Difference between revisions of "HTTPS Connection Issues"
From MgmtWiki
(→Context) |
(→References) |
||
| Line 44: | Line 44: | ||
One common cause for this issue is a mismatch in TLS levels between the client and server. In general all sites should be (2020-07) set for tls1.1 or higher. | One common cause for this issue is a mismatch in TLS levels between the client and server. In general all sites should be (2020-07) set for tls1.1 or higher. | ||
* Check with powershell Get-TlsCipherSuite [[-Name] <String>] [<CommonParameters>] | * Check with powershell Get-TlsCipherSuite [[-Name] <String>] [<CommonParameters>] | ||
| + | |||
| + | ===PowerShell Ignore SSL Errors=== | ||
| + | |||
| + | add-type @" | ||
| + | using System.Net; | ||
| + | using System.Security.Cryptography.X509Certificates; | ||
| + | public class TrustAllCertsPolicy : ICertificatePolicy { | ||
| + | public bool CheckValidationResult( | ||
| + | ServicePoint srvPoint, X509Certificate certificate, | ||
| + | WebRequest request, int certificateProblem) { | ||
| + | return true; | ||
| + | } | ||
| + | } | ||
| + | "@ | ||
| + | [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy | ||
| + | |||
| + | $result = Invoke-WebRequest -Uri "https://trustregistry.us | ||
==References== | ==References== | ||
Revision as of 20:19, 21 September 2021
Contents
Full Title or Meme
Like most security protocols HTTPS can start failing for all sorts of reasons, but issues with upgraded security seems to be most common.
Context
- For HTTPS to work the certificate (and key) used to sign the TLS (SSL) connection packets must match one of the certs in the cert:\localmachiroot folder. That means that the fingerprint (hash) of the root key must match the signing key.
Issues
Net Core Console Apps
Here are the steps:
- Create a Certificate Signing Request (CSR).
- Have the CSR signed by the server.
- Get the signed certificate.
- Include the signed certificate in the HTTP request.
- Make sure to put the Self-Signed CA Certificate in the Local Computer's Trusted Root CA store.
Troubleshooting steps in order (do not skip if a certain step is not successful):
- Test with HTTP
- Test with HTTPS (one-way authentication)
- Test with HTTPS (mutual authentication)
PowerShell Invoke-xxxMethod
$r = Invoke-RestMethod "https://trustregistry.us/csp" -Method Post -Body $j -ContentType "application/jose"
$r
The registry service https://localhost:5035/csp could not be found. Exception: The SSL connection could not be established, see inner exception.
or on AWS
$r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body $j -ContentType "application/jose"
Invoke-RestMethod : The underlying connection was closed: The connection was closed unexpectedly.
At line:1 char:6
+ $r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
One common cause for this issue is a mismatch in TLS levels between the client and server. In general all sites should be (2020-07) set for tls1.1 or higher.
- Check with powershell Get-TlsCipherSuite [[-Name] <String>] [<CommonParameters>]
PowerShell Ignore SSL Errors
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
$result = Invoke-WebRequest -Uri "https://trustregistry.us
