Open xiaoyuvax opened 3 years ago
bartonjs
commented
3 years ago Are you perhaps using a DSA server certificate (integer DSA, not ECDSA)? In 5.0 our default supported ciphersuites changed (https://docs.microsoft.com/en-us/dotnet/core/compatibility/cryptography#default-tls-cipher-suites-for-net-on-linux) and only RSA and ECDSA-based server identity certificates are supported with this default list.
xiaoyuvax
commented
3 years ago I used a RSA 1024bits public Key for the server certificate , according to your comment, RSA is still supported? Sslstreams from later requests can still be established after every initial connection throwing this certificate unknown exception, i guess it was thrown in the initial negotiation process, and openssl allowed it pass somehow,as suggests my certificate survived the certificate check somehow. Anyway that exception is annoying, and i also feel the initial request takes longer (to negotiate) than in core 3.x.
SslStream throws OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
I wrote a simple http server with SslStream which works fine under .net core 3.1, but throws this OpenSslCryptographicException since i've upgraded to .net5.
public SslProtocols AllowedSslProtocols { get; set; } = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11;---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown --- End of inner exception stack trace --- at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan
1 input, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions) --- End of inner exception stack trace --- at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm) at System.Net.Security.SslStream.ProcessAuthentication(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken) at System.Net.Security.SslStream.AuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions) at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation) at NHttp.HttpClient..ctor(HttpServer server, TcpClient client) 20-11-17_17:49:51[Debug]HttpClient:System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown --- End of inner exception stack trace --- at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan1 input, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions) --- End of inner exception stack trace --- at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm) at System.Net.Security.SslStream.ProcessAuthentication(Boolean isAsync, Boolean isApm, CancellationToken cancellationToken) at System.Net.Security.SslStream.AuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions) at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)I've found this link concerning SslStream breaking changes: https://docs.microsoft.com/en-us/dotnet/core/compatibility/cryptography but didn't get a clue.