The handler does not support client authentication certificates with this combination of libcurl (7.54.0) and its SSL backend ("LibreSSL/2.0.20")

[mayconbeserra]

I'm having an issue when calling an endpoint with the following code, and I don't know what can solve that critical issue on mac:

var handler = new HttpClientHandler();
handler.ClientCertificates.Add(cert);
var client = new HttpClient(handler);
var result = await client.GetAsync(url);

The error is below:

System.PlatformNotSupportedException: The handler does not support client authentication certificates with this combination of libcurl (7.54.0) and its SSL backend ("LibreSSL/2.0.20").
   at System.Net.Http.CurlHandler.SslProvider.SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption)
   at System.Net.Http.CurlHandler.EasyRequest.InitializeCurl()
   at System.Net.Http.CurlHandler.MultiAgent.ActivateNewRequest(EasyRequest easy)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()

curl --version

curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy

dotnet info

.NET Command Line Tools (2.1.4)

Product Information:
 Version:            2.1.4
 Commit SHA-1 hash:  5e8add2190

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.13
 OS Platform: Darwin
 RID:         osx.10.12-x64
 Base Path:   /usr/local/share/dotnet/sdk/2.1.4/

Microsoft .NET Core Shared Framework Host

  Version  : 2.0.5
  Build    : 17373eb129b3b05aa18ece963f8795d65ef8ea54

[karelz]

This is a known limitation of our current stack. The only workaround is to use OpenSSL/1.0-backed libcurl.
In future, we plan to roll out ManagedHandler (SocketsHttpHandler) which will not suffer from this problem.

[karelz]

cc @wfurt for Mac instructions to get the right libcurl.

[wfurt]

no, that won't work either @karelz this is essentially dup of https://github.com/dotnet/corefx/issues/26446 and https://github.com/dotnet/corefx/issues/19718 will fix this.

[mayconbeserra]

hmmmm..... is there any workaround for that? basically, I have a bunch of APIs to call and I need to use certificates. It'd be awesome to hack this and make it work in my local environment.

brew install curl --with-openssl
brew link --force curl
export DYLD_LIBRARY_PATH=/usr/local/lib/

I have also tried the suggestion from Stephan in https://github.com/dotnet/corefx/issues/9728#issuecomment-234418291

However, it didn't work

Any workarounds and thoughts would be welcome

[mayconbeserra]

@wfurt @karelz

I've upgraded my curl and now it's:

curl --version

curl 7.58.0 (x86_64-apple-darwin17.4.0) libcurl/7.58.0 OpenSSL/1.0.2n zlib/1.2.11
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy

Error after updating curl:
System.PlatformNotSupportedException: The handler does not support client authentication certificates with this combination of libcurl (7.54.0) and its SSL backend ("LibreSSL/2.0.20")

I managed to change the curl version to be 7.58, but .NET Core 2 is still using 7.54.

Is there any way to my current .NET Core installation to use the new version of LibCurl and OpenSSL?

Why is it getting the old version of curl?

[jrr]

@mayconbeserra I suspect you're not getting libcurl 7.58 on your loader path. I'm able to get it with e.g. DYLD_LIBRARY_PATH=/usr/local/opt/curl/lib dotnet run.

That doesn't fix the issue, though:

Unhandled Exception: System.PlatformNotSupportedException: The handler does not support client authentication certificates with this combination of libcurl (7.58.0) and its SSL backend ("OpenSSL/1.0.2n").

[karelz]

I did more digging and unfortunately the story is currently weird.

If you need to just skip client certificates on your dev environment (Mac) for developer-only! purposes, then you can use DangerousAcceptAnyServerCertificateValidator - that should work with any Libcurl combo.
If you truly need custom client certificates support on Mac, then unfortunately neither libuclr+OpenSSL10 won't help as we switched to Apple native crypto APIs in 2.0 (#19718 is not implemented). Given #21679 cost (non-trivial), we recommend to rely on SocketsHttpHandler (aka ManagedHandler) in 2.1 (likely as opt-in) to work around the problem.

Please let me know if the first dev-only workaround works for you.
Overall we should close this issue as duplicate of #24726, unless there is evidence this problem is different. Thanks!

[mayconbeserra]

Thanks @karelz , unfortunately it doesn't with DangerousAcceptAnyServerCertificateValidator. I applied the suggestion from @jrr and I managed to call use libcurl+openSSL10, but as you mentioned, it won't work.

When is .NET Core 2.1 going to be available? Is there a preview to download right now?

[karelz]

@mayconbeserra can you please paste a code showing what exactly doesn't work with DangerousAcceptAnyServerCertificateValidator? We might need to dig into that if that's true.

.NET Core 2.1 official timeline is here: https://github.com/dotnet/core/blob/master/roadmap.md#upcoming-ship-dates
Preview should be out soon-ish.

