SteeltoeOSS / Steeltoe

.NET Components for Externalized Configuration, Database Connectors, Service Discovery, Logging and Distributed Tracing, Application Management, Security, and more.
https://steeltoe.io
Apache License 2.0

ValidateCertificates=false no longer works in V3.2.0 or V3.2.1, however it works in V3.1.3 #1074

Closed angusmillar closed 2 weeks ago

angusmillar commented 1 year ago

Hi Guys, excellent library and super useful for us.

We are running V3.1.3 of Steeltoe.Extensions.Configuration.ConfigServerCore, without issue.

However, as soon as we upgrade to V3.2.0, or even the latest V3.2.1, we encounter the following application exception (see below) on startup.

It appears the library is attempting to validate our config server's certificate even though we have explicitly configured it not to, using the ValidateCertificates=false Steeltoe configuration property.

Here is our appsettings.json section with this config.

"spring": {
    "application": {
      "name": "Sonic.Orders.HL7.InboundOrderService"
    },
    "cloud": {
      "config": {
        "enabled": true,
        "uri": "[Removed for security privacy]",
        "validateCertificates": false,
        "username": "root",
        "password": "[Removed for security privacy]",
        "failFast": true
      }
    }
  },

Environment:

Logging seen in working version V3.1.3 on startup:

2022-12-09 12:59:39.274 +10:00 [INF] Fetching config from server at: https://[Removed for security privacy]
2022-12-09 12:59:40.373 +10:00 [INF] Located environment: Sonic.Orders.HL7.InboundOrderService, ["uat"], null, null, null

The Exception that is thrown when using V3.2.0 or V3.2.1:

Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerException: Could not locate PropertySource, fail fast property is set, failing
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerConfigurationProvider.RemoteLoadAsync(String requestUri)
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerConfigurationProvider.DoLoad(Boolean updateDictionary)
   --- End of inner exception stack trace ---
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerConfigurationProvider.DoLoad(Boolean updateDictionary)
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerConfigurationProvider.LoadInternal(Boolean updateDictionary)
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationManager.AddSource(IConfigurationSource source)
   at Microsoft.Extensions.Configuration.ConfigurationManager.Microsoft.Extensions.Configuration.IConfigurationBuilder.Add(IConfigurationSource source)
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerConfigurationBuilderExtensions.AddConfigServer(IConfigurationBuilder configurationBuilder, ConfigServerClientSettings defaultSettings, ILoggerFactory logFactory)
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerConfigurationBuilderExtensionsCore.DoAddConfigServer(IConfigurationBuilder configurationBuilder, String applicationName, String environmentName, ILoggerFactory logFactory)
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerConfigurationBuilderExtensionsCore.AddConfigServer(IConfigurationBuilder configurationBuilder, IHostEnvironment environment, ILoggerFactory logFactory)
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerHostBuilderExtensions.<>c__DisplayClass1_0.<AddConfigServer>b__0(HostBuilderContext context, IConfigurationBuilder config)
   at Microsoft.AspNetCore.Builder.ConfigureHostBuilder.ConfigureAppConfiguration(Action`2 configureDelegate)
   at Steeltoe.Extensions.Configuration.ConfigServer.ConfigServerHostBuilderExtensions.AddConfigServer(IHostBuilder hostBuilder, ILoggerFactory loggerFactory)
   at Program.<Main>$(String[] args) in C:\Repos\Sonic.ConfigServerExample\Sonic.ConfigServerExample.Api\Program.cs:line 17

Thanks for considering guys.
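The two flags in the exception above, RemoteCertificateNameMismatch and RemoteCertificateChainErrors, are the .NET TLS client reporting that the config server's certificate neither matches the host in the configured uri nor chains to a trusted root. The following is an added example, not code from this issue and not Steeltoe's implementation of ValidateCertificates: a plain HttpClientHandler showing what an accept-everything validator amounts to, next to a hardened validator that keeps the hostname check and trusts a private root CA instead. The class name ConfigServerHttpClientFactory, the privateRoot parameter and the choice of X509RevocationMode.NoCheck are assumptions made for the example.

```csharp
// Added example (not Steeltoe code): what disabling certificate validation on a
// .NET HttpClient means, and a safer way to make a private-CA config server trusted.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ConfigServerHttpClientFactory
{
    // WEAK: the effect of switching validation off. Every certificate (wrong name,
    // self-signed, expired, attacker-issued) is accepted, so the connection that
    // fetches credentials from the config server can be intercepted on the path.
    public static HttpClient CreateInsecure()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
        };
        return new HttpClient(handler);
    }

    // HARDENED: validation stays on, but the chain is built against the
    // organisation's private root (assumed parameter) instead of the machine store.
    public static HttpClient CreateWithPrivateRoot(X509Certificate2 privateRoot)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => Validate(cert, privateRoot, errors)
        };
        return new HttpClient(handler);
    }

    // Decision logic kept separate so it can be unit-tested without a network.
    public static bool Validate(X509Certificate2? cert, X509Certificate2 privateRoot,
                                SslPolicyErrors errors)
    {
        if (cert is null) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;

        // Never waive a name mismatch: it means the certificate was issued for a
        // different host than the one in spring:cloud:config:uri. Fix the uri or
        // the server certificate's SAN rather than ignoring it.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;

        // RemoteCertificateChainErrors is the only error we handle ourselves:
        // rebuild the chain with the private root as the sole trust anchor.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(privateRoot);
        // Assumption for the example: the private CA publishes no CRL/OCSP.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(cert)) return false;

        // Belt and braces: confirm the chain really ends at our root.
        var anchor = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(anchor.Thumbprint, privateRoot.Thumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Usage: load the private root once (for example `new X509Certificate2("/etc/ssl/private-root.crt")`) and pass it to CreateWithPrivateRoot. Whether a Steeltoe provider can be given such a handler is not shown on this page; the point of the example is the distinction between the two callbacks. A name mismatch is the one error an accept-all validator should never be used to silence, because it is exactly what a redirected or intercepted connection looks like, and the config server is the source of the application's credentials.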

TimHess commented 1 year ago

Hi @angusmillar, thanks for the bug report

We haven't had a chance to look into the certificate validation piece yet, but there is a bug with logging in here that is fixed for 3.2.2, which should ship soon; or you can pull from the dev feed if you'd like to see more logging from 3.2.

You can use the dev feed with a nuget.config that looks something like this:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="SteeltoeDev" value="https://pkgs.dev.azure.com/dotnet/Steeltoe/_packaging/dev/nuget/v3/index.json" />
    <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>

douggish commented 11 months ago

I think this might be related to #1178

bart-vmware commented 2 weeks ago

The implementation of certificate validation (and turning it off) has been heavily refactored in the main branch, which contains the upcoming Steeltoe v4.x. We now have tests for ValidateCertificates=false, so I think this has been fixed.

Please open a new issue if you're still experiencing this when running against the main branch.