Fix BadCustomCertificatePerRequestWinsApiTests on older 5.x versions

Looks like Elasticsearch versions < 5.2.0 exhibit different behaviour when a bad client certificate is supplied

(cherry picked from commit 199fef0)

Author: russcam

src/Tests/ClientConcepts/Certificates/WorkingWithCertificates.doc.cs

@@ -16,29 +16,36 @@ namespace Tests.ClientConcepts.Certificates
 	 *
 	 * === Server Certificates
 	 *
-	 * If you've enabled SSL on elasticsearch with x-pack or through a proxy in front of elasticsearch and the Certificate Authority (CA)
+	 * If you've enabled SSL on Elasticsearch with x-pack or through a proxy in front of elasticsearch and the Certificate Authority (CA)
 	 * That generated the certificate is trusted by the machine running the client code there should be nothing you'll have to do to to talk
 	 * to over https with the client. If you are using your own CA which is not trusted .NET won't allow you to make https calls to that endpoint.
 	 *
-	 * .NET allows you to preempt this though through a custom validation through the the global static `ServicePointManager.ServerCertificateValidationCallback`.
+	 * In .NET, you can preempt this though through a custom validation through the the global static `ServicePointManager.ServerCertificateValidationCallback`.
 	 * Most examples you will find on the .NET will simply return `true` from this delegate and call it quits. This is not advisable as this will allow any HTTPS
 	 * traffic in the current AppDomain and not run any validations. Imagine you deploy a web app that talks to Elasticsearch over HTTPS but also some third party
-	 * SOAP/WSDL endpoint setting `ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, errors) => true;` will skip validation of BOTH
-	 * Elasticsearch and that external web service.
-
-	 * .NET also allows you to set that callback per service endpoint and Elasticsearch.NET/NEST exposes this through connection settings.
-	 * You can do your own validation in that handler or simply assign baked in handler that we ship with out of the box on the static
-	 * class `CertificateValidations`.
+	 * SOAP/WSDL endpoint setting 
+     * 
+     * [source,csharp]
+     * ----
+     * ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, errors) => true; 
+     * ----
+     * 
+     * will skip validation for *both* Elasticsearch *and* that external web service.
+     * 
+	 * You can also set a callback per service endpoint with .NET, and Elasticsearch.NET/NEST exposes this through the
+     * connection settings; You can do your own validation in that handler or simply assign one of the baked in handlers 
+     * that we ship with out of the box, on the static class `CertificateValidations`.
 	 *
-	 * The two most basic ones are `AllowAll` and `DenyAll` which does accept or deny any ssl trafic to our nodes`:
+	 * The two most basic ones are `AllowAll` and `DenyAll`, which accept or deny any SSL traffic to our nodes, respectively
 	 *
 	 */
 	public class DenyAllCertificatesCluster : SslAndKpiXPackCluster
 	{
 		protected override ConnectionSettings ConnectionSettings(ConnectionSettings s) => s
 			.ServerCertificateValidationCallback((o, certificate, chain, errors) => false)
-			.ServerCertificateValidationCallback(CertificateValidations.DenyAll);
+			.ServerCertificateValidationCallback(CertificateValidations.DenyAll); // <1> synonymous with the previous delegate
 	}
+
 	//hide
 	[IntegrationOnly]
 	public class DenyAllSslCertificatesApiTests : ConnectionErrorTestBase<DenyAllCertificatesCluster>
@@ -56,8 +63,9 @@ public class AllowAllCertificatesCluster : SslAndKpiXPackCluster
 	{
 		protected override ConnectionSettings ConnectionSettings(ConnectionSettings s) => s
 			.ServerCertificateValidationCallback((o, certificate, chain, errors) => true)
-			.ServerCertificateValidationCallback(CertificateValidations.AllowAll);
-	}
+			.ServerCertificateValidationCallback(CertificateValidations.AllowAll); // <1> synonymous with the previous delegate
+    }
+
 	//hide
 	[IntegrationOnly]
 	public class AllowAllSslCertificatesApiTests : CanConnectTestBase<AllowAllCertificatesCluster>
@@ -66,15 +74,15 @@ public AllowAllSslCertificatesApiTests(AllowAllCertificatesCluster cluster, Endp
 		[I] public async Task UsedHttps() => await AssertOnAllResponses(r => r.ApiCall.Uri.Scheme.Should().Be("https"));
 	}
 
-	/**
-	 * If your client application however has access to the public CA certificate locally Elasticsearch.NET/NEST ships with handy helpers that assert
-	 * that the certificate that the server presented was one that came from our local CA certificate. If you use x-pack's `certgen` tool to
-	 * [generate SSL certificates](https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html) the generated node certificate does not include the CA in the
+    /**
+	 * If your client application however has access to the public CA certificate locally, Elasticsearch.NET/NEST ships with handy helpers that assert
+	 * that the certificate that the server presented was one that came from our local CA certificate. If you use X-Pack's `certgen` tool to
+	 * {xpack_current}/ssl-tls.html[generate SSL certificates], the generated node certificate does not include the CA in the
 	 * certificate chain. This to cut back on SSL handshake size. In those case you can use `CertificateValidations.AuthorityIsRoot` and pass it your local copy
 	 * of the CA public key to assert that the certificate the server presented was generated off that.
 	 */
 
