HttpClient class throws System.Net.InternalException when custom SSL certificate is added to the related HttpMessageHandler

[krishnakanumuri]

.NET Core app throws below exception when tired to use a manual SSL certificate option. The same code works works in .NET Framework. Also the same code works with .NET Core runtime on windows server 2016 version. Not sure what's going on.

.NET Core Runtime: 2.1.5
OS Version: Windows 10 1803 (build 17134.523)

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner xception. ---> System.Net.InternalException: Exception of type 'System.Net.InternalException' was thrown.
at System.Net.SecurityStatusAdapterPal.GetSecurityStatusPalFromInterop(SECURITY_STATUS win32SecurityStatus, Boolean attachException)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Security.SslState.ThrowIfExceptional()
at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
at System.Net.Security.SslStream.<>c.b__47_1(IAsyncResult iar)
at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Threading.Tasks.ValueTask1.get_Result() at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken) at System.Threading.Tasks.ValueTask1.get_Result()
at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask1 creationTask) at System.Threading.Tasks.ValueTask1.get_Result()
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at HTTPClientCore.Program.Main(String[] args) in C:\Krishna\WS\HTTPClientCore\Program.cs:line 33

Here is the code of my app

ServicePointManager.Expect100Continue = true;          
HttpClientHandler h = new HttpClientHandler();
h.ClientCertificateOptions = ClientCertificateOption.Manual;
Console.WriteLine("Enter Certificate Path:");
string file = Console.ReadLine();
int res = h.ClientCertificates.Add(new X509Certificate2(file, "fred"));                
h.ServerCertificateCustomValidationCallback = (a,b,c,d)=> { return true; };
HttpClient client = new HttpClient(h);               
Console.WriteLine("Enter request path:");
string request = Console.ReadLine();
StringContent body = new StringContent(File.ReadAllText(request));
body.Headers.ContentType = new MediaTypeHeaderValue("text/xml");
body.Headers.Add("SOAPAction", "getPoleObjects");
var responseMessage = await client.PostAsync("https://xx.xx.xx.xxx/servicename", body);
string result = await responseMessage.Content.ReadAsStringAsync();
Console.WriteLine(result);

[davidsh]

.NET Core app throws below exception when tired to use a manual SSL certificate option. The same code works works in .NET Framework. Also the same code works with .NET Core runtime on windows server 2016 version. Not sure what's going on.

Since you are creating a client certificate manually using code:

int res = h.ClientCertificates.Add(new X509Certificate2(file, "fred"));

that raises the question of how/if the private key is encoded in that? And what permissions are being given to the private key? Most times, errors like this using client TLS certificates are due to problems accessing the private key of the X509Certificate2 object.

Some experiments you can try include importing the X509Certificate2 object into the per-user Personal certificate store. That would help make sure that your process has access to the private key.

And, unrelated, this line of code does nothing on .NET Core:

ServicePointManager.Expect100Continue = true;

@bartonjs

[krishnakanumuri]

Thanks @davidsh that did the trick. Importing the certificate into the personal store has fixed the issue and it is working now 👍. So even when we use the manual certificates it is required to install them to the account personal store? And why this security model/validation is different from .NET Framework model?

[wfurt]

cc @bartonjs for remaining question about stores.

[bartonjs]

There shouldn't be any requirement for things to be in an X509Store. If the certificate was added to the store programmatically I can't think of anything different that might have happened. If it was added via MMC then perhaps there were intermediates also in the PFX that got also imported; but that would only affect selection (as far as I know) if you had more than one certificate in the ClientCertificates collection (because then a "which one should I use" algorithm kicks in).

As for permissions to the private key... if you've just opened the PFX you have permission to the key (or the import would have failed) -- unless there's an Impersonation boundary between where you loaded it and where you tried to use it, of course.

[krishnakanumuri]

Thanks @bartonjs. I can confirm that there is only one certificate and there are no intermediate certificates are given separately or installed separately. as this is in a developement environment i have handled the validation failure and forced to use the certificate by adding them to the associated HTTPClientHandler.

regarding the certificate permissions, not sure if i understand completely, but just to clarify the certificate i am using is located on the same computer that program is running and my account have full access to the folder location and program is running from my login sessions only so i would assume it is running under my identity so the program should've complete access to the pfx file.

[davidsh]

@code2mars

There have been several fixes/optimizations made to HttpClient, SslStream and related classes in .NET Core 3.0. Can you try out the latest preview release of .NET Core 3.0? If this problem is still occurring, please let us know and we can re-activate this issue. Thanks.

https://devblogs.microsoft.com/dotnet/announcing-net-core-3-preview-4/