Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reopen #44191: SSL/TLS handshake fails in Ubuntu 20.04 and Net 5.0.1 #46271

Closed
ClimberBear opened this issue Dec 20, 2020 · 12 comments
Closed

Reopen #44191: SSL/TLS handshake fails in Ubuntu 20.04 and Net 5.0.1 #46271

ClimberBear opened this issue Dec 20, 2020 · 12 comments
Labels
area-System.Net.Security
Milestone
6.0.0

Comments

@ClimberBear
Copy link

ClimberBear commented Dec 20, 2020
edited
Loading

A client connection created with HttpWebRequest or HttpClient fails with SSL handshake error.

With default openssl.cnf file, we are able to connect a site with curl or openssl s_client, but a sample console program fails.

Sample program: Works fine in Mac and in a container docker, but fails in Ubuntu 20.04

using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Threading.Tasks;

namespace BugSSL
{
    class Program
    {
        static void Main(string[] args)
        {
            Curl("https://www.boe.es/diario_boe/xml.php?id=BOE-S-20201216");
        }

        static void Curl(string url)
        {
            HttpWebRequest request;
            HttpWebResponse response;

            ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault;

            try
            {
                Console.WriteLine("START-------------------------------------------------");
                Console.WriteLine($"Getting URL ${url}");
                request = WebRequest.CreateHttp(url);
                request.Method = "GET";
                
                request.AllowAutoRedirect = true;
                request.AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip;
                request.Headers.Add(HttpRequestHeader.UserAgent, "SSLBugTest/0.0.0");
                using (response = (HttpWebResponse)request.GetResponse())
                {
                    Console.WriteLine($"Response status: {response.StatusCode} {response.StatusDescription}");
                    Console.WriteLine("Response headers");
                    foreach(string header in response.Headers)
                    {
                        Console.WriteLine($"    {header}: {response.GetResponseHeader(header)}");
                    }
                    Console.WriteLine($"Content-Type: {response.ContentType}");
                    Console.WriteLine($"Content-Length: {response.ContentLength}");
                }

                Console.WriteLine("END---------------------------------------------------");

            }
            catch (Exception e)
            {
                TextWriter stderr = Console.Error;
                stderr.WriteLine($"Error processing {url}. Error: {e.Message}");
                stderr.WriteLine(e.StackTrace);
                while(e.InnerException!=null)
                {
                    e = e.InnerException;
                    Console.WriteLine($"Inner exception: {e.Message}");
                    stderr.WriteLine(e.StackTrace);
                }
            }
        }
    }
}

Expected output:


Getting URL $https://www.boe.es/diario_boe/xml.php?id=BOE-S-20201216
Response status: OK OK
Response headers
    Date: Sun, 20 Dec 2020 18:19:19 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    X-Robots-Tag: noindex
    Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' 'self' ; connect-src 'self' ; img-src 'self' eur-lex.europa.eu data: ; style-src 'unsafe-inline' 'self' *.boe.es ; font-src 'self' ; child-src 'self'  www.youtube.com afirma: ; object-src 'self' ; media-src 'self'
    X-Varnish: 466367739
    Age: 0
    Via: 1.1 varnish-v4
    Transfer-Encoding: chunked
    Accept-Ranges: bytes
    Content-Type: application/xml; charset=utf-8
Content-Type: application/xml; charset=utf-8
Content-Length: -1
END---------------------------------------------------

Current output (exception)

START-------------------------------------------------
Using HttpClient and custom socket (custom SslOptions)
Error processing https://www.boe.es/diario_boe/xml.php?id=BOE-S-20201216. Error: The SSL connection could not be established, see inner exception.
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at BugSSL.Program.Curl2(String url) in /Users/jmalbarran/Projects/BTH/BTH/NC5/BugSSL/BugSSL/Program.cs:line 94
Inner exception: Authentication failed, see inner exception.
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
Inner exception: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
Inner exception: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

END---------------------------------------------------

Configuration

$ dotnet --list-sdks
5.0.101 [/usr/share/dotnet/sdk]
$ dotnet --list-runtimes
Microsoft.AspNetCore.App 5.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 5.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
$ openssl version
OpenSSL 1.1.1f  31 Mar 2020
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.1 LTS
Release:	20.04
Codename:	focal

Regression?