-	public class CertgenCaCluster : SslAndKpiXPackCluster
+    public class CertgenCaCluster : SslAndKpiXPackCluster
 	{
 		protected override ConnectionSettings ConnectionSettings(ConnectionSettings s) => s
 			.ServerCertificateValidationCallback(
@@ -114,18 +122,19 @@ protected override void AssertException(WebException e) =>
 		protected override void AssertException(HttpRequestException e) { }
 
 	}
-	/**
+    /**
 	 * If you go for a vendor generated SSL certificate its common practice for them to include the CA and any intermediary CA's in the certificate chain
 	 * in those case use `CertificateValidations.AuthorityPartOfChain` which validates that the local CA certificate is part of that chain and was used to
 	 * generate the servers key.
 	 */
 
 #if !DOTNETCORE
-	/**
+    /**
 	 * === Client Certificates
-	 * X-Pack also allows you to configure a [PKI realm](https://www.elastic.co/guide/en/x-pack/current/pki-realm.html) to enable user authentication
+     * 
+	 * X-Pack also allows you to configure a {xpack_current}/pki-realm.html[PKI realm] to enable user authentication
 	 * through client certificates. The `certgen` tool included with X-Pack allows you to
-	 * [generate client certificates as well](https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html#CO13-4) and assign the distinguished name (DN) of the
+	 * {xpack_current}/ssl-tls.html#CO13-4[generate client certificates as well] and assign the distinguished name (DN) of the
 	 * certificate as a user with a certain role.
 	 *
 	 * certgen by default only generates a public certificate (`.cer`) and a private key `.key`. To authenticate with client certificates you need to present both
@@ -138,10 +147,9 @@ protected override void AssertException(HttpRequestException e) { }
 	 * You can set Client Certificates to use on all connections on `ConnectionSettings`
 
 	 */
-	public class PkiCluster : CertgenCaCluster
+    public class PkiCluster : CertgenCaCluster
 	{
 		public override ConnectionSettings Authenticate(ConnectionSettings s) => s
-			//.ClientCertificate(this.Node.FileSystem.ClientCertificate);
 			.ClientCertificate(
 				ClientCertificate.LoadWithPrivateKey(this.Node.FileSystem.ClientCertificate, this.Node.FileSystem.ClientPrivateKey, "")
 			);
@@ -152,6 +160,7 @@ public override ConnectionSettings Authenticate(ConnectionSettings s) => s
 			"xpack.security.http.ssl.client_authentication=required"
 		}).ToArray();
 	}
+
 	//hide
 	[IntegrationOnly]
 	public class PkiApiTests : CanConnectTestBase<PkiCluster>
@@ -170,26 +179,33 @@ public class BadCustomCertificatePerRequestWinsApiTests : ConnectionErrorTestBas
 		public BadCustomCertificatePerRequestWinsApiTests(BadPkiCluster cluster, EndpointUsage usage) : base(cluster, usage) { }
 		[I] public async Task UsedHttps() => await AssertOnAllResponses(r => r.ApiCall.Uri.Scheme.Should().Be("https"));
 
-		private string BadCertificate => this.Cluster.Node.FileSystem.ClientCertificate;
+        // a bad certificate
+		private string Certificate => this.Cluster.Node.FileSystem.ClientCertificate;
 
 		protected override RootNodeInfoRequest Initializer => new RootNodeInfoRequest
 		{
 			RequestConfiguration = new RequestConfiguration
 			{
-				ClientCertificates = new X509Certificate2Collection { new X509Certificate2(this.BadCertificate) }
+				ClientCertificates = new X509Certificate2Collection { new X509Certificate2(this.Certificate) }
 			}
 		};
 
 		protected override Func<RootNodeInfoDescriptor, IRootNodeInfoRequest> Fluent => s => s
 			.RequestConfiguration(r => r
-				.ClientCertificate(this.BadCertificate)
-
+				.ClientCertificate(this.Certificate)
 			);
 
-		protected override void AssertException(WebException e) =>
-			e.Message.Should().Contain("Could not create SSL/TLS secure channel");
-
-		protected override void AssertException(HttpRequestException e) { }
+        // hide
+		protected override void AssertException(WebException e)
+	    {
+	        if (e.InnerException != null)
+	            e.InnerException.Message.Should()
+	                .Contain("Authentication failed because the remote party has closed the transport stream");
+	        else
+	            e.Message.Should().Contain("Could not create SSL/TLS secure channel");
+	    }
+
+	    protected override void AssertException(HttpRequestException e) { }
 
 	}
 #endif