Fix DotNettySslSetup being ignored when HOCON has valid SSL config (#7918) (#7919)

Aaronontheweb · web-flow · commit 1e8d6068cf2a · 2025-10-22T16:50:13.000-05:00
* Add failing test to expose DotNettySslSetup override bug (#7917) Added test case that demonstrates DotNettySslSetup settings being ignored when HOCON has valid certificate configuration. The test configures: - HOCON with valid certificate path and settings - DotNettySslSetup with different certificate and settings Expected: DotNettySslSetup should take precedence (programmatic over config) Actual: HOCON certificate is used, DotNettySslSetup is completely ignored The bug occurs because CreateOrDefault() tries HOCON first and only uses the programmatic setup as an exception fallback. This test fails and will pass once the fix is applied to make programmatic setup take precedence. Existing tests didn't catch this because they only test the exception-based fallback path (HOCON with enable-ssl=true but no certificate path). * Fix DotNettySslSetup being ignored when HOCON has valid SSL config (#7917) Changed SSL settings initialization to prioritize programmatic DotNettySslSetup over HOCON configuration, fixing the precedence order bug. Changes: - Modified DotNettyTransportSettings.Create() to check sslSettings (from DotNettySslSetup) first before parsing HOCON configuration - Changed SslSettings.Create() from private to internal to enable direct usage - Previous behavior: HOCON always tried first, programmatic setup only used as exception fallback - New behavior: Programmatic setup takes precedence, HOCON used if not provided This ensures programmatic configuration properly overrides HOCON defaults, which is the expected behavior for Setup-based configuration in Akka.NET. The bug existed since DotNettySslSetup was introduced in July 2023 (commit 588d5d6). Existing tests passed only because they triggered the exception-based fallback path (HOCON with enable-ssl=true but no certificate path).
diff --git a/src/core/Akka.Remote.Tests/Transport/DotNettySslSetupSpec.cs b/src/core/Akka.Remote.Tests/Transport/DotNettySslSetupSpec.cs
@@ -195,6 +195,58 @@ public void Four_parameter_setup_should_configure_transport_settings_with_all_va
             Assert.True(settings.Ssl.ValidateCertificateHostname); // explicitly set to true
         }
 
+        [Fact(DisplayName = "DotNettySslSetup should override HOCON certificate configuration (Bug #7917)")]
+        public void DotNettySslSetup_should_override_HOCON_certificate()
+        {
+            // This test exposes the bug where HOCON certificate wins over DotNettySslSetup
+            // when HOCON has valid certificate configuration
+
+            // HOCON certificate
+            const string hoconCertPath = "Resources/akka-validcert.pfx";
+            var hoconCert = new X509Certificate2(hoconCertPath, Password, X509KeyStorageFlags.DefaultKeySet);
+
+            // Programmatic setup certificate (different from HOCON)
+            const string setupCertPath = "Resources/akka-client-cert.pfx";
+            var setupCert = new X509Certificate2(setupCertPath, Password, X509KeyStorageFlags.DefaultKeySet);
+
+            var sslSetup = new DotNettySslSetup(setupCert, suppressValidation: true, requireMutualAuthentication: false, validateCertificateHostname: true);
+
+            var actorSystemSetup = ActorSystemSetup.Empty
+                .And(BootstrapSetup.Create().WithConfig(ConfigurationFactory.ParseString($@"
+akka {{
+  actor.provider = ""Akka.Remote.RemoteActorRefProvider,Akka.Remote""
+  remote.dot-netty.tcp {{
+    port = 0
+    hostname = ""127.0.0.1""
+    enable-ssl = true
+    ssl {{
+      certificate {{
+        path = ""{hoconCertPath}""
+        password = ""{Password}""
+      }}
+      suppress-validation = false
+      require-mutual-authentication = true
+      validate-certificate-hostname = false
+    }}
+  }}
+}}")))
+                .And(sslSetup);
+
+            using var sys = ActorSystem.Create("test", actorSystemSetup);
+
+            // Verify that DotNettyTransportSettings.Create uses the setup correctly
+            var settings = DotNettyTransportSettings.Create(sys);
+
+            Assert.True(settings.EnableSsl);
+
+            // BUG: DotNettySslSetup should take precedence over HOCON, but currently HOCON wins
+            // because CreateOrDefault tries HOCON first, and only uses the setup as an exception fallback
+            Assert.Equal(setupCert.Thumbprint, settings.Ssl.Certificate.Thumbprint); // Should be setupCert, not hoconCert
+            Assert.True(settings.Ssl.SuppressValidation); // From DotNettySslSetup
+            Assert.False(settings.Ssl.RequireMutualAuthentication); // From DotNettySslSetup, not HOCON
+            Assert.True(settings.Ssl.ValidateCertificateHostname); // From DotNettySslSetup, not HOCON
+        }
+
         #region helper classes / methods
 
