-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DotNet HttpClient doesn't give SSL Error While curl and Java fails #55322
Comments
Tagging subscribers to this area: @dotnet/ncl Issue DetailsHello Team, We are using DotNet to connect to one of our APIs which is using Let's Encrypt Certificate. There are some issues in the certificate and it is giving SSL issues when we try to connect using curl or java or wget but it works quite fine with DotNet HttpClient. Isn't this a security issue because it might be trusting a certificate which it should not? Please find the code/command and errors from different tools below: Java-11:
Error Message:
Curl
Error Message:
Wget
Error Message:
DotNet
Output:
Details: Question we have here, is what is Please let us know.
|
To verify the certificate, you need full chain to the trusted root. Server is supposed to send everything - 1. You should see that in ServerHello/Certificate. |
Hello @wfurt, Thanks for your input. So I did some reading and have the understanding that there are 3 layers of certificates:
Ideally a server sends all the certificates barring the CA Root Certificate because that is generally known to everyone. In case the intermediate certificates are not sent the DotNet platform fetches it over the internet from different repositories/proxies and stores locally. The other platforms(java/curl/wget) might not be that smart. So with that understanding I know why the above situation is happening. However, we are facing one more issue. One of our envs this is not working and reason is because we don't have internet in that environment. Since it is a non-prod environment we were okay to turn the SSL verification off, but turned out even after ignoring SSL verification there is need of internet somewhere (like checking revoked certificates). We turned that off too, but still there is some problem while making SSL connection. Below is the code we are using: var httpClientHandler = new HttpClientHandler
{
ClientCertificateOptions = ClientCertificateOption.Manual,
CheckCertificateRevocationList = false,
ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, cetChain, policyErrors) =>
{
return true;
}
};
client = new HttpClient(httpClientHandler);
await client
.SendAsync(request)
.ConfigureAwait(false); It times-out after 30 seconds or so with error Below:
Feels like it still requires internet for some check/reason. Is there a way to turn off SSL verification for a client which has no access to internet? What all settings should be turned off. Thanks for all your help. |
You can try packet capture to se what is happening. The validation code will still try to get the missing parts and there is no good way how to avoid it at the moment. If set of sites you need to access is small, you can put all the missing intermediates on the system. See #55368 for some example. |
Hi @wfurt, Thanks for the help. Ideally I would have liked to turn the whole thing off because these are let's encrypt certificate, and server will be renewing it every few months and we will run into similar problem. We don't have much control on the server. I can think of two more ways if possible it will be super helpful to automate:
Thank you for your help. |
.NET will save certificate cache on exit. So in theory one should be able to copy that to other machine(s). However that feels fragile and I would not recommend it. (it also depends on internal behavior that can possible change) There was some discussion and desire to provide better control over certificate validation but that is not going to happen in 6. (and would not meed bar for servicing anyway) |
I hope this is answered @mddubey. |
Hello Team,
We are using DotNet to connect to one of our APIs which is using Let's Encrypt Certificate. There are some issues in the certificate and it is giving SSL issues when we try to connect using curl or java or wget but it works quite fine with DotNet HttpClient. Isn't this a security issue because it might be trusting a certificate which it should not?
Please find the code/command and errors from different tools below:
Java-11:
Error Message:
Curl
Error Message:
Wget
Error Message:
DotNet
Output:
Details:
OS Docker Image From: mcr.microsoft.com/dotnet/core/sdk:3.1.100
Dotnet version: 3.1.100
Question we have here, is what is
Dotnet
doing special which other platforms are missing and is it a security threat in the my application?Please let us know.
Thank you
The text was updated successfully, but these errors were encountered: