Intermittent Issue getting error from DLL related to network | SSL/TLS | remote certificate

[codebysree]

Hi Team

I am using Google API's dll to fetch my earning , installstats and some other report using the dll code. It was working fine till 2 week back, suddenly the program started throwing exceptions related to :-

• The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
• The remote certificate is invalid according to the validation procedure.

Google.Apis.Auth.OAuth2.TokenRefreshManager.GetAccessTokenForRequestAsync(CancellationToken cancellationToken) in C:/Apiary/2019-01-31.11-23-48/Src/Support/Google.Apis.Auth/OAuth2/TokenRefreshManager.cs:line 114 at void System.Threading.Tasks.ContinuationResultTaskFromResultTask<TAntecedentResult, TResult>.InnerInvoke() at Task<string> Google.Apis.Auth.OAuth2.TokenRefreshManager.GetAccessTokenForRequestAsync(CancellationToken cancellationToken)+(Task<TokenResponse> task) => { } in C:/Apiary/2019-01-31.11-23-48/Src/Support/Google.Apis.Auth/OAuth2/TokenRefreshManager.cs:line 109 at T Google.Apis.Auth.OAuth2.TokenRefreshManager.ResultWithUnwrappedExceptions<T>(Task<T> task) in C:/Apiary/2019-01-31.11-23-48/Src/Support/Google.Apis.Auth/OAuth2/TokenRefreshManager.cs:line 174 at async Task<TokenResponse> Google.Apis.Auth.OAuth2.TokenRefreshManager.RefreshTokenAsync() in C:/Apiary/2019-01-31.11-23-48/Src/Support/Google.Apis.Auth/OAuth2/TokenRefreshManager.cs:line 129 at async Task<bool> Google.Apis.Auth.OAuth2.ServiceAccountCredential.RequestAccessTokenAsync(CancellationToken taskCancellationToken) in C:/Apiary/2019-01-31.11-23-48/Src/Support/Google.Apis.Auth/OAuth2/ServiceAccountCredential.cs:line 212 at async Task<TokenResponse> Google.Apis.Auth.OAuth2.Requests.TokenRequestExtenstions.ExecuteAsync(TokenRequest request, HttpClient httpClient, string tokenServerUrl, CancellationToken taskCancellationToken, IClock clock) in C:/Apiary/2019-01-31.11-23-48/Src/Support/Google.Apis.Auth/OAuth2/Requests/TokenRequestExtenstions.cs:line 51 at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts) at async Task<HttpResponseMessage> Google.Apis.Http.ConfigurableMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) in C:/Apiary/2019-01-31.11-23-48/Src/Support/Google.Apis.Core/Http/ConfigurableMessageHandler.cs:line 484

We are using :- ServicePointManager.SecurityProtocol = ServicePointManager.SecurityProtocol | SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Not able to find the exact problem, Can you please help to find out what is the actual problem and from where it is occuring?

These are libraries i am using for the same.

[jskeet]

It looks like you're not actually using those versions at runtime, given that the stack trace refers to a version of Google.Api.Core/Google.Apis from January 2019. (I'm surprised at the Google.Api.Gax.Rest part of the stack trace as well.)

Please provide a complete but minimal repro - my guess is that it's something to do with how your dependencies have been specified, but currently we have no information at all about what runtime you're using or what your project files look like.

I'd also say that explicitly specifying Tls11 and Tls12 may well be part of the problem here - as far as I'm aware, those are both obsolete.

Without more information I doubt that we'll be able to help you, but if you can provide a minimal but complete repro, we should be able to make progress.

[codebysree]

We are using .Net Framework 4.6.2 console application.

The issue is very intermittent , it occurs at some occasion only, sometimes it works.

[jskeet]

Okay, that's surprising... but I'm still going to need a minimal repro in order to help further, as at the moment it looks like you're using very old versions of some dependencies, and we can't tell why.

[jskeet]

Sorry, but that's not a complete repro. In particular, the most important part of this is your project file and any assembly binding redirection you've got configured.

I'd really like to have something (a zip file or GitHub repo) where I can fetch the source, build it, amend it as little as is necessary to use a different credential, then see the problem.

(As a side note, if you're just trying to use Storage, I'd strongly recommend using Google.Cloud.Storage.V1 as a much simpler way of accessing the API. It uses Google.Apis.Storage.v1 under the hood.)

[codebysree]

Actually the code was working well last month, since then no changes has been made to project. But suddenly it is getting intermittent error related to TLS/SSL.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Is it possible that its something related to Google.APi ?

[jskeet]

It's entirely possible that you're trying to use a deprecated security protocol, particularly if you're using very old libraries, and that something in the network chain (either Google or potentially a proxy) could have prevented that. But again, until you provide me with a way of reproducing the issue, I can't tell.

[codebysree]

Since we are using the below code, it can take the latest protocol i guess .

ServicePointManager.SecurityProtocol = ServicePointManager.SecurityProtocol | SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

If it was security issue, why does it happen so intermittent.? 😕

[jskeet]

Since we are using the below code, it can take the latest protocol i guess .

Well, I don't know why you'd explicitly specify 3 obsolete protocols. I don't know the impact of that, either. I suspect that ServicePointManager.SecurityProtocol is 0 before, so you're basically saying "only use these obsolete protocols" instead of allowing the system to use the default protocols. I would advise you to remove that code unless you have a very good reason to specify it - or at least also specify SecurityProtocolType.Tls13 as well.

If it was security issue, why does it happen so intermittent.? 😕

I don't know, and I'm completely guessing without a way of reproducing the problem.

[jskeet]

Just wanted to if this issue is something related to google's api or our code ?

I strongly suspect that it's your code, for the reasons I've already said - and that your dependencies aren't up-to-date either, as I've already said. I strongly recommend that you try removing the statement that forces your code to use obsolete security protocols.

But aside from that, we need to have a way of reproducing the issue. Simply adding more comments which don't provide the information we need is not going to help.

[codebysree]

Btw , On our project all the google dependencies are up to date. We cannot find my new update from NUGET.

[jskeet]

Btw , On our project all the google dependencies are up to date.

Then please explain why your stack trace includes C:/Apiary/2019-01-31.11-23-48/Src/Support/Google.Apis.Auth. That looks like it's from Google.Apis.Auth version 1.38.0 (which was released on January 31st 2019). The PDB file for Google.Apis.Auth version 1.38.0 does mention that directory - the PDB file for Google.Apis.Auth version 1.68.0 does not mention that directory.

Please, please, please:

• Try the fix I've already suggested, removing the assignment to ServicePointManager.SecurityProtocol
• If that doesn't work, provide a complete way of reproducing the problem

If there are additional comments which ignore the above, I will close the issue.