[mayconbeserra]

@karelz the code is:

var handler = new HttpClientHandler();

handler.ServerCertificateCustomValidationCallback = System.Net.Http.HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
handler.ClientCertificates.Add(cert);

var client = new HttpClient(handler);
var result = await client.GetAsync(url);

is that correct?

[karelz]

Just to clarify: Your server requires client certificate to be sent? (the ServerCertificateCustomValidationCallback will only take care of ignoring server certificate)
If that's the case, you can't use OSX in that scenario until 2.1 with SocketsHttpHandler.

[davidsh]

.NET Core 2.1 RC1 has been released. It is suitable for use in production environments. The default HTTP stack is no longer based on Curl (for Linux). It will use the new managed implementation (SocketsHttpHandler).

See:
https://blogs.msdn.microsoft.com/dotnet/2018/05/07/announcing-net-core-2-1-rc-1/

If you use .NET Core 2.1, then your problem with client certificates should be solved. Closing this issue. Let us know if you have other problems after upgrading to 2.1. If so, please open a new issue for

[detaybey]

upgraded to RC1, sadly I am having the same issue.
macOS High Sierra 10.13.4
dotnet --version => 2.1.300-rc1-008673

The handler does not support custom handling of certificates with this combination of libcurl (7.54.0) and its SSL backend ("LibreSSL/2.0.20")

[stephentoub]

@detaybey, either you're not actually using rc1, or you've explicitly opted via an environment variable or app context switch to not use the default handler, as that error message is only possible when opting out of the default.

[davidsh]

@detaybey
Can you add this line of code to your project? It will print out what the .NET Core binary path is. That will confirm whether you are using 2.0 or 2.1-rc1 etc.

Console.WriteLine($"(Framework: {Path.GetDirectoryName(typeof(object).Assembly.Location)})");

[mbalsam]

Got the same thing:

The handler does not support custom handling of certificates with this combination of libcurl (7.54.0) and its SSL backend ("LibreSSL/2.0.20").

I added the path.GetDirectoryName and it shows

/usr/local/share/dotnet/shared/Microsoft.NETCore.App/2.0.5

dotnet --info
.NET Core SDK (reflecting any global.json):
Version: 2.1.300-rc1-008673
Commit: f5e3ddbe73

Runtime Environment:
OS Name: Mac OS X
OS Version: 10.13
OS Platform: Darwin
RID: osx.10.13-x64
Base Path: /usr/local/share/dotnet/sdk/2.1.300-rc1-008673/

Host (useful for support):
Version: 2.1.0-rc1
Commit: eb9bc92051

.NET Core SDKs installed:
2.1.4 [/usr/local/share/dotnet/sdk]
2.1.300-rc1-008673 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
Microsoft.AspNetCore.All 2.1.0-rc1-final [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.0-rc1-final [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.0.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.0-rc1 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download

One note: This code was compiled on a PC and ssh'ed to the mac.

[davidsh]

/usr/local/share/dotnet/shared/Microsoft.NETCore.App/2.0.5

This means that your app is still using .NET Core 2.0 and not .NET Core 2.1. And that means that the CurlHandler HTTP stack is still being used...which is why you continue to see the error.

It looks like you did install .NET Core 2.1-RC1. Your machine now has both .NET Core 2.0.x and .NET Core 2.1-RC1 installed.

So, I think this means that you need to re-target your app by modifying your .CSPROJ file so that it will compile and target .NET Core 2.1.

Can you please share your .CSPROJ file? It will need to change in order to target .NET Core 2.1.

[Legedric]

I resolved the issue on my Mac by installing the latest version of the .Net Core 2.1.0-300-rc1 package.

At first I tried to use the -200 version but that somehow did not let me change the TargetFramework in my .csproj files to netcoreapp2.1 as it always said that 2.1 is not a supported target framework.

Installing the RC of -300 fixed that issue for me and after I changed my csproj file to target 2.1 like this, the handler error got resolved.

<PropertyGroup>
    <TargetFramework>netcoreapp2.1</TargetFramework>
  </PropertyGroup>

Do not forget to also change the versions of your package references accordingly like for example:

<ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.All" Version="2.1.0-rc1-final" />
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="2.1.0-rc1-final" />
  </ItemGroup>

[mbalsam]

For now, we're just doing everything from the cmdline with dotnet.exe on windows 10.

These are our steps:

• Created a new directory
• enabled tracing with set COREHOST_TRACE=1
• Ran dotnet new console --name testfor21
• edited global.json and pointing to "2.1.4"
• edited the csproj to look like this

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp2.1</TargetFramework>
    <TargetFrameworkVersion>2.1.4</TargetFrameworkVersion>
  </PropertyGroup>
</Project>

• We compiled using dotnet run testfor21 > console.log

We see these errors at the end of the process.

