HTTPS Connection Issues
From MgmtWiki
Revision as of 14:35, 22 September 2021 by Tom (talk | contribs) (→Set .NET to Ignore Certificate Errors)
Contents
Full Title or Meme
Like most security protocols HTTPS can start failing for all sorts of reasons, but issues with upgraded security seems to be most common.
Context
- For HTTPS to work the certificate (and key) used to sign the TLS (SSL) connection packets must match one of the certs in the cert:\localmachiroot folder. That means that the fingerprint (hash) of the root key must match the signing key.
Issues
Net Core Console Apps
Here are the steps:
- Create a Certificate Signing Request (CSR).
- Have the CSR signed by the server.
- Get the signed certificate.
- Include the signed certificate in the HTTP request.
- Make sure to put the Self-Signed CA Certificate in the Local Computer's Trusted Root CA store.
Troubleshooting steps in order (do not skip if a certain step is not successful):
- Test with HTTP
- Test with HTTPS (one-way authentication)
- Test with HTTPS (mutual authentication)
PowerShell Invoke-xxxMethod
$r = Invoke-RestMethod "https://trustregistry.us/csp" -Method Post -Body $j -ContentType "application/jose"
$r
The registry service https://localhost:5035/csp could not be found. Exception: The SSL connection could not be established, see inner exception.
or on AWS
$r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body $j -ContentType "application/jose"
Invoke-RestMethod : The underlying connection was closed: The connection was closed unexpectedly.
At line:1 char:6
+ $r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
One common cause for this issue is a mismatch in TLS levels between the client and server. In general all sites should be (2020-07) set for tls1.1 or higher.
- Check with powershell Get-TlsCipherSuite [[-Name] <String>] [<CommonParameters>]
PowerShell Ignore SSL Errors
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
$result = Invoke-WebRequest -Uri "https://trustregistry.us
StatusCode : 200
StatusDescription : OK
Content : <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Trust Registry Home - TrustRegistry</title>...
RawContent : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Date: Wed, 22 Sep 2021 03:17:41 GMT
Server: Kestrel
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="...
Forms : {}
Headers : {[Transfer-Encoding, chunked], [Content-Type, text/html; charset=utf-8], [Date, Wed, 22 Sep 2021
03:17:41 GMT], [Server, Kestrel]}
Images : {@{innerHTML=; innerText=; outerHTML=<IMG class=img-responsive style="WIDTH: 90%" alt="TR is Trust
Registry" src="/images/TRBanner.png" height=120>; outerText=; tagName=IMG; class=img-responsive;
style=WIDTH: 90%; alt=TR is Trust Registry; src=/images/TRBanner.png; height=120}}
InputFields : {}
Links : {@{innerHTML=TrustRegistry; innerText=TrustRegistry; outerHTML=<A class=navbar-brand
href="/?page=%2FIndex">TrustRegistry</A>; outerText=TrustRegistry; tagName=A; class=navbar-brand;
href=/?page=%2FIndex}, @{innerHTML=Home; innerText=Home; outerHTML=<A class="nav-link text-dark"
href="/">Home</A>; outerText=Home; tagName=A; class=nav-link text-dark; href=/},
@{innerHTML=VICAL; innerText=VICAL; outerHTML=<A class="nav-link text-dark"
href="/Home/Certification">VICAL</A>; outerText=VICAL; tagName=A; class=nav-link text-dark;
href=/Home/Certification}, @{innerHTML=Resources; innerText=Resources; outerHTML=<A
class="nav-link text-dark" href="/Home/Resources">Resources</A>; outerText=Resources; tagName=A;
class=nav-link text-dark; href=/Home/Resources}...}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 6888
Set .NET to Ignore Certificate Errors
Add a certificate validation handler. Returning true will allow ignoring the validation error:
ServicePointManager .ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
This is even more useful than it may at first appear. I ran into the OP's problem while using Managed Exchanged Web Services (EWS). I thought that I could not use this answer since I didn't have access to the low-level SOAP calls that were being made by that managed library. But when I took another look at it, I realized ServicePointManager stands on its own. So,I added the above callback before initializing the ExchangeService and it worked like a charm. – Mark Meuer Apr 19 '12 at 21:50
or this way
[Obsolete("Do not use this in Production code!!!",true)]
static void NEVER_EAT_POISON_Disable_CertificateValidation()
{
// Disabling certificate validation can expose you to a man-in-the-middle attack
// which may allow your encrypted message to be read by an attacker
// https://stackoverflow.com/a/14907718/740639
ServicePointManager.ServerCertificateValidationCallback =
delegate (
object s,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors
) {
return true;
};
}