Yes, this is a regression. This work fine with Net Core 3.1

Other information

OPENSSL test

$ openssl s_client -connect www.boe.es:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
verify return:1
depth=0 C = ES, postalCode = 28050, ST = Madrid, L = Madrid, street = Avda Manoteras 54, O = Bolet\C3\ADn Oficial del Estado, CN = www.boe.es
verify return:1
---
Certificate chain
 0 s:C = ES, postalCode = 28050, ST = Madrid, L = Madrid, street = Avda Manoteras 54, O = Bolet\C3\ADn Oficial del Estado, CN = www.boe.es
   i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
 1 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
 2 s:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHEzCCBPugAwIBAgIQNhIcMhHtjhL6mLEDddGy0TANBgkqhkiG9w0BAQwFADBE
MQswCQYDVQQGEwJOTDEZMBcGA1UEChMQR0VBTlQgVmVyZW5pZ2luZzEaMBgGA1UE
AxMRR0VBTlQgT1YgUlNBIENBIDQwHhcNMjAwNzEwMDAwMDAwWhcNMjEwNzEwMjM1
OTU5WjCBljELMAkGA1UEBhMCRVMxDjAMBgNVBBETBTI4MDUwMQ8wDQYDVQQIEwZN
YWRyaWQxDzANBgNVBAcTBk1hZHJpZDEaMBgGA1UECRMRQXZkYSBNYW5vdGVyYXMg
NTQxJDAiBgNVBAoMG0JvbGV0w61uIE9maWNpYWwgZGVsIEVzdGFkbzETMBEGA1UE
AxMKd3d3LmJvZS5lczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJx5
XC3jV6x2EXpamd2DT0Ve2hgpIFY9EICg0bprRkKaQlY/wOcnDodhxtu9G1qpF92n
++oaA1CdHj0rwD1wvfo5YHbioqYzU+Xli47nR7MuMCboS1oyw4DkRJu41kF5hNjS
S3dtwFIJxM4M5rh23jPovSoluOMPPMdRDT/PfKwF3++zRey6bnwXspW1k1cwZFDi
hp/baQ2g4l9Bb0n9wvsJmoFWmGcXfeOhiRBApPVWc1a4sY4iBkxQwtkVygfR9Byv
0cJ38/oiwKPZfnwSaQ6m8TlIyeTFLpbukwzawK+/dEY0KI/KdhFOywiXkWWbGpFD
VPusHsbxLIeNcP4tOD8CAwEAAaOCAqwwggKoMB8GA1UdIwQYMBaAFG8dNUkQbDL6
WaCevIroH5W+cXoMMB0GA1UdDgQWBBR/V48Za8M3y9Eh0QkviktFAlKwjzAOBgNV
HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICTzAlMCMGCCsGAQUFBwIB
FhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgIwPwYDVR0fBDgwNjA0
oDKgMIYuaHR0cDovL0dFQU5ULmNybC5zZWN0aWdvLmNvbS9HRUFOVE9WUlNBQ0E0
LmNybDB1BggrBgEFBQcBAQRpMGcwOgYIKwYBBQUHMAKGLmh0dHA6Ly9HRUFOVC5j
cnQuc2VjdGlnby5jb20vR0VBTlRPVlJTQUNBNC5jcnQwKQYIKwYBBQUHMAGGHWh0
dHA6Ly9HRUFOVC5vY3NwLnNlY3RpZ28uY29tMB0GA1UdEQQWMBSCCnd3dy5ib2Uu
ZXOCBmJvZS5lczCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AH0+8viP/4hVaCTC
wMqeUol5K8UOeAl/LmqXaJl+IvDXAAABczeWPS4AAAQDAEgwRgIhAOPLG6mMqqB3
LEqjJC33bh5BLXrNaQbweMitOTxhZzICAiEAtEyM6zAoKwgWJsLSq8t5jv0SYE2m
f8yYnAi3SMZ4b2EAdgCUILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h204vWE2iwgAA
AXM3lj1VAAAEAwBHMEUCIQDoEAt3ru76NoBbpc9J/yRQe63iY2rdZsRTch73Jcsa
GgIgZEAF27vDw7UPmadph+udUgUtDOY4iYATqkzp/tLU1UcwDQYJKoZIhvcNAQEM
BQADggIBABl2lz2mzji5QghUIG09sI6Oku6pa8mtJmRnXrKbhD9Bf+TdLqJGRPC/
O/dTi0HEdOC4r/CrNBe1NDMcj2WdYl6faSdIticioboiFGoaCM3Hvbd6jUeDnN85
KsSRYJU/urumJd04Jc93+SD8+1dCWrVkz3XSa/vAUTzMfpbq9Y0Rba/Ge+jsPmFL
QtYxTp0kWFOlamTjX2aa9XYbgw0RvQhx8KadS5CxGCfEwot+rd78i1JGXBGq5vAG
xJg2dMkiyLeOaM+62sK2hN+HE8VnuxlxjhKSQS+hHFJ/ydda21Th2U2UzkoUE26H
lEGEe9IUYwgh1qZYiLOF2cemHeGD7Lwwx79kei0BHNHV9NgCpOGpvqOvDY/3vyyv
A7Lly3ePxKMM7F2PE1gL52X7eOcdjrgkubGzMTkELip5LbBZD0RFTyDI86W6CJOw
o0mDFGqg3GIHi5/yaP5ic00FmaSBjV0umFaz9Gp+rfuuU5bm6AZamYfa+eFb0XfL
OUezttzdDMC6yECjRtD9hHKKG8qXULjPRdcgLqs+DiV+YkHNQfVqhY1MRFrl7N9x
t5Spw5RKDwdvEQ3LhHJ8hlu5e3l996qVUodJBRZAzOpcXgxP09XQW4uGdmpaDdqz
OAF/4/pvULXbxgE2CzFAuc6/R7wfStmPkyoloP0XYMYcGVRouz2h
-----END CERTIFICATE-----
subject=C = ES, postalCode = 28050, ST = Madrid, L = Madrid, street = Avda Manoteras 54, O = Bolet\C3\ADn Oficial del Estado, CN = www.boe.es

issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4

---
No client certificate CA names sent
---
SSL handshake has read 5335 bytes and written 630 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: B729F1FA713758E64413FE182AAE1AA30F3455D7DD479984B48AD2F4142186B3
    Session-ID-ctx: 
    Master-Key: 1EF606A1967F2932844FE6CE4BC6DE49F639D4ED1D4F4E9AB48300187B2AEEEEF7362F93219258D151F1B9B0E8A9D557
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 7f 9d 6c a3 2f 9d 5d 72-33 39 35 99 08 4d 4e 35   ..l./.]r395..MN5
    0010 - b2 fc 45 94 84 4c 9c 07-ca 9b 2c 33 39 7a 82 f9   ..E..L....,39z..
    0020 - 85 14 a7 9c c0 49 1a 63-c9 06 52 65 b0 41 10 33   .....I.c..Re.A.3
    0030 - e8 b7 6a 31 d0 c8 81 f9-7c 37 53 0c 5f 0a 71 d0   ..j1....|7S._.q.
    0040 - de a6 9a ec c1 50 f3 69-ea df a4 f0 c0 ab e6 fb   .....P.i........
    0050 - cc ba 27 e2 ad 75 c3 a3-9c a2 19 05 6d db 9e dd   ..'..u......m...
    0060 - ea 9c af 6a 77 f5 7e d8-e0 de 4a 1c a6 28 17 00   ...jw.~...J..(..
    0070 - 43 b8 14 f4 c4 65 c2 03-8c 25 2e bc cc 3d be c2   C....e...%...=..
    0080 - 0c d5 97 78 d3 0b 94 50-54 37 e3 12 0d 90 7a 6b   ...x...PT7....zk
    0090 - b9 2c de 02 e1 80 9b b0-c3 c2 ec 2e 9c 29 15 aa   .,...........)..
    00a0 - 3a d5 c5 3a 9a 41 55 54-25 9c c6 6b ee 71 21 e0   :..:.AUT%..k.q!.

    Start Time: 1608488720
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

CURL output

curl -vvv https://www.boe.es/diario_boe/xml.php?id=BOE-S-20201216|more
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 81.89.32.200:443...
* TCP_NODELAY set
* Connected to www.boe.es (81.89.32.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [89 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5013 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=ES; postalCode=28050; ST=Madrid; L=Madrid; street=Avda Manoteras 54; O=Bolet?n Oficial del Estado; CN=www.boe.es
*  start date: Jul 10 00:00:00 2020 GMT
*  expire date: Jul 10 23:59:59 2021 GMT
*  subjectAltName: host "www.boe.es" matched cert's "www.boe.es"
*  issuer: C=NL; O=GEANT Vereniging; CN=GEANT OV RSA CA 4
*  SSL certificate verify ok.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0} [5 bytes data]
> GET /diario_boe/xml.php?id=BOE-S-20201216 HTTP/1.1
> Host: www.boe.es
> User-Agent: curl/7.68.0
> Accept: */*
> 
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 20 Dec 2020 18:26:39 GMT
< Server: Apache
< x-frame-options: SAMEORIGIN
< X-Robots-Tag: noindex
< Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' 'self' ; connect-src 'self' ; img-src 'self' eur-lex.europa.eu data: ; style-src 'unsafe-inline' 'self' *.boe.es ; font-src 'self' ; child-src 'self'  www.youtube.com afirma: ; object-src 'self' ; media-src 'self'
< Content-Type: application/xml; charset=utf-8
< X-Varnish: 479596994
< Age: 0
< Via: 1.1 varnish-v4
< Transfer-Encoding: chunked
< Accept-Ranges: bytes
< 
{ [13884 bytes data]

