alexrainman / ModernHttpClient

MIT License

Unable to connect to server on localhost using self-signed cert #69

Closed tbaggett closed 3 years ago

tbaggett commented 4 years ago

Hey Alex, thanks again for a rock-solid package. It has been working great in our app for almost a year now!

I need to work on the API that our mobile app interacts with, so I've set up the server project on my dev machine, a Mac running Visual Studio for Mac on MacOS Catalina 10.15.5.

The API project is ASP.Net Core 2.11-based, running on https://localhost:5001. It is using the self-signed dev certificate generated by ASP.Net Core.

When I launch the API project, the initial page loads as expected in the browser and the certificate is shown as being valid in both Chrome and Safari.


However, I get errors when I try to connect to it from the mobile app running in the iOS Simulator. I added "DangerousAcceptAnyServerCertificateValidator = true" to the TLSConfig initialization but it made no difference.

We're using the latest modernhttpclient-updated release, v3.4.3. Do you have any suggestions of additional steps needed to get the connection to work?

On the app side, I see these errors in the output:

ATS failed system trust
Connection 7: system TLS Trust evaluation failed(-9802)
Connection 7: TLS Trust encountered error 3:-9802
Connection 7: encountered error(3:-9802)
HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x7f8b3cb9b000) s: localhost i: localhost>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://localhost:5001/, NSErrorFailingURLStringKey=https://localhost:5001/, NSUnderlyingError=0x600002f8c8a0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600001359f80>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=( "<cert(0x7f8b3cb9b000) s: localhost i: localhost>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask .<4>" ), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask .<4>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600001359f80>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}

On the server side, I see:

dbug: HttpsConnectionAdapter[1]
      Failed to authenticate HTTPS connection.
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslState.ThrowIfExceptional()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.b__51_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization)

Thanks so much!

alexrainman commented 3 years ago

Sorry for the delayed response. Please take a look at this: https://github.com/alexrainman/ModernHttpClient#dangerous-zone

tbaggett commented 3 years ago

Hi Alex, thanks for getting back to me. No worries about the delayed response. I'm just now getting to circle back around to this after you replied.

I already had DangerousAcceptAnyServerCertificateValidator set to true in my TLSConfig initialization. I verified it is set as expected after the HttpClientHandler is initialized.

Do you have any other suggestions of how to address this? Thanks again.


I changed my API localhost port from 5001 to 5010 since my original question, but otherwise the info remains the same as in my original question. I'm using the latest version of your package, 3.4.3. Here's the app's iOS error messaging:

2020-11-10 12:47:24.078899-0600 [27703:1600518] ATS failed system trust
2020-11-10 12:47:24.079048-0600 [27703:1600518] Connection 5: system TLS Trust evaluation failed(-9802)
2020-11-10 12:47:24.079192-0600 [27703:1600518] Connection 5: TLS Trust encountered error 3:-9802
2020-11-10 12:47:24.079299-0600 [27703:1600518] Connection 5: encountered error(3:-9802)
2020-11-10 12:47:24.080467-0600 [27703:1600518] Task <0BC597E1-3102-42BE-A4FC-478AE42F88FF>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
2020-11-10 12:47:24.084392-0600 [27703:1600518] Task <0BC597E1-3102-42BE-A4FC-478AE42F88FF>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x7fa8ef05ca00) s: localhost i: localhost>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://localhost:5010/.well-known/openid-configuration, NSErrorFailingURLStringKey=https://localhost:5010/.well-known/openid-configuration, NSUnderlyingError=0x6000002f0ea0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600003fe47e0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=( "<cert(0x7fa8ef05ca00) s: localhost i: localhost>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <0BC597E1-3102-42BE-A4FC-478AE42F88FF>.<1>" ), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <0BC597E1-3102-42BE-A4FC-478AE42F88FF>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600003fe47e0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
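
A triage helper for the iOS console output quoted in this thread, added here as an example; it is not code from the thread or from ModernHttpClient. The function and field names are hypothetical, the sample log is a constructed, abridged copy of the quoted format, and "subject equals issuer" is only a heuristic for a self-signed certificate because the log prints summaries rather than the certificate itself.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: abridged lines in the format of the iOS log quoted in this thread.
SAMPLE_LOG = '''\
2020-11-10 12:47:24.078899-0600 [27703:1600518] ATS failed system trust
2020-11-10 12:47:24.079048-0600 [27703:1600518] Connection 5: system TLS Trust evaluation failed(-9802)
2020-11-10 12:47:24.084392-0600 [27703:1600518] Task <T>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x7fa8ef05ca00) s: localhost i: localhost>" ), NSErrorFailingURLKey=https://localhost:5010/.well-known/openid-configuration, _kCFStreamErrorCodeKey=-9802}
'''

# Apple's names for the two codes that appear in the thread's log.
CODE_NAMES = {-1200: "NSURLErrorSecureConnectionFailed", -9802: "errSSLFatalAlert"}

CERT_RE = re.compile(r'<cert\(0x[0-9a-f]+\) s: (.+?) i: (.+?)>')
URL_RE = re.compile(r'NSErrorFailingURLKey=([^,\s}]+)')
NSURL_RE = re.compile(r'Error Domain=NSURLErrorDomain Code=(-?\d+)')
STREAM_RE = re.compile(r'_kCFStreamErrorCodeKey=(-?\d+)')

def _first_int(pattern, log):
    m = pattern.search(log)
    return int(m.group(1)) if m else None

def triage(log):
    """Summarise a failed NSURLSession TLS load from its console output."""
    # (subject, issuer) summaries; the chain is printed under several keys, so de-duplicate.
    chain = list(dict.fromkeys(CERT_RE.findall(log)))
    url = URL_RE.search(log)
    host = urlsplit(url.group(1)).hostname if url else None
    nsurl, stream = _first_int(NSURL_RE, log), _first_int(STREAM_RE, log)
    leaf = chain[0] if chain else None
    return {
        "failing_host": host,
        "nsurl_code": nsurl,
        "stream_code": stream,
        "code_names": [CODE_NAMES.get(c) for c in (nsurl, stream)],
        # True when the OS trust evaluation itself rejected the chain.
        "ats_trust_failure": "ATS failed system trust" in log,
        "chain": chain,
        # Heuristic: a leaf whose issuer summary equals its subject summary.
        "self_issued_leaf": leaf is not None and leaf[0] == leaf[1],
        "leaf_matches_host": leaf is not None and leaf[0] == host,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
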

tbaggett commented 3 years ago

Another small update - this is working as expected on Android using the Android emulator, although I do have to set the IP address as "10.0.2.2:5010" instead of "localhost:5010", but that is expected.