .And.Message.Should().Contain("" +
                                                   "We expected the server to present a certificate with the thumbprint 'EC32122053C6BFF582F8246F5697633D06F0F97F'. " +
-                                                  "Instead, it presented a certificate with a thumbprint of '36F35047CE8B000CF4C671819A2DD1AFCDE3403D'");
+                                                  $"Instead, it presented a certificate with a thumbprint of '{serviceThumbprint}'");
                 countingService.CurrentValue().Should().Be(0, "With a bad certificate the request never should have been made");
             }
         }
@@ -275,6 +282,8 @@ public async Task FailWhenPollingServicePresentsWrongCertificate(ClientAndServic
                        .RecordingClientLogs(out var serviceLoggers)
                        .Build(CancellationToken))
             {
+                var serviceThumbprint = clientAndBuilder.ServiceThumbprint;
+
                 using var cts = new CancellationTokenSource();
                 var clientCountingService = clientAndBuilder.CreateAsyncClient<ICountingService, IAsyncClientCountingServiceWithOptions>(point =>
                 {
@@ -285,7 +294,7 @@ public async Task FailWhenPollingServicePresentsWrongCertificate(ClientAndServic
 
                 // Interestingly the message exchange error is logged to a non polling looking URL, perhaps because it has not been identified?
                 Wait.UntilActionSucceeds(() => { AllLogs(serviceLoggers).Select(l => l.FormattedMessage).ToArray()
-                        .Should().Contain(s => s.Contains("and attempted a message exchange, but it presented a client certificate with the thumbprint '4098EC3A2FC2B92B97339D3831BA230CC1DD590F' which is not in the list of thumbprints that we trust")); },
+                        .Should().Contain(s => s.Contains($"and attempted a message exchange, but it presented a client certificate with the thumbprint '{serviceThumbprint}' which is not in the list of thumbprints that we trust")); },
                     TimeSpan.FromSeconds(10),
                     Logger,
                     CancellationToken);