ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY when clean webapi template #14350
Comments
Well this isn't an official solution or anything, but what worked for me when upgrading an existing .net core 2.2 project to .net core 3 was make a new .net core 3 mvc project. Right click the project, choose manage user secrets, copy the user secrets, paste those user secrets over top of my existing user secrets. |
This is not an issue with an existing project, it happens with a clean template of a newly created webapi project, and I assume it should be able to work out of the box without any re-configuration |
I have the same problem on 3.0, with a blank web project and a freshly created certificate, on Windows 8.1. /cc @Tratcher If it helps, these are the details of the generated certificate:
For SEO purposes: On Firefox, the error is |
@poke and I did some investigations. Looks like his machine chooses to use |
I believe you need to update the dev-cert on the machine. Run If that doesn't work, let us know and try You should use the 3.0 version of the tool just to be sure (I think we patched something like this in 2.2 or 2.1, but I'm not sure). /cc @anurse |
That’s exactly what I did in the first place. So yeah, that doesn’t help :/ Tell me if you need any additional information. |
@javiercn Yeah, the 3.0 SDK release version from yesterday.
Sure, here you go. |
@poke On Win8.1 you should disable HTTP/2 or manually adjust your ciphers. The default cipher list doesn't work for Http/2 as you've noticed. We weren't immediately concerned about Win8.1 because you're one of the only people still using it 😁 (< 5% usage). Win7 clients aren't affected because they don't support ALPN. @hristijankiko's issue is something else. |
@Tratcher Heh, I’m not using it by total choice (upgrading the work machine is a major PITA; it is planned but I need a lot of time for that). Can I adjust the ciphers of Windows without modifying the application? I would like to avoid having to add code to the application just to work around my machine-specific issue. I guess I could also adjust my user secrets to override the Kestrel settings there (disabling HTTP/2) 🤔 |
Windows ciphers can only be adjusted in the registry. Disabling HTTP2 in config is easier. Here's an example that disables HTTP/1.1. |
Hmm, restricting it to HTTP/1 only resolved the problem in Chrome. Firefox still raises this error:
|
@javiercn is this related to firefox using its own cert store, |
@Tratcher very likely. I’ve never been able to make a self-signed cert work on Firefox |
That's a major gap in our doc coverage then. |
@Tratcher on a second look I don’t think that’s the issue. I don’t believe we have a critical security extension that is not standard |
Firefox has its own certificate store, yes, but if you visit a site with a self-signed certificate, you would usually get some error like I’m back home now and have a Windows 10 machine to test this, and I do get the same error on Firefox here. Interestingly, I did not refresh the dev certificate, so I am still using one that was generated somewhen in July (probably some 2.2.x). When I create a blank Razor app ( However, when I create the same thing on 2.2.401 (using a Let me know what I should do to give you more debugging information. |
If you didn't refresh the cert after 2.2 then it's probably the known issue that requires cert regeneration. The cert generated in 2.2 was broken by a Windows update, not by 3.0. If you are running on a recent version of Windows (even if you're using 2.2) you need to update the dev cert to the 3.0 version. You can either do this with the 3.0 SDK (and continue using 2.2) or by generating/exporting a cert on a machine that does have 3.0 and importing it on your Windows 10 machine. Regardless, @poke, if you still have a concern I think it's appropriate to move to a separate issue. It may end up being related but there are a few different things getting tangled up here. @hristijankiko can you export your ASP.NET Core development certificate and share it with us? Running the 3.0 dev cert |
@anurse I have tried cleaning the certificates manually and using the dotnet command line tools then generating new ones but both did not seem to have an effect. This is my certificate details obtained using export from "Manage User Certificates" > Personal using certutil -v -dump
And this is the one from "Trusted Root Certification Authorities"
|
🤔 This is our "Extension" in the certificate that indicates the version and the value ( I think the next thing to check is that this certificate is precisely the one Kestrel is selecting. Perhaps there's an issue with the selection logic. Are there any other certificates in your stores for the subject name Here's an example of the certificate manager UI from my machine: It would also be useful to confirm what certificate the browser is receiving (you can usually do this through the dev tools) and compare the thumbprint of the certificate the browser has with the ones in the cert store to identify which one is in use. |
Sorry for the late reply @anurse , I was out of office until today. I checked the certificate that gets received by the browser and it seems to be the correct one. I do not have IIS certificate under Personal Certificates and I only have the .NET Core one. Under Please let me know if you need any additional information |
@hristijankiko That certificate info dialog looks like the Firefox one, and Firefox doesn't normally participate in the Windows cert store. Can you clarify which browsers are showing which error? As far as we're aware, the |
@anurse I used Firefox just to get the certificate which is used for the connection because in Chrome (And in Firefox it was only shown the first time, as once you proceed it goes directly to the error page and skips the warning page), it is not shown in the dev tools, but regardless of which browser I use the error is same. |
@anurse Sent |
Hrm, I haven't received anything yet (and I would expect to get it within this time window). |
I ran into the same problem "This site can't be reached" with the same error "ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY" when using Windows 8.1 Enterprise. Setting the Kestrel Protocol to "Http1" in the appsettings solved the issue on Chrome, but Firefox still doesn't recognize the self-signed cert, I don't mind since it opens the web app normally after ignoring the warning.
Thank you! |
This disables HTTP/2, and the "INADEQUATE_TRANSPORT_SECURITY" issue is an HTTP/2-specific issue, so while that works, it's not really a solution.
This is an unrelated issue. Our dev cert process doesn't install the cert into the Firefox store (Firefox uses a different certificate store from Windows), so it's expected that it's not trusted until you explicitly trust it. |
OK, I see now that hristijankiko's issue is happening in W10, but for W8.1 users the only options are to either disable HTTP/2 or manually set the TLS ciphers (which I can't do on this machine right now). And since I'm running a web server with WServer 2012 R2 I won't even be able to use HTTP/2 anyway, so I'm disabling it until I get an upgrade (and I know that won't happen soon). My main concern is that this is not mentioned in the tutorial, so as I was following it I couldn't even get through the "Get Started" part of the MVC section without running into this problem (I know very few people are still on W8.1 but we are on "extended support"). I know it's a different problem, but those two answers by Tratcher helped me to get the template running, I only need to remember to enable HTTP/2 when deploying the app to a new server, or just move to a Linux VM for dev and prod. |
@anurse This is the email I sent it to. Could it be a security thing or maybe it went to junk folder or something? |
I bet it was suppressed due to the file extensions being considered unsafe. I'd suggest either a) sending a download link from OneDrive/DropBox/Google Drive/etc.-like service or b) renaming the files to have different file extensions. |
@anurse Emailed through a Dropbox link |
Hey, O/S: Win 10 Enterprise. I seem to have this issue after updating to .net core 3.0, but a slightly different variation. But thought I'd just mention my experience in case it gives a clue to where the problem may be. On updating, I was asked to re-install the local certs, so I did for my .net core webapi. I then try to visit an endpoint in the browser directly and sure enough, it says NET::ERR_CERT_AUTHORITY_INVALID. On reading this thread, I double checked the cert being served, and it's a certificate I cannot find anywhere on my machine. I have deleted all my localhost certs from the certificate console, reinstalled new ones etc. several times, but the browser is always serving an old cert. Now, here's where I get confused. I load up another WebApi project of mine that's still dotnet 2.2, and in the same browser session, go visit an API endpoint and it picks up the new certs perfectly fine and it all works. Swapping the projects back again and hitting an identical endpoint, e.g. https://localhost:5001/api/system/info is in both projects, the .net 3.0 gives me invalid cert again! Like I say, this is slightly different to the OP as he seems to be getting the correct cert and still having this issue |
@codecoded are you using containers for any of this? The dev cert gets copied to temp locations accessible from containers. |
To circle back to the original issue. @hristijankiko sent us some great details (including a Wireshark trace that was very helpful). We identified that the server was selecting a cipher suite on the HTTP/2 block-list due to "inadequate security". It turns out this was a machine-level configuration issue caused by upgrading from earlier Windows versions. The fix was to manually configure the TLS cipher suites to match the new Windows 10 defaults (see https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1903). It's curious that this was necessary even though @hristijankiko was using Windows 10 v1903 but we will check in on this internally. No further action on the original issue is needed in ASP.NET Core.
@codecoded It's much better to just post a new issue even if it seems related. Let us handle the process of marking it as a duplicate ;). Unless you're very confident it's the same cause, go ahead and create a new issue, we don't mind a little duplication and it's easier for us to keep separate issues separate. I'm going to close this as the original issue is resolved, please move discussions of other issues to new threads. |
WOW! What a thread! I'm doing this in development for an Angular app. So if your config looks anything like mine all I did to get it working was add the
|
What's the chance of getting a Windows hotfix for this? The cipher suite declarations in these OSes are essentially corrupted. |
@jhudsoncedaron you'll need to contact Microsoft Support about that. |
Actually, we traced it further and found that generally it's IT policies setting these incorrect TLS suite orders. Upgrades should work fine. If you're seeing this incorrect Cipher Suite ordering (i.e. not matching the list in https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1903) please check with your IT administrators (if any) first to see if they've modified them. If you see this incorrect ordering but don't have any IT policies in place, then contact Microsoft Support. And finally, if you see correct cipher suite ordering but are still having trouble with ASP.NET Core (or if you have other questions) please feel free to open a new bug! |
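The cipher-suite ordering problem described in the two maintainer comments above (the server selecting a suite on the HTTP/2 block-list, and policy-set suite orders) can be checked offline. The following is an added example, not code from this thread or from ASP.NET Core: it applies the rule stated in RFC 7540 Appendix A (the block-list covers suites without an ephemeral key exchange or without an AEAD cipher) to an ordered suite list. The suite lists are constructed sample data, and the server-preference selection in `negotiate` is a modelling assumption.

```python
import re

# Rule of thumb from RFC 7540 Appendix A: a TLS 1.2 suite is fit for HTTP/2 only
# if its key exchange is ephemeral (DHE/ECDHE) and its cipher is AEAD.
EPHEMERAL_KX = ("TLS_ECDHE_", "TLS_DHE_")
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}
CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")  # older Windows names end in a curve

def normalize(name):
    return CURVE_SUFFIX.sub("", name.strip().upper())

def http2_acceptable(name):
    n = normalize(name)
    if n in TLS13_SUITES:
        return True
    return n.startswith(EPHEMERAL_KX) and any(m in n for m in AEAD_MARKERS)

def negotiate(server_order, client_offer):
    """Model assumption: the server picks its first-ranked suite the client offers."""
    offered = {normalize(c) for c in client_offer}
    return next((s for s in map(normalize, server_order) if s in offered), None)

def misranked(server_order):
    """Unacceptable suites ranked above at least one acceptable suite."""
    names = [normalize(s) for s in server_order]
    ok = [http2_acceptable(n) for n in names]
    last_ok = max((i for i, good in enumerate(ok) if good), default=-1)
    return [n for i, n in enumerate(names) if not ok[i] and i < last_ok]

# Constructed sample data: a policy-style order with weak suites on top,
# the same suites reordered, and a browser-like client offer.
MISORDERED = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",
              "TLS_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
FIXED = [MISORDERED[2], MISORDERED[3], MISORDERED[0], MISORDERED[1]]
CLIENT_OFFER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for label, order in (("misordered", MISORDERED), ("fixed", FIXED)):
        suite = negotiate(order, CLIENT_OFFER)
        ok = suite is not None and http2_acceptable(suite)
        print(label, suite, "HTTP/2 ok" if ok else "INADEQUATE_SECURITY")
        print("  misranked:", misranked(order))
```

Feed it the machine's configured order (one suite name per list entry) in place of the constructed lists; any name returned by `misranked` is a candidate for the ordering fault discussed above.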
I'm interested in this, I have a machine on a (very nearly) clean 2016 domain in a lab and am experiencing the same problem, also on v1903. First the list was unset, so I set it to the defaults, no go. Considering this is failing on a default I'm kind of worried to even touch it. |
@anurse : Observed on out-of-the-box Windows Server 2012 R2 with no policy pushed to it. |
@jhudsoncedaron Is that as the client or server? 2012 R2 pre-dates Win10 and direct Http/2 support. It can be made to work by tweaking the ciphers list. |
@Tratcher : It's on the server, and causes complete failure of the Kestrel server on https with a default Kestrel configuration. We didn't actually check but we're reasonably certain the |
Yeah, in hindsight Kestrel shouldn't have enabled HTTP/2 by default on 2012 R2, only on 2016 and Win10. @anurse that still might be worth changing since it's hard to make work out of the box. I'll open a specific issue for it. |
@Tratcher : I'd like to know how you plan to work around the fact that Environment.OSVersion returns the wrong value. In our debate we came up with checking for the presence of the |
Environment.OSVersion returns the correct version if you enable Win10 support in the manifest. |
@Tratcher : I am aware of that. The default project template does not set that manifest parameter. The primary difficulty involved is when a library (rather than an executable) has to care, and Kestrel is a library. |
@jhudsoncedaron good point. Moving this part of the discussion to #16811. |
Describe the bug
A clear and concise description of what the bug is.
When https is used chrome and other browsers error out with
ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY
when the api is accessed.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
The api should be available through https as is through http.
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Generating new https certificates did not help (dotnet dev-certs https --clean and dotnet dev-certs https --trust).
.NET Core SDK (reflecting any global.json):
Version: 3.0.100
Commit: 04339c3a26
Runtime Environment:
OS Name: Windows
OS Version: 10.0.18362
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\3.0.100\
Host (useful for support):
Version: 3.0.0
Commit: 7d57652f33
.NET Core SDKs installed:
2.1.4 [C:\Program Files\dotnet\sdk]
2.1.201 [C:\Program Files\dotnet\sdk]
2.1.202 [C:\Program Files\dotnet\sdk]
2.1.302 [C:\Program Files\dotnet\sdk]
2.1.504 [C:\Program Files\dotnet\sdk]
2.1.600-preview-009472 [C:\Program Files\dotnet\sdk]
2.1.600 [C:\Program Files\dotnet\sdk]
2.1.601 [C:\Program Files\dotnet\sdk]
2.1.602 [C:\Program Files\dotnet\sdk]
2.1.700-preview-009597 [C:\Program Files\dotnet\sdk]
2.1.700-preview-009601 [C:\Program Files\dotnet\sdk]
2.1.700-preview-009618 [C:\Program Files\dotnet\sdk]
2.1.700 [C:\Program Files\dotnet\sdk]
2.1.800-preview-009677 [C:\Program Files\dotnet\sdk]
2.1.801 [C:\Program Files\dotnet\sdk]
2.1.802 [C:\Program Files\dotnet\sdk]
3.0.100 [C:\Program Files\dotnet\sdk]
.NET Core runtimes installed:
Microsoft.AspNetCore.All 2.1.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.0-rc1-19456-20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download