Here is my code for testing with ALL cipherstrings implemented in Net5 (without using openssl.cnf)


        static async Task Curl2(string url)
        {
            List<TlsCipherSuite> cipherSuites;
            SslClientAuthenticationOptions sslOptions;
            SocketsHttpHandler socketHttpHandler;
            HttpResponseMessage response;

            Console.WriteLine("START-------------------------------------------------");
            Console.WriteLine("Using HttpClient and custom socket (custom SslOptions)");

            cipherSuites = new List<TlsCipherSuite>();
            foreach (TlsCipherSuite cipherSuite in (TlsCipherSuite[]) Enum.GetValues(typeof(TlsCipherSuite)))
            {
                cipherSuites.Add(cipherSuite);
            }

            sslOptions = new SslClientAuthenticationOptions();
            //sslOptions = new SslClientAuthenticationOptions
            //{
            //    CipherSuitesPolicy = new CipherSuitesPolicy(cipherSuites)
            //};
            try
            {
                sslOptions = new SslClientAuthenticationOptions();
                socketHttpHandler = new SocketsHttpHandler
                {
                    SslOptions = sslOptions
                };
                var httpClient = new HttpClient(socketHttpHandler, true);
                using (response = await httpClient.GetAsync(url))
                {
                    Console.WriteLine($"Response status: {response.StatusCode}");
                    Console.WriteLine("Response headers");
                    foreach (KeyValuePair<string, IEnumerable<string>> header in response.Headers)
                    {
                        Console.Write($"    {header.Key}: ");
                        foreach (string value in header.Value)
                        {
                            Console.Write($"{value} ");
                        }
                        Console.WriteLine("");
                    }
                }
            }
            catch (Exception e)
            {
                TextWriter stderr = Console.Error;
                stderr.WriteLine($"Error processing {url}. Error: {e.Message}");
                stderr.WriteLine(e.StackTrace);
                while (e.InnerException != null)
                {
                    e = e.InnerException;
                    Console.WriteLine($"Inner exception: {e.Message}");
                    stderr.WriteLine(e.StackTrace);
                }
            }

            Console.WriteLine("END---------------------------------------------------");


        }
@Dotnet-GitSync-Bot Dotnet-GitSync-Bot added the untriaged New issue has not been triaged by the area owner label Dec 20, 2020
@Dotnet-GitSync-Bot
Copy link
Collaborator

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@ClimberBear
Copy link
Author

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

I don't know how to set the area label, but, obviously, this is a job for @dotnet/ncl

@vcsjones
Copy link
Member

An observation, openssl in Ubuntu 20.04 is compiled with -DOPENSSL_TLS_SECURITY_LEVEL=2. Changing the security level back to 1 gets things working again:

Adding this to the top of /etc/ssl/openssl.cnf:

openssl_conf = default_conf

and this to the bottom of it:

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

I suspect this is related to the site not supported any forward secrecy cipher suites. I'm not recommending this change one way or another, but it appears to play a part of the issue at hand.

@ClimberBear
Copy link
Author

ClimberBear commented Dec 21, 2020
edited
Loading

An observation, openssl in Ubuntu 20.04 is compiled with -DOPENSSL_TLS_SECURITY_LEVEL=2. Changing the security level back to 1 gets things working again:

Adding this to the top of /etc/ssl/openssl.cnf:

openssl_conf = default_conf

and this to the bottom of it:

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1

I suspect this is related to the site not supported any forward secrecy cipher suites. I'm not recommending this change one way or another, but it appears to play a part of the issue at hand.

I already had tried this, with no change.
And this is not coherent with the fact that curl and openssl s_client work both fine with the same configuration.
I have updated the initial report adding a test with ALL possible cipher strings.
Other important consideration. If you miss the correct cipherstring or even force TLSv1, you get a different error (something like not compatible protocol or no common strings, I don't remember now).

@ClimberBear ClimberBear mentioned this issue Dec 21, 2020
Closed
@ghost
Copy link

ghost commented Dec 21, 2020

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

A client connection created with HttpWebRequest or HttpClient fails with SSL handshake error.

With default openssl.cnf file, we are able to connect a site with curl or openssl s_client, but a sample console program fails.

Sample program: Works fine in Mac and in a container docker, but fails in Ubuntu 20.04

using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Threading.Tasks;

namespace BugSSL
{
    class Program
    {
        static void Main(string[] args)
        {
            Curl("https://www.boe.es/diario_boe/xml.php?id=BOE-S-20201216");
        }

        static void Curl(string url)
        {
            HttpWebRequest request;
            HttpWebResponse response;

            ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault;

            try
            {
                Console.WriteLine("START-------------------------------------------------");
                Console.WriteLine($"Getting URL ${url}");
                request = WebRequest.CreateHttp(url);
                request.Method = "GET";
                
                request.AllowAutoRedirect = true;
                request.AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip;
                request.Headers.Add(HttpRequestHeader.UserAgent, "SSLBugTest/0.0.0");
                using (response = (HttpWebResponse)request.GetResponse())
                {
                    Console.WriteLine($"Response status: {response.StatusCode} {response.StatusDescription}");
                    Console.WriteLine("Response headers");
                    foreach(string header in response.Headers)
                    {
                        Console.WriteLine($"    {header}: {response.GetResponseHeader(header)}");
                    }
                    Console.WriteLine($"Content-Type: {response.ContentType}");
                    Console.WriteLine($"Content-Length: {response.ContentLength}");
                }

                Console.WriteLine("END---------------------------------------------------");

            }
            catch (Exception e)
            {
                TextWriter stderr = Console.Error;
                stderr.WriteLine($"Error processing {url}. Error: {e.Message}");
                stderr.WriteLine(e.StackTrace);
                while(e.InnerException!=null)
                {
                    e = e.InnerException;
                    Console.WriteLine($"Inner exception: {e.Message}");
                    stderr.WriteLine(e.StackTrace);
                }
            }
        }
    }
}

Expected output:


Getting URL $https://www.boe.es/diario_boe/xml.php?id=BOE-S-20201216
Response status: OK OK
Response headers
    Date: Sun, 20 Dec 2020 18:19:19 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    X-Robots-Tag: noindex
    Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' 'self' ; connect-src 'self' ; img-src 'self' eur-lex.europa.eu data: ; style-src 'unsafe-inline' 'self' *.boe.es ; font-src 'self' ; child-src 'self'  www.youtube.com afirma: ; object-src 'self' ; media-src 'self'
    X-Varnish: 466367739
    Age: 0
    Via: 1.1 varnish-v4
    Transfer-Encoding: chunked
    Accept-Ranges: bytes
    Content-Type: application/xml; charset=utf-8
Content-Type: application/xml; charset=utf-8
Content-Length: -1
END---------------------------------------------------

Current output (exception)

START-------------------------------------------------
Using HttpClient and custom socket (custom SslOptions)
Error processing https://www.boe.es/diario_boe/xml.php?id=BOE-S-20201216. Error: The SSL connection could not be established, see inner exception.
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.SendAsyncCore(HttpRequestMessage request, HttpCompletionOption completionOption, Boolean async, Boolean emitTelemetryStartStop, CancellationToken cancellationToken)
   at BugSSL.Program.Curl2(String url) in /Users/jmalbarran/Projects/BTH/BTH/NC5/BugSSL/BugSSL/Program.cs:line 94
Inner exception: Authentication failed, see inner exception.
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Boolean async, Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
Inner exception: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
Inner exception: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

END---------------------------------------------------

Configuration

$ dotnet --list-sdks
5.0.101 [/usr/share/dotnet/sdk]
$ dotnet --list-runtimes
Microsoft.AspNetCore.App 5.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 5.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
$ openssl version
OpenSSL 1.1.1f  31 Mar 2020
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.1 LTS
Release:	20.04
Codename:	focal

Regression?

Yes, this is a regression. This work fine with Net Core 3.1

Other information

OPENSSL test

$ openssl s_client -connect www.boe.es:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
verify return:1
depth=0 C = ES, postalCode = 28050, ST = Madrid, L = Madrid, street = Avda Manoteras 54, O = Bolet\C3\ADn Oficial del Estado, CN = www.boe.es
verify return:1
---
Certificate chain
 0 s:C = ES, postalCode = 28050, ST = Madrid, L = Madrid, street = Avda Manoteras 54, O = Bolet\C3\ADn Oficial del Estado, CN = www.boe.es
   i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
 1 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
 2 s:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHEzCCBPugAwIBAgIQNhIcMhHtjhL6mLEDddGy0TANBgkqhkiG9w0BAQwFADBE
MQswCQYDVQQGEwJOTDEZMBcGA1UEChMQR0VBTlQgVmVyZW5pZ2luZzEaMBgGA1UE
AxMRR0VBTlQgT1YgUlNBIENBIDQwHhcNMjAwNzEwMDAwMDAwWhcNMjEwNzEwMjM1
OTU5WjCBljELMAkGA1UEBhMCRVMxDjAMBgNVBBETBTI4MDUwMQ8wDQYDVQQIEwZN
YWRyaWQxDzANBgNVBAcTBk1hZHJpZDEaMBgGA1UECRMRQXZkYSBNYW5vdGVyYXMg
NTQxJDAiBgNVBAoMG0JvbGV0w61uIE9maWNpYWwgZGVsIEVzdGFkbzETMBEGA1UE
AxMKd3d3LmJvZS5lczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJx5
XC3jV6x2EXpamd2DT0Ve2hgpIFY9EICg0bprRkKaQlY/wOcnDodhxtu9G1qpF92n
++oaA1CdHj0rwD1wvfo5YHbioqYzU+Xli47nR7MuMCboS1oyw4DkRJu41kF5hNjS
S3dtwFIJxM4M5rh23jPovSoluOMPPMdRDT/PfKwF3++zRey6bnwXspW1k1cwZFDi
hp/baQ2g4l9Bb0n9wvsJmoFWmGcXfeOhiRBApPVWc1a4sY4iBkxQwtkVygfR9Byv
0cJ38/oiwKPZfnwSaQ6m8TlIyeTFLpbukwzawK+/dEY0KI/KdhFOywiXkWWbGpFD
VPusHsbxLIeNcP4tOD8CAwEAAaOCAqwwggKoMB8GA1UdIwQYMBaAFG8dNUkQbDL6
WaCevIroH5W+cXoMMB0GA1UdDgQWBBR/V48Za8M3y9Eh0QkviktFAlKwjzAOBgNV
HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICTzAlMCMGCCsGAQUFBwIB
FhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgIwPwYDVR0fBDgwNjA0
oDKgMIYuaHR0cDovL0dFQU5ULmNybC5zZWN0aWdvLmNvbS9HRUFOVE9WUlNBQ0E0
LmNybDB1BggrBgEFBQcBAQRpMGcwOgYIKwYBBQUHMAKGLmh0dHA6Ly9HRUFOVC5j
cnQuc2VjdGlnby5jb20vR0VBTlRPVlJTQUNBNC5jcnQwKQYIKwYBBQUHMAGGHWh0
dHA6Ly9HRUFOVC5vY3NwLnNlY3RpZ28uY29tMB0GA1UdEQQWMBSCCnd3dy5ib2Uu
ZXOCBmJvZS5lczCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AH0+8viP/4hVaCTC
wMqeUol5K8UOeAl/LmqXaJl+IvDXAAABczeWPS4AAAQDAEgwRgIhAOPLG6mMqqB3
LEqjJC33bh5BLXrNaQbweMitOTxhZzICAiEAtEyM6zAoKwgWJsLSq8t5jv0SYE2m
f8yYnAi3SMZ4b2EAdgCUILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h204vWE2iwgAA
AXM3lj1VAAAEAwBHMEUCIQDoEAt3ru76NoBbpc9J/yRQe63iY2rdZsRTch73Jcsa
GgIgZEAF27vDw7UPmadph+udUgUtDOY4iYATqkzp/tLU1UcwDQYJKoZIhvcNAQEM
BQADggIBABl2lz2mzji5QghUIG09sI6Oku6pa8mtJmRnXrKbhD9Bf+TdLqJGRPC/
O/dTi0HEdOC4r/CrNBe1NDMcj2WdYl6faSdIticioboiFGoaCM3Hvbd6jUeDnN85
KsSRYJU/urumJd04Jc93+SD8+1dCWrVkz3XSa/vAUTzMfpbq9Y0Rba/Ge+jsPmFL
QtYxTp0kWFOlamTjX2aa9XYbgw0RvQhx8KadS5CxGCfEwot+rd78i1JGXBGq5vAG
xJg2dMkiyLeOaM+62sK2hN+HE8VnuxlxjhKSQS+hHFJ/ydda21Th2U2UzkoUE26H
lEGEe9IUYwgh1qZYiLOF2cemHeGD7Lwwx79kei0BHNHV9NgCpOGpvqOvDY/3vyyv
A7Lly3ePxKMM7F2PE1gL52X7eOcdjrgkubGzMTkELip5LbBZD0RFTyDI86W6CJOw
o0mDFGqg3GIHi5/yaP5ic00FmaSBjV0umFaz9Gp+rfuuU5bm6AZamYfa+eFb0XfL
OUezttzdDMC6yECjRtD9hHKKG8qXULjPRdcgLqs+DiV+YkHNQfVqhY1MRFrl7N9x
t5Spw5RKDwdvEQ3LhHJ8hlu5e3l996qVUodJBRZAzOpcXgxP09XQW4uGdmpaDdqz
OAF/4/pvULXbxgE2CzFAuc6/R7wfStmPkyoloP0XYMYcGVRouz2h
-----END CERTIFICATE-----
subject=C = ES, postalCode = 28050, ST = Madrid, L = Madrid, street = Avda Manoteras 54, O = Bolet\C3\ADn Oficial del Estado, CN = www.boe.es

issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4

---
No client certificate CA names sent
---
SSL handshake has read 5335 bytes and written 630 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: B729F1FA713758E64413FE182AAE1AA30F3455D7DD479984B48AD2F4142186B3
    Session-ID-ctx: 
    Master-Key: 1EF606A1967F2932844FE6CE4BC6DE49F639D4ED1D4F4E9AB48300187B2AEEEEF7362F93219258D151F1B9B0E8A9D557
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 7f 9d 6c a3 2f 9d 5d 72-33 39 35 99 08 4d 4e 35   ..l./.]r395..MN5
    0010 - b2 fc 45 94 84 4c 9c 07-ca 9b 2c 33 39 7a 82 f9   ..E..L....,39z..
    0020 - 85 14 a7 9c c0 49 1a 63-c9 06 52 65 b0 41 10 33   .....I.c..Re.A.3
    0030 - e8 b7 6a 31 d0 c8 81 f9-7c 37 53 0c 5f 0a 71 d0   ..j1....|7S._.q.
    0040 - de a6 9a ec c1 50 f3 69-ea df a4 f0 c0 ab e6 fb   .....P.i........
    0050 - cc ba 27 e2 ad 75 c3 a3-9c a2 19 05 6d db 9e dd   ..'..u......m...
    0060 - ea 9c af 6a 77 f5 7e d8-e0 de 4a 1c a6 28 17 00   ...jw.~...J..(..
    0070 - 43 b8 14 f4 c4 65 c2 03-8c 25 2e bc cc 3d be c2   C....e...%...=..
    0080 - 0c d5 97 78 d3 0b 94 50-54 37 e3 12 0d 90 7a 6b   ...x...PT7....zk
    0090 - b9 2c de 02 e1 80 9b b0-c3 c2 ec 2e 9c 29 15 aa   .,...........)..
    00a0 - 3a d5 c5 3a 9a 41 55 54-25 9c c6 6b ee 71 21 e0   :..:.AUT%..k.q!.

    Start Time: 1608488720
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

CURL output

curl -vvv https://www.boe.es/diario_boe/xml.php?id=BOE-S-20201216|more
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 81.89.32.200:443...
* TCP_NODELAY set
* Connected to www.boe.es (81.89.32.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [89 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5013 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=ES; postalCode=28050; ST=Madrid; L=Madrid; street=Avda Manoteras 54; O=Bolet?n Oficial del Estado; CN=www.boe.es
*  start date: Jul 10 00:00:00 2020 GMT
*  expire date: Jul 10 23:59:59 2021 GMT
*  subjectAltName: host "www.boe.es" matched cert's "www.boe.es"
*  issuer: C=NL; O=GEANT Vereniging; CN=GEANT OV RSA CA 4
*  SSL certificate verify ok.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0} [5 bytes data]
> GET /diario_boe/xml.php?id=BOE-S-20201216 HTTP/1.1
> Host: www.boe.es
> User-Agent: curl/7.68.0
> Accept: */*
> 
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 20 Dec 2020 18:26:39 GMT
< Server: Apache
< x-frame-options: SAMEORIGIN
< X-Robots-Tag: noindex
< Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' 'self' ; connect-src 'self' ; img-src 'self' eur-lex.europa.eu data: ; style-src 'unsafe-inline' 'self' *.boe.es ; font-src 'self' ; child-src 'self'  www.youtube.com afirma: ; object-src 'self' ; media-src 'self'
< Content-Type: application/xml; charset=utf-8
< X-Varnish: 479596994
< Age: 0
< Via: 1.1 varnish-v4
< Transfer-Encoding: chunked
< Accept-Ranges: bytes
< 
{ [13884 bytes data]
Author: ClimberBear
Assignees: -
Labels:

area-System.Net.Security, untriaged
Milestone: -

@ChrisIsidora
Copy link

I have had this issue and commented back then on #44191. But still not resolution, we had to revert back to .NET Core 3.1, we tried everything but with no luck.

@ClimberBear
Copy link
Author

I have had this issue and commented back then on #44191. But still not resolution, we had to revert back to .NET Core 3.1, we tried everything but with no luck.

Yes. I have updated the issue report, with more information about the tests I have already done. Please, could you add yours too?

@wfurt
Copy link
Member

wfurt commented Dec 23, 2020

I did what @vcjones suggested on fresh Ubuntu20.04 installation and it works as expected (failing with defaults):

furt@ubu20:~/repro/ssl$ dotnet run
START-------------------------------------------------
Getting URL $https://www.boe.es/diario_boe/xml.php?id=BOE-S-20201216
Response status: OK OK
Response headers
    Date: Wed, 23 Dec 2020 18:30:02 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    X-Robots-Tag: noindex
    Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' 'self' ; connect-src 'self' ; img-src 'self' eur-lex.europa.eu data: ; style-src 'unsafe-inline' 'self' *.boe.es ; font-src 'self' ; child-src 'self'  www.youtube.com afirma: ; object-src 'self' ; media-src 'self'
    X-Varnish: 8167457
    Age: 0
    Via: 1.1 varnish-v4
    Transfer-Encoding: chunked
    Accept-Ranges: bytes
    Content-Type: application/xml; charset=utf-8
Content-Type: application/xml; charset=utf-8
Content-Length: -1
END---------------------------------------------------