         protected override void AfterAll()
diff --git a/src/core/Akka.Remote/Transport/DotNetty/DotNettyTransportSettings.cs b/src/core/Akka.Remote/Transport/DotNetty/DotNettyTransportSettings.cs
@@ -203,7 +203,7 @@ public static DotNettyTransportSettings Create(Config config, SslSettings? sslSe
                 ServerSocketWorkerPoolSize: ComputeWorkerPoolSize(config.GetConfig("server-socket-worker-pool")),
                 ClientSocketWorkerPoolSize: ComputeWorkerPoolSize(config.GetConfig("client-socket-worker-pool")),
                 MaxFrameSize: ToNullableInt(config.GetByteSize("maximum-frame-size", null)) ?? 128000,
-                Ssl: enableSsl ? SslSettings.CreateOrDefault(config.GetConfig("ssl"), sslSettings) : SslSettings.Empty,
+                Ssl: enableSsl ? (sslSettings ?? SslSettings.Create(config.GetConfig("ssl"))) : SslSettings.Empty,
                 DnsUseIpv6: config.GetBoolean("dns-use-ipv6"),
                 TcpReuseAddr: ResolveTcpReuseAddrOption(config.GetString("tcp-reuse-addr", "off-for-windows")),
                 TcpKeepAlive: config.GetBoolean("tcp-keepalive", true),
@@ -266,7 +266,7 @@ public static SslSettings CreateOrDefault(Config config, SslSettings? @default =
             }
         }
 
-        private static SslSettings Create(Config config)
+        internal static SslSettings Create(Config config)
         {
             if (config.IsNullOrEmpty())
                 throw new ConfigurationException($"Failed to create {typeof(DotNettyTransportSettings)}: DotNetty SSL HOCON config was not found (default path: `akka.remote.dot-netty.tcp.ssl`)");

Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,7 @@ public static DotNettyTransportSettings Create(Config config, SslSettings? sslSe`
`203`	`203`	`ServerSocketWorkerPoolSize: ComputeWorkerPoolSize(config.GetConfig("server-socket-worker-pool")),`
`204`	`204`	`ClientSocketWorkerPoolSize: ComputeWorkerPoolSize(config.GetConfig("client-socket-worker-pool")),`
`205`	`205`	`MaxFrameSize: ToNullableInt(config.GetByteSize("maximum-frame-size", null)) ?? 128000,`
`206`		`- Ssl: enableSsl ? SslSettings.CreateOrDefault(config.GetConfig("ssl"), sslSettings) : SslSettings.Empty,`
	`206`	`+ Ssl: enableSsl ? (sslSettings ?? SslSettings.Create(config.GetConfig("ssl"))) : SslSettings.Empty,`
`207`	`207`	`DnsUseIpv6: config.GetBoolean("dns-use-ipv6"),`
`208`	`208`	`TcpReuseAddr: ResolveTcpReuseAddrOption(config.GetString("tcp-reuse-addr", "off-for-windows")),`
`209`	`209`	`TcpKeepAlive: config.GetBoolean("tcp-keepalive", true),`
`@@ -266,7 +266,7 @@ public static SslSettings CreateOrDefault(Config config, SslSettings? @default =`
`266`	`266`	`}`
`267`	`267`	`}`
`268`	`268`
`269`		`- private static SslSettings Create(Config config)`
	`269`	`+ internal static SslSettings Create(Config config)`
`270`	`270`	`{`
`271`	`271`	`if (config.IsNullOrEmpty())`
`272`	`272`	throw new ConfigurationException($"Failed to create {typeof(DotNettyTransportSettings)}: DotNetty SSL HOCON config was not found (default path: `akka.remote.dot-netty.tcp.ssl`)");