-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ASP.NET 5 docker image fails to communicate with TLS1.2 server #48337
Comments
Tagging subscribers to this area: @dotnet/ncl, @vcsjones Issue DetailsDescriptionWe have a ASP.NET Core app inside The SSL labs report can be seen here https://www.ssllabs.com/ssltest/analyze.html?d=stdapi.webflotta.hu I found this document about changes in Linux and .NET 5 and changed the container's ciphers to match the minimal conf file at the bottom of this document and it started working https://docs.microsoft.com/en-us/dotnet/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux Should the MS Docker images have the SSL conf match what is in that document?
|
Well, the This isn't exactly a cipher suite issue. Using the stock Debian container, I can see that the client and server agree on
By changing the SECLEVEL, you're permitting SHA1 signatures. Interestingly, if you disable SNI, it works:
This leads me to believe that the server is using a buggy version of OpenSSL, where signature algorithms were offered incorrectly when using SNI, and is fixed here openssl/openssl#4554. Any chance you know how the server at |
I have no knowledge or control over the server
…On Tue, 16 Feb 2021 at 16:51, Kevin Jones ***@***.***> wrote:
Well, the curl issue reproduces in the original debian:buster docker
image, and likely in Debian as well.
This isn't exactly a cipher suite issue. Using the stock Debian container,
I can see that the client and server agree on ECDHE-RSA-AES256-GCM-SHA384,
but fail because the SigAlg being used is SHA1:
openssl s_client -connect stdapi.webflotta.hu:443 -security_debug_verbose
Security callback: Check Signature Algorithm scheme=rsa_pkcs1_sha1,
security bits=80: no
140237302592640:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong
signature type:../ssl/t1_lib.c:1111
By changing the SECLEVEL, you're permitting SHA1 signatures.
*Interestingly*, if you disable SNI, it works:
openssl s_client -connect stdapi.webflotta.hu:443 -security_debug_verbose -noservername
This leads me to believe that the server is using a buggy version of
OpenSSL, where signature algorithms were offered incorrectly when using
SNI, and is fixed here openssl/openssl#4554
<openssl/openssl#4554>.
Any chance you know how the server at stdapi.webflotta.hu is configured?
It looks like it's using nginx, possibly with a version of OpenSSL that has
the issue you are working around.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#48337 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAZVJSSOYMULXNHA7M46ODS7KPCFANCNFSM4XWSWCXA>
.
|
Triage: this might not be an issue with .NET 5.0 but a server problem. |
What exact distro would you want it tested on?
…On Thu, 18 Feb 2021 at 17:19, Marie Píchová ***@***.***> wrote:
Triage: this might not be an issue with .NET 5.0 but a server problem.
@jchannon <https://github.com/jchannon> does the issue happen outside of
docker as well?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#48337 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAZVJXN5XOAVYQLXDAPIXLS7VD3VANCNFSM4XWSWCXA>
.
|
I can reproduce it with
Debian buster takes a fairly aggressive stance on disabling old algorithms by default, in this case SHA1 signature algorithms. The site is using a configuration that uses SHA1 signature algorithms. My suspicion is that the site uses a buggy version of OpenSSL, indicated by the varying behavior of SNI. |
Purpose of the change was to have secure defaults @jchannon so I think the answer is no. I also feel that is ok if different bistro vends have their unique setting to reflect their preferences. I try same command @vcsjones on Ubuntu 20 and it seems to work. Could you try 5.0-focal @jchannon to see if that works for you? |
@wfurt this actually fails for me in Ubuntu focal as well. When you tested did you get an exit code of 0 or 1? |
yeah. I spoke too soon. 20.04 fails. Ubuntu 18.04 works with & without SNI
That suggest there should be some solution for this particular server. |
This issue has been automatically marked Please refer to our contribution guidelines for tips on what information might be required. |
Same problem, .net 5 images cant connect to SQL server (debian 11) Ubuntu 18.04 working |
This issue has been automatically marked |
I look at this again and I think @vcsjones is right. The site sometimes chooses It does not matter If this is because of the linked bug or something I noticed in #78957 where the site seems to be front-loaded by Changing the
There is openssl/openssl#17662 discussing this but I don't know if anything is directly relevant to .NET APIs and functions. It would just provide more granular choices to the user. cc: @bartonjs for any more thoughts. I don't know if this is same issue as the SQL @cetindogu. Feel free to post more info and possibly simple repro for investigation. |
Description
We have a ASP.NET Core app inside
![curl](https://user-images.githubusercontent.com/105126/108078568-bffd7a00-7065-11eb-9833-24f97b6228b6.png)
mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim
that talks to a server via https (via HttpClient) that seems to report it has TLS1.2 support and ciphers that the image should support. It fails to connect via HttpClient with an SSL exception and also can be seen in curlThe SSL labs report can be seen here https://www.ssllabs.com/ssltest/analyze.html?d=stdapi.webflotta.hu
I found this document about changes in Linux and .NET 5 and changed the container's ciphers to match the minimal conf file at the bottom of this document and it started working https://docs.microsoft.com/en-us/dotnet/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux
Should the MS Docker images have the SSL conf match what is in that document?
@bartonjs
The text was updated successfully, but these errors were encountered: