How to ignore SSL validation in .net core 2.1

I am trying to call a web service that is deployed on a Linux Server that has a self-signed certificate from an application developed in .net core and deployed on an IIS server (Windows server 2012).

But when I try to call the endpoint the next error is thrown:

"Message": "The SSL connection could not be established, see inner exception.", "Description": "InnerError : System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> System.ComponentModel.Win32Exception: Mensaje recibido inesperado, o bien su formato es incorrecto\r\n --- End of inner exception stack trace ---\r\n at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)\r\n at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)\r\n at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Net.Security.SslState.ThrowIfExceptional()\r\n at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)\r\n at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)\r\n at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)\r\n at System.Net.Security.SslStream.<>c.b__47_1(IAsyncResult iar)\r\n at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken) | stackTrace : at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)\r\n at System.Threading.Tasks.ValueTask1.get_Result()\r\n at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)\r\n at System.Threading.Tasks.ValueTask1.get_Result()\r\n at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask1 creationTask)\r\n at System.Threading.Tasks.ValueTask1.get_Result()\r\n at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)\r\n at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)\r\n at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)\r\n at ReservasProxy.Data.APIConnection.CallXMLFormDataApiPostAsyc(String body) in C:\gitProjects\ResevasProxy\ReservasProxy\ReservasProxy\Data\APIConnection.cs:line 181\r\n

I already try the next solutions but they didn´t work.

Solution 1 :

          using (var httpClientHandler = new HttpClientHandler())
        {
            httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
            // Make your request...
            //send request
            using (var httpClient = new HttpClient(httpClientHandler))
            {

                var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
                HttpResponseMessage response = await httpClient.PostAsync(_url, content);
                //var res = await response.Content.ReadAsAsync<T>();


            }


        }

Solution 2:

            //send request
        using (var httpClient = new HttpClient())
        {
             ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
            var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
            HttpResponseMessage response = await httpClient.PostAsync(_url, content);

        }

Solution 3: Trying to import the certificate and then make the call but still not working.

const string certPath = @"C:\soaProdcer.cer";    
var handler = new HttpClientHandler
            {
                ClientCertificateOptions = ClientCertificateOption.Manual,
                SslProtocols = System.Security.Authentication.SslProtocols.Tls
            };
            handler.ClientCertificates.Add(new System.Security.Cryptography.X509Certificates.X509Certificate(certPath));

            //send request
            using (var httpClient = new HttpClient(handler))
            {
                var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
                HttpResponseMessage response = await httpClient.PostAsync(_url, content);

            }

I got the certificate using OpenSSL

>openssl s_client -showcerts -connect serversoa:443

No client certificate CA names sent
---
SSL handshake has read 774 bytes and written 493 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 4E0F69C75B8F041101562F7E9B3EA349
    Session-ID-ctx:
    Master-Key: 61A916A9B8AF26281B5F7A0138DF5E4C2A4B83995E0B3FDD2274BAD0D8E3C2B5E98AA7CCB48A6543F6814C2540B18848
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1558979896
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

I imported the certificate into the IIS server into the trusted root certification authorities.

I don't remember exactly the link of Microsoft tell you about this. Your above solutions work well with older asp.net core version. This is my solution with the latest ASP.NET Core that I've implemented for my project. I hope it helps you.

services.AddHttpClient<IYourService, YourService>()
    .ConfigurePrimaryHttpMessageHandler(sp => new HttpClientHandler
    {
        AllowAutoRedirect = false,
        ServerCertificateCustomValidationCallback = (message, certificate2, arg3, arg4) => true,
        SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12
    });

Please also read about HttpClientFactory: https://docs.microsoft.com/en-us/dotnet/standard/microservices-architecture/implement-resilient-applications/use-httpclientfactory-to-implement-resilient-http-requests

Ignoring SSL Certificate Errors On .NET Core On HttpClient, On .NET Core On HttpClient. Written by William Roush on December 20, 2016 at 8:28 pm. Had a certificate expire at 8PM EST tonight on a critical project I was  FYI, after spending many hours on this as well, I updated from .NET core 2.0 to .NET core 2.1 and my issues with self signed certificates disappeared. I think it has to do with the new SocketsHandler they added, but I'm not sure. So getting an identity token from IdentityServer4 with HttpClient and the provided Nuget package now both work.

The error does not indicate a trouble with the certificate CA authority, but rather a response from a server that is not expected for the TLS to be established.

As the author has figured out the client supported 1.2 and the server 1.0 and it caused the trouble.

P.S. I would recommend using only TLS 1.2 if that is the option with browser support that you need to handle. (only old versions do not support 1.2.)

Ignore HTTPS issues with HTTPClient in .NET core, The api is using a self-signed certificate to make it work over https. This would generate some https/ssl errors that would cause my HttpClient not  I'm struggling to get my Windows 8 application to communicate with my test web API over SSL. It seems that HttpClient/HttpClientHandler does not provide and option to ignore untrusted certificates

As Ilya said it wasn´t a problem with the certificate CA authority. The problem was that the client was trying to use a different version of TLS (1.2) The solution was to specify the TLS version.

using (var httpClientHandler = new HttpClientHandler())
            {
                httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return true; };
                httpClientHandler.SslProtocols = System.Security.Authentication.SslProtocols.Tls;
                //send request
                using (var httpClient = new HttpClient(httpClientHandler))
                {
                    var content = new StringContent(body, Encoding.UTF8, "application/soap+xml");
                    HttpResponseMessage response = await httpClient.PostAsync(_url, content);

                }
            }

I used Wireshark to sniffer the traffic and see what was going on...

Client sending hello with version, not supported

The server closing the connection


After finishing the test in my computer and the tests were successful I deploy the application on IIS server. When I started testing my application on the server it started throwing the same exception as before.

Why?

It turned out that the server had deactivated the cipher (RC4) As the next figure shows.

So if you are using Windows like me you just need to check the ciphers that the certificate is using. As I mentioned before the Linux server was using a CR4 cipher in the certificate

Downstream skip SSL/certificate validation per configuration · Issue , Net.Http.CurlException: Peer certificate cannot be authenticated with given CA Next would to test the same on dotnet core 2.1, the release should be #309 allow users to ignore ssl warnings, not sure this is advisable #325. The .NET Core SDK includes an HTTPS development certificate. The certificate is installed as part of the first-run experience. For example, dotnet --info produces a variation of the following output: ASP.NET Core ----- Successfully installed the ASP.NET Core HTTPS Development Certificate.

Disable Certificate Validation Check .net core 2+ · Issue #3324 , Hello Currently I try to call a soap service with .net core and since my server has weak/old certs I try to disable the certificate check. I tried to use:  Next would to test the same on dotnet core 2.1, the release should be close so i think i wait and do the tests with the release instead of a preview. What would also be interessting is to repeat on a different linux. As far as i understood the behavior is based on the cURL build (with or without openssl, etc.) used in the particular distro.

Configure certificate authentication in ASP.NET Core, On Windows, you can add the root certificate to the Certificate Store using NET Core, WPF, UWP, TypeScript, etc. .NET allows you to override the default certificate validation, but many people use it to basically disable the  Possible duplicate of bypass invalid SSL certificate in .net core – Manoj Choudhari Mar 25 '19 at 19:33 @ZorgoZ it would suffice, and I'm connecting to the http port, but it still throws an exception – GoodOldJack12 Mar 25 '19 at 19:33

Custom certificate validation in .NET, NET Core 2.1 which makes local SSL super easy. After installing from -ep|--​export-path Full path to the exported certificate -p|--password  Upvoted because I wasn't looking for an answer relating to ASP.NET Core, and wanted to find an answer about ASP.NET (Framework). Unfortunately, even having set the Enable SSL setting to False, the damn thing keeps trying to open on HTTPS which I don't have set up so this hasn't helped anyway. – Ortund Oct 8 '18 at 22:20

Comments
  • First solution should work, it did for me for sure, more details here: stackoverflow.com/questions/38138952/…. Do you just get the same error? Can you check if the callback is called at all
  • I don't really understand your error message, but using google translate does not indicate this is a CA trust issue. Rather your server is responding in a non-standard way or something
  • But if I change the endpoint to a not secure HTTP it works. The First solution does not work.
  • You were right @IlyaChernomordik I used Wireshark to sniffer the traffic and I realize that the TLS version was wrong. My client was trying to initialize the handshake with TLS 1.2 and the server was closing the connection because it was expecting TLS v1.0
  • Added an answer about it