From the SSL scan, the site allows only weak ciphers and that is not allowed by default with .NET 5 (documented as breaking change)

I added configuration with default ubuntu20 + change suggested by @vcsjones
openssl.sec1.cnf.txt

I also look again at the config you posted in #44191 @ClimberBear and it is not right e.g. OpenSSL is sensitive to ordering and that is reason why it did not work for you. Here is updated configuration with your original changes.
openssl.modified.cnf.txt

I suspect @ChrisIsidora has same issue e.g. the ordering is not right but it is hard to tell without details. (e.g. actual config and possibly URL)

Aside from modifying system configuration, it should be also possible to use CipherSuitesPolicy to enforce weak ciphers.

@ClimberBear
Copy link
Author

I did what @vcjones suggested on fresh Ubuntu20.04 installation and it works as expected (failing with defaults):
From the SSL scan, the site allows only weak ciphers and that is not allowed by default with .NET 5 (documented as breaking change)

I added configuration with default ubuntu20 + change suggested by @vcsjones
openssl.sec1.cnf.txt

REALLY THANK YOU!!

It worked for me too!

I have still a couple of doubts. When you say openssl is order sensitive, do you mean the order of the cipherstrings in cipherstring attribute, or you mean that CipherString and Ciphersuites has to be below [tls_defaults] section?

Thanks, thanks again!

@ChrisIsidora
Copy link

@wfurt I'm also curious as to what ordering you are referring to. Furthermore I did try the CipherSuitesPolicy back then without any luck.

@wfurt
Copy link
Member

wfurt commented Dec 23, 2020

In the sample @ClimberBear posted in #44191, [openssl_init], [ssl_config] and [tls_defaults] sections are at beginning of the config. All I really did was moving them to the end. There, may be some place in the middle but I know the end works. If exact same lines are in wrong location, the configuration is ignored silently. (and that is reason why I try to guide people to verify changes with Wireshark to see that the config change actually changed the handshake) On the same note, the openssl_conf= must be before any of the [] section AFAIK.

 diff -u openssl.cnf openssl.modified.cnf.txt
--- openssl.cnf	2020-12-23 14:49:20.000000000 -0800
+++ openssl.modified.cnf.txt	2020-12-23 10:40:27.000000000 -0800
@@ -15,18 +15,6 @@
 # CipherString = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES128-SHA256
 openssl_conf = openssl_init

-[openssl_init]
-ssl_conf = ssl_config
-
-[ssl_config]
-system_default = tls_defaults
-
-[tls_defaults]
-CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
-Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
-MinProtocol = TLSv1.2
-
-

 # Extra OBJECT IDENTIFIER info:
 #oid_file		= $ENV::HOME/.oid
@@ -366,3 +354,14 @@
 ess_cert_id_alg		= sha1	# algorithm to compute certificate
 				# identifier (optional, default: sha1)

+[openssl_init]
+ssl_conf = ssl_config
+
+[ssl_config]
+system_default = tls_defaults
+
+[tls_defaults]
+CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
+MinProtocol = TLSv1.2
+

I think the suggestion @vcsjones posted is simples to follow.

It is possible that your server needs different ciphers @ChrisIsidora but I think it is important to verify that your configuration changes are parsed properly. Let me know if that make sense.

@ClimberBear
Copy link
Author

In the sample @ClimberBear posted in #44191, [openssl_init], [ssl_config] and [tls_defaults] sections are at beginning of the config. All I really did was moving them to the end. There, may be some place in the middle but I know the end works. If exact same lines are in wrong location, the configuration is ignored silently. (and that is reason why I try to guide people to verify changes with Wireshark to see that the config change actually changed the handshake) On the same note, the openssl_conf= must be before any of the [] section AFAIK.

Thanks again, @wfurt

The manual is really hard to find and hard to understand. I'll try to do after season holidays
It is here: openssl.cnf manual

Merry Christmas! (if apply)

@ghost ghost locked as resolved and limited conversation to collaborators Jan 23, 2021
@karelz karelz added this to the 6.0.0 milestone Jan 26, 2021
@karelz karelz removed the untriaged New issue has not been triaged by the area owner label Oct 20, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area-System.Net.Security
Projects
None yet
Milestone
6.0.0
Development

No branches or pull requests
6 participants
@vcsjones @karelz @ChrisIsidora @wfurt @ClimberBear @Dotnet-GitSync-Bot