SignalR core client is not connecting to SignalR core hub over Https #14102

Closed
mrsaadabbasi opened this issue Sep 18, 2019 · 5 comments
Labels
area-signalr Includes: SignalR clients and servers Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue.

Comments

@mrsaadabbasi

I have created a SignalR hub in ASP.NET Core and deployed it on Linux. I am using nginx as a reverse proxy server that redirects my request to a dotnet core application hosted on Kestrel.

My SignalR clients are Windows Forms applications. The SignalR hub URL is "/myhub". When my SignalR client accesses the hub over HTTP (http://myIPhere/myhub), it connects to the hub, but when my client accesses the HTTPS URL (https://myIPhere/myhub), it does not connect.
Is there an issue with SSL? As I do not have a trusted certificate for my web application (on which the SignalR hub is created), I have created a local test certificate for my web application.

After watching outgoing requests in Fiddler, I am getting "error:handshake was canceled" from the hub.

Following is my nginx configuration:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_name myIP;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    root /var/www/html;

    index index.html index.nginx-debian.html;
    proxy_buffering off;
    location / {
        proxy_pass http://myIP:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

@mkArtakMSFT mkArtakMSFT added the area-signalr Includes: SignalR clients and servers label Sep 18, 2019
@BrennanConroy
Member

SSL should work fine. Could you show the logs from server and client, preferably at the debug level?
https://docs.microsoft.com/aspnet/core/signalr/diagnostics?view=aspnetcore-2.2

@BrennanConroy BrennanConroy added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Sep 21, 2019
@analogrelay
Contributor

analogrelay commented Sep 25, 2019

> As I do not have a trusted certificate for my web application (on which the SignalR hub is created), I have created a local test certificate for my web application.

You do need to configure the SignalR client to accept untrusted SSL certificates. Have you done this?

You need to change the WebSocket configuration and HttpClient configuration to accept your custom certificate by adding a custom certificate validation callback. Right now that's not trivial (we should improve this, I filed #14427). You can use the HttpMessageHandlerFactory and WebSocketConfiguration properties to modify configuration here.

// Requires: using System.Net.Http; using System.Net.Security; using Microsoft.AspNetCore.SignalR.Client;
_connection = new HubConnectionBuilder()
    .WithUrl(_hubRoot, options =>
    {
        // Register the custom handler above and also configure WebSockets
        options.HttpMessageHandlerFactory = handler =>
        {
            if (handler is HttpClientHandler clientHandler)
            {
                clientHandler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, certChain, policyErrors) =>
                {
                    // Validate the cert here and return true if it's correct.
                    // If this is a development app, you could just return true always
                    // In production you should ALWAYS either use a trusted cert or check the thumbprint of the cert matches one you expect.
                    // Placeholder so the lambda compiles: accepts only certs that pass default validation.
                    return policyErrors == SslPolicyErrors.None;
                };
            }
            return handler;
        };
        options.WebSocketConfiguration = sockets =>
        {
            sockets.RemoteCertificateValidationCallback = (sender, certificate, chain, policyErrors) =>
            {
                // You have to repeat your cert validation code here. Feel free to use a helper method!
                return policyErrors == SslPolicyErrors.None; // Placeholder, as above
            };
        };
    })
    .Build();

Let us know if that resolves the issue. If not, we can investigate further.
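
The snippet above leaves the validation logic to the reader. As an added example (not part of the comment above or of the SignalR code base), here is one helper that both callbacks can share; it pins the SHA-256 fingerprint of the test certificate. The class name, method names and the fingerprint placeholder are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertificateValidator
{
    // Placeholder (assumption): SHA-256 fingerprint of the test certificate, hex-encoded.
    // Read it from the certificate file on the server, not from the connection itself.
    private const string ExpectedSha256 = "<SHA256-FINGERPRINT-OF-YOUR-TEST-CERTIFICATE>";

    // Same parameter list as RemoteCertificateValidationCallback, so it can be
    // assigned directly to the WebSocket option and wrapped for HttpClientHandler.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors policyErrors)
    {
        // A certificate that already passes platform validation needs no pin.
        if (policyErrors == SslPolicyErrors.None)
            return true;

        // No certificate presented: nothing to compare, always reject.
        if (certificate == null ||
            (policyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        // Chain or name errors are expected for a self-signed test certificate;
        // accept only if this is exactly the certificate that was pinned.
        return FingerprintMatches(certificate.GetRawCertData(), ExpectedSha256);
    }

    public static bool FingerprintMatches(byte[] rawCertificate, string expectedHex)
    {
        if (rawCertificate == null || string.IsNullOrWhiteSpace(expectedHex))
            return false;

        string actual;
        using (var sha256 = SHA256.Create())
            actual = BitConverter.ToString(sha256.ComputeHash(rawCertificate)).Replace("-", "");

        // Tolerate the "AA:BB:.." and "AA BB .." spellings that tools print.
        string expected = expectedHex.Replace(":", "").Replace(" ", "");
        return string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase);
    }
}

// Wiring into the two callbacks from the snippet above:
//   clientHandler.ServerCertificateCustomValidationCallback =
//       (request, cert, chain, errors) => PinnedCertificateValidator.Validate(request, cert, chain, errors);
//   sockets.RemoteCertificateValidationCallback = PinnedCertificateValidator.Validate;
```

With the placeholder left unchanged, no fingerprint matches, so only certificates that pass normal platform validation are accepted.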

@analogrelay
Contributor

Closing this as we haven't heard from you and generally close issues with no response after some time. Please feel free to comment if you're able to get the information we're looking for and we can reopen the issue to investigate further!

@Sarsue

Sarsue commented Nov 11, 2019

Hello, I have the same issue and tried to implement the suggested fix. This is the error I get.

'ClientWebSocketOptions' does not contain a definition for 'RemoteCertificateValidationCallback' and no accessible extension method 'RemoteCertificateValidationCallback' accepting a first argument of type 'ClientWebSocketOptions' could be found (are you missing a using directive or an assembly reference?)

@analogrelay
Contributor

The RemoteCertificateValidationCallback API is currently only available in .NET Core (https://apisof.net/catalog/System.Net.WebSockets.ClientWebSocketOptions.RemoteCertificateValidationCallback). If you're not running on .NET Core, you won't be able to configure this option.

@ghost ghost locked as resolved and limited conversation to collaborators Dec 11, 2019