C:\Program Files\dotnet\sdk\2.1.4\Sdks\Microsoft.NET.Sdk\build\Microsoft.NET.TargetFrameworkInference.targets(135,5): error : The current .NET SDK does not support targeting .NET Core 2.1.4. Either target .NET Core 2.0 or lower, or use a version of the .NET SDK that supports .NET Core 2.1.4. [c:\dev\do
tnettests\testfor21\testfor21.csproj]

When we do a dotnet --info we get this

c:\dev\dotnettests\testfor21>dotnet --info
.NET Command Line Tools (2.1.4)

Product Information:
Version: 2.1.4
Commit SHA-1 hash: 5e8add2190

Runtime Environment:
OS Name: Windows
OS Version: 10.0.17134
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\2.1.4\

Microsoft .NET Core Shared Framework Host

Version : 2.0.7
Build : 2d61d0b043915bc948ebf98836fefe9ba942be11

I'm attaching the output from the run command. Many thanks for your help!!!!!

output.zip

[karelz]

2.1.4 is version number of SDK/tooling. Framework/runtime version is 2.0.7 or 2.1-rc (or something like that).

[mbalsam]

Ok, I removed TargetFrameworkVersion from the csproj

I run "dotnet run testfor21.csproj"

case 1:
I have no global .json
<TargetFramework>netcoreapp2.0</TargetFramework> It compiles and Path.GetDirectoryName(typeof(object).Assembly.Location)}) prints

(Framework: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\2.0.7)

case 2:
I have no global .json
<TargetFramework>netcoreapp2.1</TargetFramework>
I get

error : The current .NET SDK does not support targeting .NET Core 2.1. Either target .NET Core 2.0 or lower, or use a version of the .NET SDK that supports .NET Core 2.1. [c:\dev\dotnettests\testfor21\testfor21.csproj]

case 3:
<TargetFramework>netcoreapp2.1</TargetFramework>
Specify global.json = "sdk": { "version": "2.1.4" }

I get this line twice:

error : The current .NET SDK does not support targeting .NET Core 2.1. Either target .NET Core 2.0 or lower, or use a version of the .NET SDK that supports .NET Core 2.1. [c:\dev\dotnettests\testfor21\testfor21.csproj]

@karelz - if you have time, please be specific in your response as to what i should try! :)

[davidsh]

The version of the SDK you have doesn't actually have .NET Core 2.1 in it. That is why you are getting this error message:

The current .NET SDK does not support targeting .NET Core 2.1.4. Either target .NET Core 2.0 or lower, or use a version of the .NET SDK that supports .NET Core 2.1.4.

Unfortunately, this is confusing because the SDK version shows "2.1.x" but it isn't actually .NET Core 2.1. We hope to fix the version naming of the SDK tools relative to the .NET Core runtime versions in a future release of the SDK.

Please install the lastest .NET Core 2.1 which is .NET Core 2.1 RC:
https://www.microsoft.com/net/download/dotnet-core/sdk-2.1.300-rc1

Then when you do "dotnet --info", you should see something like this:

S:\dotnet\reprotest>dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   2.1.300-rc1-008673
 Commit:    f5e3ddbe73

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.17134
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\2.1.300-rc1-008673\

Host (useful for support):
  Version: 2.1.0-rc1
  Commit:  eb9bc92051

[davidsh]

And further down in the output, it will list all the .NET Core runtimes you have installed, i.e. on my dev machine. You can see down in the list that .NET Core 2.1. RC1 runtime is installed.

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.0-preview2-30431 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.0-rc1-final [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.0-preview2-30431 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.0-rc1-final [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 1.0.0-preview2-002823 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.0.0-rc2-3002353 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.0.0-rc2-3002702 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.0.0-rc3-002823 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.0.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.1.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 1.1.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.0.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.0-preview3-26404-01 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.0-rc1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]

[mbalsam]

David, It worked! Thanks for the help.

Note to others:

I put this in the global.json

 "sdk": {
    "version": "2.1.300-rc1-008673"
  }

and this in the csproj

<TargetFramework>netcoreapp2.1</TargetFramework>

I'm now going to try the same in Visual Studio.

[YARG]

Yep worked for me, I just closed VS2017 on the Mac, downloaded dotnet core 2.1:

https://www.microsoft.com/net/download/thank-you/dotnet-sdk-2.1.302-macos-x64-installer

Opened up VS and the project, repointed to 2.1 (project options -> general) and it worked as expected.

Thanks guys.

[felixfbecker]

I am seeing this error when targeting netstandard2.0. Since there is no netstandard2.1, is there any way to fix this while still being able to run in both .NET Core and .NET Framework?

[stephentoub]

I am seeing this error when targeting netstandard2.0. Since there is no netstandard2.1, is there any way to fix this while still being able to run in both .NET Core and .NET Framework?

It's not about what netstandard version you're using, but what implementation you're actually running on. netstandard is just about the surface area you're targeting. Presumably you're seeing this when running on .NET Core 2.0 on a mac; if you instead run on .NET Core 2.1, it should go away.