dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Docker : OpenSslCryptographicException: error:0A000410:SSL routines::sslv3 alert handshake failure #107172

Closed 1KOD closed 2 weeks ago

1KOD commented 2 weeks ago

I have left no method untried for this problem but to no avail.

A Simple Line of Code

using System.Net.Http;

// Top-level statements; a plain POST with default handler and TLS settings.
var httpClient = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, "https://servis.turkiye.gov.tr/services/g2g/kdgm/test/uetdsesya");
await httpClient.SendAsync(request); // throws OpenSslCryptographicException (sslv3 alert handshake failure) in the aspnet:8.0 container

Screen Recording: devenv_Ogvnx4QAw7 (attachment not reproduced)

My program is going live and I need urgent help. Thanks to everyone in advance.

rzikm commented 2 weeks ago

This seems to be the same issue as in https://github.com/dotnet/runtime/issues/98797

The server supports only weak RSA key exchange, see e.g. SSL Labs https://www.ssllabs.com/ssltest/analyze.html?d=servis.turkiye.gov.tr


In the aspnet:8.0 Docker image, no explicit default for cipher suites is configured in /etc/ssl/openssl.cnf, therefore, .NET applies a rather opinionated strict default which only allows ECDHE key exchange, so client and server have no common cipher suite to communicate with.

You can work around this by either

copying the config from aspnet:7.0 (where the default config explicitly specifies some ciphers) by adding this to the Dockerfile

COPY --from=mcr.microsoft.com/dotnet/aspnet:7.0 /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf

Or modify the openssl.cnf, following addition should make it work

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=2
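
Both workarounds above lower the OpenSSL default for every TLS connection the container makes, so every HttpClient in the process silently accepts non-forward-secret RSA key exchange. The following added example (not code from the issue or from dotnet/runtime) keeps the relaxation scoped to one client by setting SslClientAuthenticationOptions.CipherSuitesPolicy on a SocketsHttpHandler; an explicit policy replaces the built-in restrictive default that .NET applies on Linux when openssl.cnf sets no CipherString. The URL is the one from the issue; the particular TLS_RSA_* suites listed are an assumption about what this server accepts (the SSL Labs screenshot is not reproduced here), and the container's OpenSSL security level is left untouched.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Threading.Tasks;

// Added example, not code from the issue. The weaker suites are enabled only
// for the HttpClient built here, not for the whole container.
static class LegacyTlsClient
{
    // Forward-secret suites first, so any server that supports them gets them.
    static readonly TlsCipherSuite[] PreferredSuites =
    {
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    };

    // Static RSA key exchange: no forward secrecy. Appended last, and only for
    // a peer that offers nothing better. Which of these the target server
    // actually accepts is an assumption; check it against the SSL Labs report.
    static readonly TlsCipherSuite[] LegacyRsaSuites =
    {
        TlsCipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256,
    };

    public static HttpClient Create(bool allowRsaKeyExchange)
    {
        var suites = allowRsaKeyExchange
            ? PreferredSuites.Concat(LegacyRsaSuites)
            : PreferredSuites.AsEnumerable();

        var handler = new SocketsHttpHandler
        {
            SslOptions = new SslClientAuthenticationOptions
            {
                // TLS 1.2 only: the RSA suites above do not exist in TLS 1.3,
                // and TLS 1.0/1.1 stay disabled.
                EnabledSslProtocols = SslProtocols.Tls12,
                // CipherSuitesPolicy is honoured on Linux (OpenSSL) and macOS;
                // on Windows it throws PlatformNotSupportedException, so leave
                // the platform default there.
                CipherSuitesPolicy = OperatingSystem.IsWindows()
                    ? null
                    : new CipherSuitesPolicy(suites),
            },
        };
        return new HttpClient(handler);
    }
}

class Program
{
    static async Task Main()
    {
        // With allowRsaKeyExchange: false the handshake fails exactly as in the
        // issue; with true it completes against a server that only offers RSA
        // key exchange. (Network call, so nothing is asserted here.)
        using var client = LegacyTlsClient.Create(allowRsaKeyExchange: true);
        var request = new HttpRequestMessage(HttpMethod.Post,
            "https://servis.turkiye.gov.tr/services/g2g/kdgm/test/uetdsesya");
        var response = await client.SendAsync(request);
        Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase}");
    }
}
```

Before shipping such a client, confirm the server really offers no ECDHE suite, for example with openssl s_client -connect servis.turkiye.gov.tr:443 -tls1_2 -cipher ECDHE, which fails the handshake when the server has only RSA key exchange; if that command succeeds, the RSA suites are not needed and the default .NET policy should stay in place.
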

1KOD commented 2 weeks ago

Thank you very much, it helped me.