microsoft / service-fabric

Service Fabric is a distributed systems platform for packaging, deploying, and managing stateless and stateful distributed applications and containers at large scale.
https://docs.microsoft.com/en-us/azure/service-fabric/
MIT License

SSL error when upgrading to .NET core 3.1 #1026

Open jfalameda opened 4 years ago

jfalameda commented 4 years ago

Hi,

We are using .NET core on an API gateway in combination with service fabric. As a result of upgrading .NET core from 2.0 to 3.1, https has stopped working.

This is an extract of a CURL call displaying the error:

Any ideas?

OS: Windows Server 2016

Service fabric:

<PackageReference Include="Microsoft.ServiceFabric" Version="6.2.283" />
<PackageReference Include="Microsoft.ServiceFabric.AspNetCore.Kestrel" Version="3.1.283" />
<PackageReference Include="Microsoft.ServiceFabric.Data" Version="3.1.283" />
<PackageReference Include="Microsoft.ServiceFabric.Services" Version="3.1.283" />
<PackageReference Include="Microsoft.ServiceFabric.Services.Remoting" Version="3.1.283" />

Thanks, José.

jfalameda commented 4 years ago

I noticed the content was served as HTTP despite the HTTPS initialization. I forced .NET to use TLSv1.2 and it worked on a single node. Now the problem I am facing is that in production only about 1 out of 5 times (approx.) I get a response through HTTPS; the rest are just plain HTTP responses. This is very confusing. I am starting to think that this could be a Service Fabric issue.

These are my configuration changes:

I added

var endpointDesc = serviceContext.CodePackageActivationContext.GetEndpoint(endpoint);

// Added to enforce TLSv1.2
opt.ConfigureHttpsDefaults(listenOptions =>
{
    listenOptions.SslProtocols = SslProtocols.Tls12;
});

switch (endpointDesc.Protocol)
{
    case EndpointProtocol.Http:
        opt.Listen(IPAddress.Any, endpointDesc.Port);
        break;
    case EndpointProtocol.Https:
        opt.Listen(IPAddress.Any, endpointDesc.Port, async listenOptions =>
        {
            try
            {
                var cert = await CertificateManager.GetCertificate(
                    "*****",
                    string.Empty
                );

                listenOptions.UseHttps(cert);
            }
            catch
            {
                // TODO: Add logs
            }
        });
        break;
    default:
        throw new ArgumentOutOfRangeException();
}

// Added as NoDelay property has been deprecated on .NET core 3.1
.UseSockets(x =>
{
    x.NoDelay = true;
});

Cluster version: 7.1.456.9590

Managed cluster on Azure running on Windows 2016.

Update: Forcing it to use TLSv1.2 just makes it work sometimes, even on a single node. So I suspect this is not a solution and that it was a coincidence it started working.
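
Added example, not part of the original comment and not Service Fabric's own code: `KestrelServerOptions.Listen` takes an `Action<ListenOptions>`, so the `async` lambda in the setup posted above runs as `async void` and `UseHttps` can execute after `Listen` has already returned, while the empty `catch` hides any certificate failure. The sketch below resolves the certificate first and keeps the callback synchronous; the `loadCertificate` delegate is a hypothetical stand-in for the application's own lookup (for instance the poster's `CertificateManager.GetCertificate`, awaited by the caller beforehand).

```csharp
using System;
using System.Fabric;
using System.Fabric.Description;
using System.Net;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Core;

public static class KestrelEndpointSetup
{
    // Configures one Service Fabric endpoint on Kestrel. The certificate is
    // obtained before Listen() is called, so UseHttps() is registered while
    // the listen options are still being built, never afterwards.
    public static void Configure(
        KestrelServerOptions opt,
        ServiceContext serviceContext,
        string endpointName,
        Func<X509Certificate2> loadCertificate) // hypothetical: the app's own cert lookup
    {
        EndpointResourceDescription endpointDesc =
            serviceContext.CodePackageActivationContext.GetEndpoint(endpointName);

        switch (endpointDesc.Protocol)
        {
            case EndpointProtocol.Http:
                opt.Listen(IPAddress.Any, endpointDesc.Port);
                break;
            case EndpointProtocol.Https:
                // Fail startup rather than leave the HTTPS port answering in
                // plain HTTP: no try/catch here, plus explicit sanity checks.
                X509Certificate2 cert = loadCertificate()
                    ?? throw new InvalidOperationException(
                        $"No certificate for endpoint '{endpointName}'.");
                if (!cert.HasPrivateKey)
                    throw new InvalidOperationException(
                        $"Certificate {cert.Thumbprint} has no private key.");

                // Synchronous callback; TLS 1.2 is pinned per endpoint.
                opt.Listen(IPAddress.Any, endpointDesc.Port, listenOptions =>
                    listenOptions.UseHttps(cert, https =>
                        https.SslProtocols = SslProtocols.Tls12));
                break;
            default:
                throw new ArgumentOutOfRangeException(
                    nameof(endpointDesc.Protocol), endpointDesc.Protocol, "Unsupported protocol.");
        }
    }
}
```

With this shape a missing or unusable certificate stops the service at startup, which surfaces in Service Fabric health reporting instead of as intermittent plain-HTTP responses.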

kambani commented 4 years ago

@javiercn