ServerCertificateCustomValidationCallback throws PlatformNotSupportedException in CentOS.7-x64 #17045

Closed
deepumi opened this Issue Mar 13, 2017 · 6 comments

deepumi commented Mar 13, 2017

As @bartonjs suggested, I am creating a new issue for CentOS. #9728

When using ServerCertificateCustomValidationCallback in .NET Core 1.0.1 on a CentOS 7 64-bit Azure VM, I am getting the following error:

System.PlatformNotSupportedException: The libcurl library in use (7.29.0) and its 
SSL backend ("NSS/3.19.1 Basic ECC") do not support custom handling of certificates. 
A libcurl built with OpenSSL is required.
 
   at System.Net.Http.CurlHandler.SslProvider.SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption)
   at System.Net.Http.CurlHandler.EasyRequest.InitializeCurl()
   at System.Net.Http.CurlHandler.MultiAgent.ActivateNewRequest(EasyRequest easy)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.HttpClient.<FinishSendAsync>d__58.MoveNext()

--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at hwapp.Program.<MakeWebRequest>d__1.MoveNext()

Sample code

using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

namespace hwapp
{
    class Program
    {
        static void Main(string[] args)
        {
            MakeWebRequest().GetAwaiter().GetResult();
            Console.WriteLine("Press any key to exit!");
            Console.ReadKey();
        }

        private static async Task MakeWebRequest()
        {
            var handler = new HttpClientHandler()
            {
                AllowAutoRedirect = false,
                AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip
            };

            // Accepts every server certificate, regardless of sslPolicyErrors.
            // Setting this callback is what triggers the exception on an NSS-backed libcurl.
            handler.ServerCertificateCustomValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

            try
            {
                using (var client = new HttpClient(handler))
                {
                    var result = await client.GetAsync("https://www.google.com");
                    Console.WriteLine(result.StatusCode.ToString());
                }
            }
            catch (Exception exception)
            {
                Console.WriteLine(exception.ToString());
            }
        }
    }
}

stephentoub Mar 13, 2017

Member

The exception message describes the cause and the limitation and suggests the workaround:

The libcurl library in use (7.29.0) and its 
SSL backend ("NSS/3.19.1 Basic ECC") do not support custom handling of certificates. 
A libcurl built with OpenSSL is required.

Custom handling of certificates, e.g. ServerCertificateCustomValidationCallback, requires interaction with System.Security.Cryptography.X509Certificates, which is based on OpenSSL. Thus if libcurl is using a different SSL backend (in your case, NSS), this functionality won't work, because the certificate data won't be understood by the X509Certificates library. The workaround is to switch which libcurl you're using to one that uses OpenSSL.
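
As an added example (not part of the issue thread or the .NET project's code), the following shell script reads the TLS backend from the first line of `curl --version`, the same information the exception message reports. It assumes the `curl` command is linked against the same libcurl that the .NET runtime loads; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which TLS backend a libcurl build uses, based on
# the first line of `curl --version`. Function names are hypothetical.

# Print the TLS backend token (e.g. "NSS/3.19.1") found in a version line,
# or "none" if no known backend name appears. The list is not exhaustive.
libcurl_ssl_backend() {
    for token in $1; do
        case "$token" in
            OpenSSL/*|NSS/*|GnuTLS/*|LibreSSL/*|BoringSSL*|mbedTLS/*|wolfSSL/*|SecureTransport*)
                printf '%s\n' "$token"
                return 0 ;;
        esac
    done
    printf 'none\n'
}

# Succeed only when the backend is OpenSSL, the one the exception message
# says custom certificate handling requires.
supports_custom_cert_handling() {
    case "$(libcurl_ssl_backend "$1")" in
        OpenSSL/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample lines; the first uses the versions quoted in the issue.
SAMPLE_NSS='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7'
SAMPLE_OPENSSL='curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8'

# Check the curl on this machine if present, otherwise the NSS sample.
if command -v curl >/dev/null 2>&1; then
    line=$(curl --version | head -n 1)
else
    line=$SAMPLE_NSS
fi

if supports_custom_cert_handling "$line"; then
    echo "backend $(libcurl_ssl_backend "$line"): custom certificate handling supported"
else
    echo "backend $(libcurl_ssl_backend "$line"): custom certificate handling not supported"
fi
```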

@karelz karelz added this to the 2.0.0 milestone Mar 13, 2017

karelz Mar 13, 2017

Member

Closing as by design - see answer above.

@karelz karelz closed this Mar 13, 2017

deepumi Mar 13, 2017

@stephentoub Do you have any documentation to deal with the switch part?

The workaround is to switch which libcurl you're using to one that uses OpenSSL.

deepumi Mar 13, 2017

Similar issue with PowerShell #2511.

karelz Mar 13, 2017

Member

@Priya91 do you know if we have docs on that? If not, we should create an issue to track adding it.

deepumi Mar 16, 2017

@Priya91 @stephentoub @karelz Thank you all.

The issue has been resolved.
