| Author | maxarm |
|---|---|
| Assignees | - |
| Labels | `area-System.Net.Http`, `untriaged` |
| Milestone | - |
Open maxarm opened 2 years ago
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.
Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones See info in area-owners.md if you want to be subscribed.
| Author | maxarm |
|---|---|
| Assignees | - |
| Labels | `area-System.Security`, `untriaged` |
| Milestone | - |
What is your intermediate and root certificate?
The intermediate is the 4th in the above list, the root is the 3rd in the above list, and the 1st and 2nd are equal (redundant?) and are the server certificates.
@wfurt, did you have any time to investigate further? Or any workaround ideas?
I tried again with a new docker image with .net 6.0.7 instead of 6.0.6. However, still received the error "tlsv1 alert unknown ca". One difference compared to 6.0.6 however was that now the ChainBuild.Status was true instead of false.
Sorry for the delay @maxarm, is this still problematic for you? Is there any chance you can try 8.0? There is now an API that allows you to specify the intermediates explicitly (and it is more reliable and performant).
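The following is an added example, not code from the issue author or from dotnet/runtime. It shows the two things this thread revolves around: running `X509Chain.Build` over a leaf loaded from a PEM file with its intermediate (the check the issue reports `ChainBuild.Status` from), and then handing the leaf plus intermediates to the TLS client explicitly through the .NET 8 `SslStreamCertificateContext` / `SslClientAuthenticationOptions.ClientCertificateContext` API the maintainer refers to, instead of relying on a chain build inside the handshake. The file paths and the server URL are hypothetical placeholders, and the example assumes the PEM file lists the leaf first and that its private key is in a separate PKCS#8 PEM file.

```csharp
// Added example (not the issue author's code and not dotnet/runtime code).
// Requires .NET 8 or later for SslClientAuthenticationOptions.ClientCertificateContext.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class MtlsClient
{
    // Hypothetical paths: client.pem holds the leaf certificate first and then
    // the intermediate(s); client.key holds the leaf's private key (PKCS#8 PEM).
    const string CertPath = "/certs/client.pem";
    const string KeyPath  = "/certs/client.key";
    // Hypothetical mTLS endpoint.
    const string ServerUrl = "https://mtls.example.test/";

    static async Task Main()
    {
        // Leaf with its private key: the first CERTIFICATE block in the PEM file.
        using X509Certificate2 leaf = X509Certificate2.CreateFromPemFile(CertPath, KeyPath);

        // Every certificate in the PEM file, minus the leaf itself (the PEM may
        // even contain the leaf twice, so filter by thumbprint rather than Remove()).
        var all = new X509Certificate2Collection();
        all.ImportFromPemFile(CertPath);
        var intermediates = new X509Certificate2Collection();
        foreach (X509Certificate2 c in all)
        {
            if (c.Thumbprint != leaf.Thumbprint)
                intermediates.Add(c);
        }

        // Diagnostic: what X509Chain.Build can see for this leaf. ExtraStore lets
        // the chain engine use the intermediate from the file; the root is expected
        // in the container trust store (update-ca-certificates).
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.ExtraStore.AddRange(intermediates);
        bool built = chain.Build(leaf);
        Console.WriteLine($"ChainBuild.Status={built}, elements={chain.ChainElements.Count}");
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine($"  {s.Status}: {s.StatusInformation}");

        // .NET 8: give the TLS stack the leaf and the intermediates explicitly so the
        // handshake sends the full chain regardless of what a runtime chain build finds.
        // offline: true means no AIA fetching while the context is created.
        var handler = new SocketsHttpHandler();
        handler.SslOptions.ClientCertificateContext =
            SslStreamCertificateContext.Create(leaf, intermediates, offline: true);

        using var client = new HttpClient(handler);
        using HttpResponseMessage response = await client.GetAsync(ServerUrl);
        Console.WriteLine($"HTTP {(int)response.StatusCode}");
    }
}
```

The diagnostic part mirrors the check reported in the issue: if `Build` returns false, the printed `ChainStatus` entries say why (for example `PartialChain` when the intermediate is not reachable or `UntrustedRoot` when the root is not in the container trust store). With `ClientCertificateContext` set, the client presents the leaf and the supplied intermediates on the wire, which is what Wireshark should show on the Certificate message from the client; with the older `HttpClientHandler.ClientCertificates` route the runtime has to discover the intermediates itself, which is the behaviour the thread is about.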
Description
I am trying to establish a communication from our client to a server using mTLS and therefore send certificates from the client to the server. The server expects 2 certs (1 leaf + 1 intermediate) and I'm using the HttpClientHandler to send the certificates from a PEM file. This worked until .NET 5.0.14, but stopped working with .NET 5.0.15 and does not work with any .NET 6.0.x version. I can see in Wireshark that only the leaf certificate is written on the wire for .NET 6.0.x. For .NET 5.0.15 and later, not even a single mTLS handshake entry is visible in Wireshark.
Platform - Linux Container
This issue is hindering our migration to .NET 6.
Expected behavior
Client sends the leaf and intermediate certificate to the server and client/server communication works.
Actual behavior
The actual behavior was logged with Wireshark.
mcr.microsoft.com/dotnet/runtime:5.0.14
The client sends the leaf and intermediate certificate to the server when running in the Docker container, and hence the communication works.
mcr.microsoft.com/dotnet/runtime:6.0.x
The client sends only the leaf certificate, but no intermediate, to the server when running in the Docker container, resulting in an Unknown CA TLS error.
mcr.microsoft.com/dotnet/runtime:5.0.17
The client performs no mTLS handshake at all when running in the Docker container, resulting in failing communication.
Additional information
The certificates in the PEM file are installed in the Docker container using update-ca-certificates.
The .NET 5.0.14 container runs "OpenSSL 1.1.1d 10 Sep 2019", whereas the .NET 5.0.15 / .NET 6.0.x containers run "OpenSSL 1.1.1n 15 Mar 2022".
Executing the following curl command works in each of the 3 containers, performs a proper handshake and receives the response:
Without the --insecure switch, the following error is logged in all 3 containers:
The client code is:
.NET 5.0.14: X509Chain.Build(cert) results in:
.NET 5.0.17 / .NET 6.0.x: X509Chain.Build(cert) results in:
.NET 6.0.6 exception:
.NET 5.0.17 exception:
Certificates of PEM file