dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

[CommandLineTools] Blazor server template example doesn't load in FF due to MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT / SEC_ERROR_INADEQUATE_KEY_USAGE #16614

Closed mrtristan closed 4 years ago

mrtristan commented 4 years ago

win10 1903 build 18362

I'm observing this in a fresh dotnet new blazorserver on Firefox Dev Edition but not Chrome. Not in a corporate environment and not on an upgraded machine (Win10 Pro for Workstations from machine inception).

Chrome: works fine.
Firefox standard: "bypassable" error in that you can go "advanced" and proceed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
Firefox Dev Edition: can't get past it. Error code: SEC_ERROR_INADEQUATE_KEY_USAGE

Output from Get-TlsCipherSuite | Format-Table Name:

TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA
TLS_PSK_WITH_AES_256_GCM_SHA384
TLS_PSK_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_CBC_SHA384
TLS_PSK_WITH_AES_128_CBC_SHA256
TLS_PSK_WITH_NULL_SHA384
TLS_PSK_WITH_NULL_SHA256

dotnet --info:

.NET Core SDK (reflecting any global.json):
 Version:   3.1.100-preview1-014459
 Commit:    ac3b59712d

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18362
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\3.1.100-preview1-014459\

Host (useful for support):
  Version: 3.1.0-preview1.19506.1
  Commit:  bbf5542781

.NET Core SDKs installed:
  3.0.100 [C:\Program Files\dotnet\sdk]
  3.1.100-preview1-014459 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.0-preview1.19508.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.0-preview1.19506.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.0-preview1.19506.1 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Tried:

dotnet dev-certs https --clean
dotnet dev-certs https --trust

Related at some level: https://github.com/aspnet/AspNetCore/issues/15123

javiercn commented 4 years ago

@mrtristan thanks for contacting us.

@anurse You've been handling some of these, aren't you?

analogrelay commented 4 years ago

Yep, and I asked @mrtristan to file a new bug for this issue. I'll put this in servers as well and we can help investigate further.

mrtristan commented 4 years ago

@jkotalik is that more-info-needed to me?

jkotalik commented 4 years ago

Apologies, misread the issue. Didn't realize this was forked from another thread.

@anurse has investigated these issues in the past. I'll let him follow up.

analogrelay commented 4 years ago

What version of Firefox are you on? If you aren't already, can you try this on Firefox 71? There was a similar looking bug (https://github.com/aspnet/AspNetCore/issues/14528) that turned out to be a Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1570222

If it's still not working on Firefox 71, can you provide a network trace using a tool like Wireshark? The trace will contain all network traffic on your machine during the run so I'd suggest sharing it privately. You can email me at [my github username]@microsoft.com to share the trace (you may need to upload it to a file store like OneDrive/Dropbox/etc. if it's large).

Essentially what I want to look at is the TLS handshake and which cipher suite it ends up negotiating. Usually this issue occurs because the TLS handshake ended up negotiating a cipher suite that HTTP/2 explicitly disallows.
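
The comment above points at the HTTP/2 rule (RFC 7540 section 9.2.2: ephemeral key exchange plus an AEAD cipher) and the reporter posted the machine's Get-TlsCipherSuite list earlier in the thread. The script below is an added example, not code from the thread or the ASP.NET Core project: it parses that Format-Table output and says, for each suite, whether an HTTP/2 peer would accept it and if not why. The sample input is a constructed subset of the reporter's list, and the check implements the section 9.2.2 rule rather than copying the Appendix A blacklist verbatim.

```python
# Constructed sample: a subset of the reporter's Get-TlsCipherSuite | Format-Table Name output
# (header and ruler line included, as PowerShell prints them).
SAMPLE_OUTPUT = """\
Name
----
TLS_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_NULL_SHA
"""

EPHEMERAL_KX = ("ECDHE_", "DHE_")                      # forward-secret key exchange
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")  # AEAD cipher families


def parse_suites(text):
    """Pull the suite names out of Format-Table output, skipping the header and ruler."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("TLS_")]


def why_disallowed(suite):
    """Return None if the suite satisfies RFC 7540 section 9.2.2, else the reason it fails.

    Rule (not a copy of the Appendix A list): ephemeral key exchange plus an AEAD cipher.
    TLS 1.3 names carry no key-exchange part because TLS 1.3 is always ephemeral.
    """
    if "_WITH_" not in suite:                   # TLS 1.3 style, e.g. TLS_AES_128_GCM_SHA256
        kx, cipher = None, suite[len("TLS_"):]
    else:
        kx, _, cipher = suite.partition("_WITH_")
        kx = kx[len("TLS_"):]
    if kx is not None and not kx.startswith(EPHEMERAL_KX):
        return f"non-ephemeral key exchange ({kx})"
    if not any(m in "_" + cipher for m in AEAD_MARKERS):
        return f"non-AEAD cipher ({cipher})"
    return None


def classify(text):
    """Split Get-TlsCipherSuite output into HTTP/2-usable suites and (suite, reason) rejects."""
    ok, rejected = [], []
    for s in parse_suites(text):
        reason = why_disallowed(s)
        (ok.append(s) if reason is None else rejected.append((s, reason)))
    return ok, rejected


if __name__ == "__main__":
    good, bad = classify(SAMPLE_OUTPUT)
    print("HTTP/2-compatible:", *good, sep="\n  ")
    print("rejected:", *(f"{s}: {r}" for s, r in bad), sep="\n  ")
```

Run against the full list from the thread, only the two TLS 1.3 suites and the six ECDHE/DHE GCM suites pass; every CBC, NULL, 3DES, static-RSA and PSK suite is rejected, which is the set a handshake must not land on for HTTP/2 to work.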

mrtristan commented 4 years ago

@anurse for whatever it's worth, I received an update to the Developer Edition of FF since this issue was opened. Dev Edition now works fine, but regular FF reports MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT.

Latest Dev Edition is 71.0b7, latest regular FF is 70.0.1.

I'd be fine closing this and saying FF is moving in the right direction, but if you'd like data on the standard FF version I'd be happy to go the Wireshark route.

analogrelay commented 4 years ago

It sounds like it's the Firefox bug then. I'll close this. If this reoccurs after the Firefox 71 update, let us know and we can revisit!