Adding certificate chain to TLS 1.2 connection in .NET core 2.1 #27459

Closed
asjafjell opened this issue Sep 24, 2018 · 4 comments
Labels
area-System.Net.Security os-linux Linux OS (any supported distro)
Milestone

Comments

@asjafjell

We are currently porting a library from .NET Framework 4.6.1 to .NET Core 2.1. This is in reference to #24726, where the issue was Libcurl/LibreSSL and TLS. In 2.1, this was fixed using the new SocketsHttpHandler under the hood. Our next issue is to include the certificate chain in the request.

We are currently creating a handler like this:

HttpClientHandler handler = new HttpClientHandler();
var clientCertificates = new X509Certificate2Collection {ClientConfiguration.Certificate};
handler.ClientCertificates.AddRange(clientCertificates);
handler.ServerCertificateCustomValidationCallback = ValidateServerCertificateThrowIfInvalid;

and using it in a client:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

var client = HttpClientFactory.Create(
    handler,
    ... some handlers excluded ...
);

In .NET Framework this will result in a handshake with the client certificate and the whole chain up to and including the root certificate. This is not the case in .NET Core, where we only get the certificate itself, causing a server side error:

General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Manually diffing an OK request against a failing one quickly reveals that the biggest difference is that .NET Core is not including the certificate chain.

How can we include the chain in the request? All help is appreciated.

@asjafjell asjafjell changed the title Adding certificate chain to TLS 1.2 connection in .NET core Adding certificate chain to TLS 1.2 connection in .NET core 2.1 Sep 24, 2018
@joshfree
Member

cc: @bartonjs @davidsh

@bartonjs
Member

The chain should be included, if it built successfully (https://github.com/dotnet/corefx/blob/a10890f4ffe0fadf090c922578ba0e606ebdd16c/src/Common/src/System/Net/Http/TlsCertificateExtensions.cs#L76-L96). Presumably macOS was unable to complete the chain locally, probably suggesting that the current user (and/or System.keychain) doesn't trust (or know about) the root.
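The following is an added example, not code from the issue or from dotnet/corefx. It reproduces the diagnostic step the comment above points at: build the chain for the client certificate locally with X509Chain, print each element's status flags (an untrusted or unknown root shows up here as UntrustedRoot or PartialChain), and only construct the HttpClientHandler when the chain builds. The class and method names are assumptions made for this example; the PFX path and password in the usage comment are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical names, not from dotnet/corefx): check locally
// whether the client certificate's chain builds before handing the
// certificate to HttpClientHandler, so a trust problem is reported with its
// status flags instead of surfacing as a server-side PKIX error.
static class ClientChainCheck
{
    // Returns the chain elements (leaf first) when the chain builds,
    // otherwise null after writing the failure reasons to the console.
    public static X509Certificate2Collection TryBuildChain(X509Certificate2 clientCert)
    {
        using (var chain = new X509Chain())
        {
            // The question here is trust-path building, not revocation.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            bool built = chain.Build(clientCert);
            Console.WriteLine($"Chain built: {built}, elements: {chain.ChainElements.Count}");

            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine($"  {element.Certificate.Subject}");
                foreach (X509ChainStatus status in element.ChainElementStatus)
                {
                    // Typical values: UntrustedRoot, PartialChain, NotTimeValid
                    Console.WriteLine($"    {status.Status}: {status.StatusInformation}");
                }
            }

            if (!built)
            {
                return null;
            }

            var collection = new X509Certificate2Collection();
            foreach (X509ChainElement element in chain.ChainElements)
            {
                collection.Add(element.Certificate);
            }
            return collection;
        }
    }

    // Builds the handler only when the chain is complete; otherwise fails
    // early with a message that names the real cause.
    public static HttpClientHandler CreateHandler(X509Certificate2 clientCert)
    {
        if (TryBuildChain(clientCert) == null)
        {
            throw new InvalidOperationException(
                "Client certificate chain could not be built; " +
                "the issuing CA is not trusted or not present in the local store.");
        }

        var handler = new HttpClientHandler();
        // On .NET Core the protocol is set on the handler, not via
        // ServicePointManager, which does not affect SocketsHttpHandler.
        handler.SslProtocols = SslProtocols.Tls12;
        handler.ClientCertificates.Add(clientCert);
        return handler;
    }

    // Usage (placeholder path and password):
    // var handler = ClientChainCheck.CreateHandler(
    //     new X509Certificate2("client.pfx", "pfx-password"));
    // var client = new HttpClient(handler);
}
```

Running TryBuildChain on the machine that makes the request shows the same result the runtime gets when it decides whether to send the chain: if it prints UntrustedRoot or PartialChain, the fix is in the local trust store (on macOS, the Keychain trust setting for the root), not in the handler configuration.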

@asjafjell
Author

You are correct, @bartonjs! Thank you for the swift reply. For some reason, the certificate was marked as untrusted by macOS. Unsure if it is a result of the Root CA being a certificate to a third party test environment, but a production certificate seems to work perfectly. We will do testing to see if it works with the Root Test CA when flagged as trusted.

@asjafjell
Author

The certificate was marked as Never Trust in Keychain Access. Setting it to Use system defaults fixes it. Thanks for now. This can now be closed.

@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the 3.0 milestone Jan 31, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 15, 2020